usd-2021-0009 | VMware Workspace ONE Intelligent Hub

Advisory ID: usd-2021-0009
Affected Product: VMware Workspace ONE Intelligent Hub
Affected Version: 21.01.0.24 (Android) and 21.01.0 (Build d3dd95e, iOS)
Vulnerability Type: CWE-912: Hidden Functionality (Backdoor)
Security Risk: MEDIUM (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
Vendor URL: https://www.VMware.com/de/products/workspace-one/intelligent-hub.html
Vendor Status: Not fixed / Disputed

The following behavior was reported to VMware in March 2021. After finishing their investigations, VMware informed us that they do not agree that their dynamic compromise detection would violate app store policies regarding run-time code retrieval and execution. Please find their detailed statement here: https://code.vmware.com/docs/13894/StatementDeviceCompromiseDetection.pdf.

Description

The VMware Workspace ONE Intelligent Hub Apps for Android and iOS implement and use a mechanism to dynamically load remote code and execute it on mobile phones without indication to end users.

According to Google's Developer Program Policy, a backdoor is "code that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device".
Apple's Software Requirements for apps enforce that "apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps".

The VMware Hub applications implement a Dynamic Compromise Detection mechanism for which JavaScript code is downloaded from external endpoints and then executed in the application context. Further, native interfaces are exposed to the JavaScript code, offering the ability to directly run OS commands.

Proof of Concept (PoC)

The Workspace ONE Intelligent Hub Apps download remote contents from the following endpoints:

The following request and response illustrate the communication with these endpoints:

GET /api/v1/sdk/compliance/rules/an5r0i5payl0adg3n3rat0R HTTP/1.1
Host: api.na1.region.data.vmwservices.com
[...]

Response:

HTTP/1.1 200
Date: Tue, 02 Mar 2021 12:33:29 GMT
Content-Type: application/json
Connection: close
vary: accept-encoding
Content-Length: 13719

{
"data" : {
"id" : "an5r0i5payl0adg3n3rat0R",
"rules" : {
"payload" : "MIInbAYJKoZIhvcNAQcCoIInXTCCJ1kCAQE[...]",
"payloadVersion" : "1"
},
"created_at" : 1588726763166,
"created_by" : "thor",
"modified_at" : 1588786684777,
"modified_by" : "thor"
}
}

The payload consists of a PKCS#7 encoded and signed blob. During our assessment it was not possible to bypass the signature validation and inject malicious code. The payload can be decoded using OpenSSL; an excerpt of the downloaded JavaScript code is presented in the following:

$ cat payload.b64 | base64 -d > payload.txt
$ openssl asn1parse -inform der -in payload.txt -dump

Excerpt of decoded payload:

[...]
function u() {
  var t = [], s = native_Exec("id");
  if (null != s && s.length > 0)
    for (i = 0; i < s.length; i++)
      -1 != s[i].indexOf("(root)") && (t.push("90413-1"),
        k("E", "Root detected code 90413-1"));
  return null != (s = native_Exec("su -c ls")) && s.length > 0 && (t.push("90411-1"),
      k("E", "Root detected code 90411-1")),
    null != (s = native_Exec("su")) && s.length > 0 && (t.push("90412-1"),

  [...]
}
[...]

As the above snippet shows, the application provides native interfaces to the JavaScript code. For instance, the native_Exec() function appears to be a wrapper for the C function system() which allows the execution of arbitrary operating system commands.
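As an added example (not part of the advisory and not VMware's code), the following Python script walks the DER structure of a PKCS#7 SignedData blob shaped like the one in the rules.payload field, extracts the embedded script, and lists the native_* calls it contains so an analyst can see which native interfaces a delivered payload touches. The payload it parses is constructed inline with the same ContentInfo/SignedData layout as the advisory's blob; the signature is not verified and only definite-length DER is handled.

```python
import base64
import re

# DER-encoded OID values (without tag and length), as seen at the start of the real payload
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 pkcs7-signedData
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 pkcs7-data


def der_len(n):
    """DER definite-length encoding, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, value):
    """Encode one TLV; used only to build the constructed sample below."""
    return bytes([tag]) + der_len(len(value)) + value


def children(value):
    """Yield (tag, inner_value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, n = value[pos], value[pos + 1]
        pos += 2
        if n & 0x80:                                   # long form: low bits give the length-octet count
            k = n & 0x7F
            n = int.from_bytes(value[pos:pos + k], "big")
            pos += k
        yield tag, value[pos:pos + n]
        pos += n


def extract_signed_content(payload_b64):
    """ContentInfo -> [0] SignedData -> encapContentInfo -> [0] OCTET STRING. No signature check."""
    (tag, content_info), = children(base64.b64decode(payload_b64))
    if tag != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    oid, explicit0 = [v for _, v in children(content_info)]
    if oid != SIGNED_DATA_OID:
        raise ValueError("payload is not PKCS#7 SignedData")
    (_, signed_data), = children(explicit0)           # [0] EXPLICIT wraps the SignedData SEQUENCE
    fields = [v for _, v in children(signed_data)]   # version, digestAlgorithms, encapContentInfo, ...
    e_type, e_content = [v for _, v in children(fields[2])]
    if e_type != DATA_OID:
        raise ValueError("unexpected eContentType")
    (_, octets), = children(e_content)                # [0] EXPLICIT OCTET STRING holding the script
    return octets


def native_calls(js_source):
    """Sorted (function, literal argument) pairs for every native_*("...") call in the script."""
    return sorted(set(re.findall(r'(native_\w+)\("([^"]*)"\)', js_source)))


# Constructed sample modelled on the advisory's excerpt; not a real VMware payload.
SAMPLE_JS = b'function u(){var s=native_Exec("id");s=native_Exec("su -c ls");return s;}'
_encap = der(0x30, der(0x06, DATA_OID) + der(0xA0, der(0x04, SAMPLE_JS)))
_signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + _encap + der(0x31, b""))
SAMPLE_PAYLOAD_B64 = base64.b64encode(der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, _signed_data))).decode()

if __name__ == "__main__":
    js = extract_signed_content(SAMPLE_PAYLOAD_B64).decode()
    print(native_calls(js))   # [('native_Exec', 'id'), ('native_Exec', 'su -c ls')]
```

On a real response the same walk applies to the base64 value of rules.payload; the 30 82 ... 06 09 2a 86 48 86 f7 0d 01 07 02 a0 82 prefix the script checks for is exactly what the advisory's blob begins with.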

The aforementioned mechanism enables VMware to run arbitrary commands which are retrieved from external resources on the user’s device, resulting in backdoor capabilities.

Fix

It is recommended to follow Apple's and Google's guidelines regarding secure app development and distribution. Further, it is recommended to include the entire code within the application bundle.

References


Timeline

Credits

This security vulnerability was found by Leif Enders and Lauritz Holtmann of usd AG.