{"id":17619,"date":"2021-12-30T16:09:23","date_gmt":"2021-12-30T15:09:23","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17619"},"modified":"2022-01-04T08:27:51","modified_gmt":"2022-01-04T07:27:51","slug":"usd-2021-0009","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0009\/","title":{"rendered":"usd-2021-0009"},"content":{"rendered":"\n\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0009 | VMware Workspace ONE Intelligent Hub<\/h1>\n

Advisory ID<\/strong>: usd-2021-0009
Affected Product<\/strong>: VMware Workspace ONE Intelligent Hub
Affected Version<\/strong>:<\/span><\/strong> 21.01.0.24 (Android) and 21.01.0 (Build d3dd95e, iOS)
<\/span>Vulnerability Type<\/strong>: CWE-912: Hidden Functionality (Backdoor)
<\/span>Security Risk<\/strong>: MEDIUM (CVSS:3.0\/AV:N\/AC:H\/PR:H\/UI:R\/S:U\/C:H\/I:H\/A:H)
Vendor URL<\/strong>: https:\/\/www.VMware.com\/de\/products\/workspace-one\/intelligent-hub.html<\/a>
Vendor Status<\/strong>: Not fixed \/ Disputed<\/p>\n

The following behavior was reported to VMware in March 2021. After finishing their investigations, VMware informed us that they do not agree that their dynamic compromise detection would violate app store policies regarding run-time code retrieval and execution. Please find their detailed statement here: https:\/\/code.vmware.com\/docs\/13894\/StatementDeviceCompromiseDetection.pdf<\/a>.<\/p>\n

<\/h3>\n

Description<\/h3>\n

The VMware Workspace ONE Intelligent Hub Apps for Android and iOS implement and use a mechanism to dynamically load remote code and execute it on mobile phones without indication to end users.<\/p>\n

According to Google\u2019s Developer Program Policy<\/a>, a backdoor is \u201ecode that allows the execution of unwanted, potentially harmful, remote-controlled operations on a device\u201c.
Apple\u2019s Software Requirements<\/a> for apps enforce that \u201eapps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code which introduces or changes features or functionality of the app, including other apps\u201c.<\/p>\n

\u00a0The VMware Hub applications implement a Dynamic Compromise Detection<\/em> mechanism for which JavaScript code is downloaded from external endpoints and then executed in the application context. Further, native interfaces are exposed to the JavaScript code offering the ability to directly run OS commands.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The Workspace ONE Intelligent Hub Apps download remote contents from the following\u00a0endpoints:<\/p>\n