[Security-announce] VMSA-2018-0024 VMware Workspace ONE Unified Endpoint Management Console (A/W Console) update resolves SAML authentication bypass

VMware Security Announcements security-announce at lists.vmware.com
Thu Oct 4 12:40:38 PDT 2018



--------------------------------------------------------------------------
Advisory ID: VMSA-2018-0024
Severity:    Critical
Synopsis:    VMware Workspace ONE Unified Endpoint Management Console
             (A/W Console) update resolves SAML authentication bypass
             vulnerability
Issue date:  2018-10-04
Updated on:  2018-10-04 (Initial Advisory)
CVE number:  CVE-2018-6979

1. Summary

   VMware Workspace ONE Unified Endpoint Management Console (A/W Console)
   updates resolve a SAML authentication bypass vulnerability.

2. Relevant Products

   VMware Workspace ONE Unified Endpoint Management Console (A/W Console)

3. Problem Description

   The VMware Workspace ONE Unified Endpoint Management Console (A/W
   Console) contains a SAML authentication bypass vulnerability which can
   be leveraged during device enrollment. This vulnerability may allow a
   malicious actor to impersonate an authorized SAML session if
   certificate-based authentication is enabled. This vulnerability is also
   relevant if certificate-based authentication is not enabled, but in
   those cases the outcome of exploitation is limited to an information
   disclosure (Important Severity).

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6979 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product   Running           Replace with/     Mitigation/
   Product     Version   on      Severity  Apply Patch       Workaround
   =========== ========= ======= ========= ================= ==========
   A/W Console 9.7.x     Any     Critical  9.7.0.8           360010178013
   A/W Console 9.6.x     Any     Critical  9.6.0.8           360010178013
   A/W Console 9.5.x     Any     Critical  9.5.0.17          360010178013
   A/W Console 9.4.x     Any     Critical  9.4.0.23          360010178013
   A/W Console 9.3.x     Any     Critical  9.3.0.25          360010178013
   A/W Console 9.2.x     Any     Critical  9.2.3.28          360010178013
   A/W Console 9.1.x     Any     Critical  9.1.5.6           360010178013
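   As an added example that is not part of this advisory, the following
   Python check maps an installed A/W Console build to the remediation
   table above, comparing version components numerically (a string
   comparison would misjudge 9.2.10.x against 9.2.3.28). The inventory
   lines at the bottom are constructed sample input.

```python
"""Assess A/W Console builds against the VMSA-2018-0024 remediation table.

Added example, not VMware's code. FIXED_BUILDS is transcribed from the
advisory table; every installed version string used here is constructed.
"""
from typing import Dict, Tuple

# Minimum fixed build per affected release branch (from the advisory table).
FIXED_BUILDS = {
    (9, 7): "9.7.0.8",
    (9, 6): "9.6.0.8",
    (9, 5): "9.5.0.17",
    (9, 4): "9.4.0.23",
    (9, 3): "9.3.0.25",
    (9, 2): "9.2.3.28",
    (9, 1): "9.1.5.6",
}
KB_ARTICLE = "360010178013"  # Mitigation/Workaround column for every row


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.3.28' into (9, 2, 3, 28), zero-padded to four components."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for one console build.

    A branch absent from the table is reported as 'unlisted' rather than
    silently treated as safe; check KB_ARTICLE for those hosts.
    """
    ver = parse_version(installed)
    fixed = FIXED_BUILDS.get(ver[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if ver >= parse_version(fixed) else "vulnerable"


def report(inventory: str) -> Dict[str, str]:
    """Assess 'hostname<TAB>version' lines and return {hostname: status}."""
    result = {}
    for line in inventory.strip().splitlines():
        host, version = line.split("\t")
        result[host] = assess(version)
    return result


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = "uem-a\t9.7.0.8\nuem-b\t9.2.3.27\nuem-c\t9.2.10.1\nuem-d\t8.9.0.1\n"
```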

4. Solution

   VMware Workspace ONE Unified Endpoint Management Console 9.7.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/rnvtjd8jltpdhpt663n2/en

   VMware Workspace ONE Unified Endpoint Management Console 9.6.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/5nzwmkccx2dfbfyw9977/en

   VMware Workspace ONE Unified Endpoint Management Console 9.5.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/3rhqhqd98nymx33f4shd/en

   VMware Workspace ONE Unified Endpoint Management Console 9.4.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/q9fsfgs6d23mvtkpm22j/en

   VMware Workspace ONE Unified Endpoint Management Console 9.3.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/7t25rz3pd8sgzq3vqztx/en

   VMware Workspace ONE Unified Endpoint Management Console 9.2.x
   Downloads and Documentation:
   https://resources.workspaceone.com/view/kb7yzw7hbgyrygjvhmlh/en

   VMware Workspace ONE Unified Endpoint Management Console 9.1.x
   Downloads and Documentation:
   https://resources.workspaceone.com/save/nnqxxqyqt8vmn54mnd8v/en

5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6979
   https://support.workspaceone.com/articles/360010178013

--------------------------------------------------------------------------

6. Change log

   2018-10-04 - VMSA-2018-0024: Initial security advisory.

--------------------------------------------------------------------------


7. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc. All rights reserved.