1. Introduction
The AirWatch API Settings vulnerability concerns the configuration of the AirWatch Web API. The scanner plugin of the same name initializes the credentials used for checks via the Web API, and a misconfigured credential set can lead to unauthorized access. A successful exploit could compromise the confidentiality, integrity, and availability of managed devices and their associated data.
2. Technical Explanation
The vulnerability stems from insecure default or improperly configured AirWatch Web API credentials. An attacker who knows the API endpoint and holds valid credentials can gain unauthorized access to the AirWatch system. No CVE is currently assigned; the issue is one of weak authentication practice. For example, an attacker could use these credentials to enumerate devices, modify policies, or extract sensitive data. Affected systems are those running the AirWatch Web API with improperly configured settings.
- Root cause: Incorrectly set or default AirWatch Web API credentials.
- Exploit mechanism: An attacker uses the compromised credentials to access the AirWatch API and perform unauthorized actions. An example payload would be a standard HTTP request carrying the valid username and password against the API endpoint.
- Scope: AirWatch Web API installations, specifically versions where credential management is not enforced or properly implemented.
3. Detection and Assessment
Confirming the vulnerability involves checking the scan policy configuration for correct credentials. A more thorough method also reviews the API access logs for unauthorized activity.
- Quick checks: Verify that the ‘Preferences’ section of your scan policy has valid, strong credentials configured for AirWatch Web API access.
- Scanning: As one example, Nessus plugin ID 165732 can be used to identify misconfigured AirWatch API settings.
- Logs and evidence: Review AirWatch audit logs for failed login attempts or unusual API activity related to the Web API user account. Look for event IDs indicating authentication failures or unauthorized access.
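The log review described above, written as an added example (not code from the page, VMware or Tenable): it parses audit-log lines for the Web API account and reports accounts whose failed API logins cluster inside a short window. The line layout, event names and sample lines are constructed assumptions; adapt LINE_RE to your console's export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines in an assumed "timestamp | user | event | source"
# layout; adapt LINE_RE to the export format of your AirWatch console.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z | svc_airwatch_scan | API_LOGIN_FAILED | 10.0.0.5
2024-05-01T10:00:03Z | svc_airwatch_scan | API_LOGIN_FAILED | 10.0.0.5
2024-05-01T10:00:04Z | svc_airwatch_scan | API_LOGIN_FAILED | 10.0.0.5
2024-05-01T10:00:06Z | svc_airwatch_scan | API_LOGIN_FAILED | 10.0.0.5
2024-05-01T10:00:09Z | svc_airwatch_scan | API_LOGIN_FAILED | 10.0.0.5
2024-05-01T10:05:00Z | svc_airwatch_scan | API_LOGIN_OK | 10.0.0.7
2024-05-01T11:00:00Z | admin | API_LOGIN_FAILED | 203.0.113.9
2024-05-01T12:00:00Z | admin | API_LOGIN_OK | 203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<user>[^|]+?) \| (?P<event>[^|]+?) \| (?P<src>\S+)$")

def parse_events(text):
    """Yield (timestamp, user, event, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["event"], m["src"]

def failed_login_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Map each account to its largest run of failed API logins inside `window`,
    keeping only accounts that reach `threshold` failures in one run."""
    failures = defaultdict(list)
    for ts, user, event, _src in parse_events(text):
        if event == "API_LOGIN_FAILED":
            failures[user].append(ts)
    hits = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            run = end - start + 1
            if run >= threshold:
                hits[user] = max(hits.get(user, 0), run)
    return hits
```

A burst on the scan service account followed by a successful login from a different source, as in the sample, is the pattern worth escalating; a single failure on an administrative account is noise until it repeats.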
4. Solution / Remediation Steps
Fixing this issue requires configuring strong credentials for the AirWatch Web API within your scan policy. These steps ensure secure access to the system.
4.1 Preparation
- There are no dependencies or prerequisites. Change window needs and approvals should follow standard organizational procedures.
4.2 Implementation
- Step 1: Log in to your security scanning platform’s administration interface.
- Step 2: Navigate to the scan policy configuration for AirWatch checks.
- Step 3: Go to the ‘Preferences’ section within the scan policy settings.
- Step 4: Update the username and password fields with strong, unique credentials.
- Step 5: Save the changes to the scan policy.
4.3 Config or Code Example
Before
Username: admin
Password: password123
After
Username: strong_airwatch_user
Password: P@$$wOrd!456
4.4 Security Practices Relevant to This Vulnerability
Practices directly addressing this vulnerability include least privilege and secure defaults. Least privilege limits the impact of compromised credentials, while secure defaults prevent weak configurations.
- Practice 1: Implement least privilege by granting only necessary permissions to API users.
- Practice 2: Enforce strong password policies for all AirWatch accounts, including those used by the Web API.
4.5 Automation (Optional)
No automation is directly applicable due to the UI-based configuration nature of this setting.
5. Verification / Validation
Confirming the fix involves verifying that the new credentials are used for AirWatch checks and that unauthorized access is prevented. A smoke test includes successful execution of an AirWatch scan.
- Post-fix check: Verify in your security scanning platform’s logs that scans against AirWatch are using the newly configured username.
- Re-test: Re-run a vulnerability scan to confirm that the misconfiguration alert is no longer triggered.
- Smoke test: Execute a standard AirWatch scan and verify it completes successfully without errors.
- Monitoring: Monitor AirWatch audit logs for failed login attempts or unauthorized API activity related to the Web API user account.
6. Preventive Measures and Monitoring
Preventive measures include updating security baselines and incorporating checks in CI/CD pipelines. A sensible patch or config review cycle should be established based on the risk assessment.
- Baselines: Update your security baseline to require strong credentials for all AirWatch API access.
- Pipelines: Add a configuration check in your deployment pipeline to ensure that new AirWatch installations are configured with secure default settings.
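The pipeline configuration check suggested above, written as an added example (not code from the page, VMware or Tenable); it also evaluates the Before/After credential pair from section 4.3. The length threshold, the small blocklists and the leet-substitution table are assumptions; in production, load a breached-password list instead of the inline word set.

```python
import re
import string

DEFAULT_USERNAMES = {"admin", "administrator", "airwatch", "root"}
# Constructed blocklist for illustration; use a real breached-password list in practice.
COMMON_WORDS = {"password", "airwatch", "welcome", "letmein", "qwerty", "admin"}
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
MIN_LENGTH = 12   # assumed policy minimum

def normalise(secret):
    """Lower-case, drop trailing digits/symbols, then undo common leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", secret.lower())
    return base.translate(LEET)

def check_api_credentials(username, password):
    """Return a list of policy findings; an empty list means the pair is acceptable."""
    findings = []
    u, p = username.strip(), password
    if u.lower() in DEFAULT_USERNAMES:
        findings.append("username is a default or shared administrative account")
    if len(p) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in p), any(c.isupper() for c in p),
               any(c.isdigit() for c in p), any(c in string.punctuation for c in p)]
    if sum(classes) < 3:
        findings.append("password uses fewer than three character classes")
    if u and u.lower() in p.lower():
        findings.append("password contains the username")
    norm = normalise(p)
    if norm in COMMON_WORDS or any(w in norm for w in COMMON_WORDS if len(w) >= 6):
        findings.append("password is a common word after undoing character substitutions")
    return findings
```

Run it against the credentials exported from the scan policy before the policy is promoted; note that the section 4.3 "After" password is still reported, because it is the word "password" with character substitutions.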
7. Risks, Side Effects, and Roll Back
Potential risks include scan failures if the credentials are incorrect. Rollback involves restoring the previous version of the scan policy.
- Risk or side effect 1: Incorrect credentials may cause scans to fail. Mitigation is to double-check the entered username and password.
- Rollback: Restore the previous version of the scan policy from your backup.
8. References and Resources
- Vendor advisory or bulletin: VMware AirWatch API Authentication Documentation
- NVD or CVE entry: No specific CVE currently exists for this configuration issue.
- Product or platform documentation relevant to the fix: VMware AirWatch API Authentication Documentation