VMware has revealed a terrible trio of critical-rated flaws in Workspace ONE Assist for Windows – a product used by IT and help desk staff to remotely take over and manage employees’ devices.
The flaws are all rated 9.8 out of 10 in CVSS severity. A miscreant able to reach a Workspace ONE Assist deployment, either over the internet or on the network, can exploit any of these three bugs to obtain administrative access without the need to authenticate. At which point the intruder or rogue insider can contact users to offer them assistance that is anything but helpful, such as seizing control of devices.
It’s all possible because Workspace ONE Assist’s authentication code appears to be – let’s not sugar-coat this – borked.
Source: The Register