Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054)
The advisory for this issue can be found here.
The CVE for this issue is CVE-2021-22054. The advisory from VMWare can be found here.
This security research was performed by Keiran Sampson, James Hebden and Shubham Shah.
Introduction
Hundreds, if not thousands of enterprises, have to deploy mobile device management software to manage their ever growing fleet of mobile devices used by employees. The best thing about this from an offensive security standpoint, is that the software typically is exposed directly to the internet, to ease user on-boarding and improve day-to-day usage and device coverage.
With this logic, we found ourselves auditing the source code of VMWare Workspace One UEM. You may remember this software when it was named “AirWatch”, before it was acquired by VMWare.
We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body. In order to exploit this SSRF, we had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM.
Through this vulnerability, we were able to breach a number of our customers through our Attack Surface Management Platform, as well as numerous Fortune 500 companies through bug bounty programs.
What is VMWare Workspace One UEM (AirWatch)?
Per VMWare’s marketing materials:
Workspace ONE UEM (formerly known as AirWatch) provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and allows mobile productivity. It also works with the public application stores, to handle the provisioning of native mobile applications to mobile devices.
Workspace ONE UEM provides compliance-checking tools to ensure that remote access devices meet corporate security standards. For Office 365, and our integration with the Office 365 Graph API we can manage the DLP settings across the suite of Office applications to ensure security.
Code Analysis
VMWare Workspace One UEM is compose of a bundle of .NET applications. One of the first steps when it comes to assessing .NET applications is assessing the mappings found in the <span class="code_single-line">web.config</span> files.
The folder structure for the applications deployed as a part of UEM looked like the following:
One common route we found across many of the <span class="code_single-line">web.config</span> files within these directories was the route below:
There were a large number of DLL files associated with each application deployed as a part of AirWatch. For this vulnerability, we focused on <span class="code_single-line">WanderingWiFi.AirWatch.Console.Web</span>, however later we will describe the variants we discovered as well.
Loading up the DLLs for WanderingWiFi.AirWatch.Console.Web into ILSpy and exporting all of the source code, we were in a good position to start auditing.
Within <span class="code_single-line">BlobHandler.cs</span>, we found the following source code:
While the BlobHandler’s main functionality was to serve cached files, it seemed that another function of this handler was to also proxy HTTP requests. The logic for the proxying functionality looked like this:
- Obtain an encrypted URL via the <span class="code_single-line">Url</span> parameter and assign it the variable <span class="code_single-line">EncryptedUrl</span>.
- If this variable is not empty, then call the <span class="code_single-line">RenderProxyResponse()</span> function.
- If the <span class="code_single-line">EncryptedUrl</span> variable is not null or empty, decrypt the input and call <span class="code_single-line">ProxyService.ProxyServerResponse(HttpContext.Current, url);</span>
The <span class="code_single-line">DataEncryption.DecryptString</span> function stood out to us. It was custom code, rather than a 3rd party of standard library.
At this point, we were wondering, how does the <span class="code_single-line">DataEncryption.DecryptString</span> function actually work?
We continued to trace the code flow through several Decrypt methods, until we wound up at at the <span class="code_single-line">GetDecryptorsForCipherText()</span> function.
Here we can see that it takes our now base64 decoded <span class="code_single-line">Url</span> parameter and attempts to split it out into its key components:
<span class="code_single-line">{cryptoVersion}:{keyVersion}:{text}:{cipherText}</span>
It then calls <span class="code_single-line">GetMasterKey()</span> with either the user-provided <span class="code_single-line">keyVersion</span> or NULL if only a cipherText is provided.
This function looked like the following
If we’re reading this correctly, the <span class="code_single-line">MasterKeyResolver</span> has the functionality to read the encryption keys from the cache or the database.
However it first checks if the key version is “kv0” or NULL, and in that case instead returns a DefaultMasterKey.
What is the DefaultMasterKey? A set of hardcoded encryption keys…
This means that if we can encrypt a payload using these same keys, and set the <span class="code_single-line">KeyVersion</span> to “kv0” then we can trigger this code path and have it decrypted using the DefaultMasterKey.
Now that we have explored the encryption/decryption algorithm, we were feeling confident about building our own tool to encrypt strings.
Making a PoC
Our goal was to create a program that would generate encrypted strings, provided an arbitrary URL.
In order to achieve this, we wrote some C# code which imported the AirWatch libraries and directly called the encryption functions:
Since we are unable to distribute the files necessary for the exploitation of this issue, building a PoC for this issue will require you to obtain the following DLL files before compiling the C# code above:
Show DLLs
After writing the C# code and building a binary to encrypt arbitrary strings, we built a Python script to act as a wrapper around the binary. This Python script allowed for quick exploitation of this security issue:
Discovering the Variants
Since the <span class="code_single-line">BlobHandler.ashx</span> file existed in multiple applications deployed as a part of UEM, we wanted to narrow down where else our exploit worked.
We identified that the following endpoints were vulnerable to this SSRF:
- <span class="code_single-line">AirWatch/BlobHandler.ashx - WanderingWiFi.AirWatch.Console.Web</span>
- <span class="code_single-line">Catalog/BlobHandler.ashx - AW.Console.Web.Mobile.Catalog</span>
While there were other instances of <span class="code_single-line">BlobHandler.ashx</span> within the applications deployed for AirWatch, only the two above had the proxying functionality.
Through exploitation in the wild, we found that the endpoint under <span class="code_single-line">Catalog</span> was more likely to be accessible in locked down UEM instances.
PoCs
The following URLs will request <span class="code_single-line">http://example.com</span> through the SSRF:
Hitting the AWS metadata IP (http://169.254.169.254/latest/meta-data/) through this SSRF:
In order to exploit this issue, we were able to run the tool we created, requesting <span class="code_single-line">example.com</span> via the SSRF:
Vendor Response
VMWare dealt with these issues seriously, and we appreciated their efforts in remediating this vulnerability and corresponding with us.
We reported this issue to VMWare on the 18th of November, 2021.
The timeline for disclosure can be found below:
- Nov 18th, 2021: Disclosure of SSRF to VMware
- Nov 19th, 2021: Initial response from VMware asking us about the context of the discovery
- Nov 19th, 2021: We responded explaining that it was performed as original security research not related to a customer directly
- Nov 19th, 2021: VMware asked us if this bug had been reported to any other parties other than VMWare
- Nov 19th, 2021: We responded confirming that it has been reported to various companies running this software
- Nov 22nd, 2021: VMware requested a list of customers we have reported this bug to so that they can reach out to them
- Nov 23rd, 2021: We responded with a list of customers that received reports from us around this vulnerability
- Nov 24th, 2021: VMware responded confirming receipt of the list of customers we reported issues to
- Dec 2nd, 2021: VMware confirms that patch is being worked on, but requested a video call to discuss extending the disclosure timeline
- Dec 2nd, 2021: We do a Zoom call to discuss how to approach disclosure in a manner that gives VMWare customers enough time to patch
- Dec 4th, 2021: We responded confirming that we can extend the disclosure timeline compared to our standard policy
- Dec 15th, 2021: VMware responds with patch release note information and confirmation of patch being released on 16th of December
- Dec 16th, 2021: VMware releases a patch for this issue https://www.vmware.com/security/advisories/VMSA-2021-0029.html?
- April 27, 2022: VMware have blogged about this issue at https://blogs.vmware.com/security/2022/04/workspace-one-uem-ssrf-cve-2021-22054-patch-alert
Remediation Advice
The remediation details provided from VMWare’s advisory are satisfactory and will ensure that this vulnerabilty cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
Conclusion
There are often constraints that require certain software to be internet facing. In this case, MDM software such as VMWare Workspace One UEM is deployed in one of two ways. Either via the SaaS offering from VMWare or on premise.
In both scenarios, this vulnerability was exploitable. An attacker could have used this vulnerability to gain access to critical internal networks. The fact that this SSRF also allowed you to use arbitrary HTTP methods and request bodies made it even more dangerous.
When exploited in the wild, instances of UEM deployed on AWS, often had an IAM role with significant access to the AWS environment it was deployed in. We were able to breach a number of our customers and Fortune 500 companies through this vulnerability.
As always, customers of our Attack Surface Management platform were the first to know when this vulnerability affected them. We continue to perform original security research in an effort to inform our customers about zero-day vulnerabilities.
More Like This
Ready to get started?
Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.