Advisory: VMWare Workspace One Access (CVE-2021-22056)

Jan 17, 2022

Summary

When authenticated as an administrator user inside VMWare Workspace One Access, it is possible to send HTTP requests to arbitrary URLs and read the full HTTP response for these requests. When the HTTP requests are being made, an authentication header (Authorization) is sent, which includes an admin-level JWT.

Impact

Due to the lack of a slash character, it is possible for an attacker to make HTTP requests to arbitrary origins and read the full response. Furthermore, an authorization header gets leaked and hence it is possible for an attacker to weaponize this vulnerability to steal the authorization header of an admin upon viewing an image or making a single click.

Version Tested Against

identity-manager-20.01.0.0-15509389_OVF10.ova - 20.01

Admin token disclosure affects 20.01, but not later versions.

Later versions are still vulnerable to the SSRF vulnerability.

Product Description

Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and native mobile apps.

Solution

VMWare’s advisory can be found here.

As per VMWare’s advisory, the following versions are considered fixed:

Fixed Version:

VMware Workspace ONE Access 21.08.0.1
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08.0.1/rn/vmware-workspace-one-access-210801-release-notes/index.html

VMware Workspace ONE Access 21.08, 20.10.0.1, 20.10

https://kb.vmware.com/s/article/87183

 

VMware Identity Manager (vIDM) 3.3.5, 3.3.4, 3.3.3
https://kb.vmware.com/s/article/87185

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22056

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22057

 

FIRST CVSSv3 Calculator:
CVE-2021-22056 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CVE-2021-22057 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Vulnerabilities

https://access.reverse.test/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&[email protected]

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

Assetnote Security Research Team and Keiran Sampson

Timeline

The timeline for this disclosure process can be found below:

  • Oct 5th, 2021: Disclosure of account takeover via post auth SSRF
  • Oct 5th, 2021: Response from VMWare confirming receipt of vulnerability
  • Nov 9th, 2021: Assetnote Security Research team requests an update on the issue
  • Nov 12th, 2021: Response from VMWare confirming that vulnerability is being worked on
  • Dec 8th, 2021: Assetnote Security Research team requests an update on the issue
  • Dec 8th, 2021: Response from VMWare confirming they could reproduce SSRF but not admin token disclosure on latest version of Workspace One Access
  • Dec 10th, 2021: Response from VMWare confirming progress is being made on fixes
  • Dec 17th, 2021: VMWare publishes advisory