Jan 17, 2022
When authenticated as an administrator user inside VMWare Workspace One Access, it is possible to send HTTP requests to arbitrary URLs and read the full HTTP response for these requests. When the HTTP requests are being made, an authentication header (Authorization) is sent, which includes an admin-level JWT.
Due to the lack of a slash character, it is possible for an attacker to make HTTP requests to arbitrary origins and read the full response. Furthermore, an authorization header gets leaked and hence it is possible for an attacker to weaponize this vulnerability to steal the authorization header of an admin upon viewing an image or making a single click.
identity-manager-20.01.0.0-15509389_OVF10.ova
- 20.01
Admin token disclosure affects 20.01, but not later versions.
Later versions are still vulnerable to the SSRF vulnerability.
Workspace ONE Access, (formerly VMware Identity Manager), provides multi-factor authentication, conditional access and single sign-on to SaaS, web and native mobile apps.
VMWare’s advisory can be found here.
As per VMWare’s advisory, the following versions are considered fixed:
Fixed Version:
VMware Workspace ONE Access 21.08.0.1
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08.0.1/rn/vmware-workspace-one-access-210801-release-notes/index.html
VMware Workspace ONE Access 21.08, 20.10.0.1, 20.10
https://kb.vmware.com/s/article/87183
VMware Identity Manager (vIDM) 3.3.5, 3.3.4, 3.3.3
https://kb.vmware.com/s/article/87185
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22057
FIRST CVSSv3 Calculator:
CVE-2021-22056 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CVE-2021-22057 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
https://access.reverse.test/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&[email protected]
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team and Keiran Sampson
The timeline for this disclosure process can be found below:
Find out how Assetnote can help you lock down your external attack surface.
Use the lead form below, or alternatively contact us via email by clicking here.