A pre-auth SSRF is present in VMware Workspace ONE UEM (AirWatch) version 2105. Exploitation is possible due to hardcoded encryption parameters in the BlobHandler.ashx endpoint, which is present in both the AirWatch Console and Catalog applications. When parsing a Url parameter encrypted with these hardcoded encryption parameters, the BlobHandler can be induced to proxy a request to any internal or external host reachable from the system hosting the ONE UEM application services and return the response to an attacker.
Because of the nature of the Catalog application, it is often exposed to the public Internet even when access to the AirWatch Console is restricted, which increases the impact of this vulnerability wherever the Catalog is deployed and exposed to the public Internet.
The CVE for this issue is CVE-2021-22054. The advisory from VMware can be found here.
An attacker can request arbitrary URLs on behalf of the VMware Workspace ONE UEM server. HTTP requests with arbitrary methods and request bodies can be made. This could allow an attacker to pivot into the internal network and/or request cloud metadata endpoints to obtain cloud credentials.
Taken from VMware’s advisory:
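Because the vulnerable endpoint name is known, a defender can sweep web server logs for requests to it that carry the Url parameter the advisory describes. The following is an added example written for this page, not code from Assetnote or VMware: it parses IIS W3C log lines (the field list and every log entry are constructed samples, and the /AirWatch and /Catalog paths are assumptions) and returns the requests that match.

```python
"""Flag BlobHandler.ashx requests carrying a Url parameter in IIS W3C logs.

Added example for illustration only. Assumes IIS W3C logging with the field
list shown in the sample; all log lines below are constructed.
"""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log: a #Fields header followed by W3C entries.
# Paths under /AirWatch and /Catalog are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-11-18 10:00:01 10.0.0.5 GET /AirWatch/Catalog/default.aspx - 203.0.113.7 Mozilla/5.0 200
2021-11-18 10:00:02 10.0.0.5 GET /AirWatch/BlobHandler.ashx Url=AAAAconstructedciphertextAAAA 203.0.113.7 curl/7.79.1 200
2021-11-18 10:00:03 10.0.0.5 POST /Catalog/BlobHandler.ashx url=BBBBconstructedciphertextBBBB 198.51.100.9 python-requests/2.26 200
2021-11-18 10:00:04 10.0.0.5 GET /AirWatch/BlobHandler.ashx id=42 203.0.113.7 Mozilla/5.0 404
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # Skip rows whose column count does not match the header rather than
        # misattributing columns; W3C encodes spaces inside values as '+'.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_blobhandler_url_request(entry):
    """True when the request targets BlobHandler.ashx with a Url query parameter."""
    stem = entry.get("cs-uri-stem", "").lower()
    if not stem.endswith("/blobhandler.ashx"):
        return False
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return False  # IIS writes '-' when there is no query string
    params = parse_qs(query, keep_blank_values=True)
    # Parameter names are matched case-insensitively (Url, url, URL ...).
    return any(name.lower() == "url" for name in params)


def find_ssrf_candidates(text):
    """Return the matching requests with the fields an analyst needs to triage them."""
    hits = []
    for entry in parse_w3c(text):
        if is_blobhandler_url_request(entry):
            hits.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "method": entry["cs-method"],
                "path": entry["cs-uri-stem"],
                "status": entry["sc-status"],
            })
    return hits


def summarize_by_client(hits):
    """Count matching requests per client address to spot scanning or repeated use."""
    return dict(Counter(hit["client"] for hit in hits))


if __name__ == "__main__":
    found = find_ssrf_candidates(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(summarize_by_client(found))
```

On an unpatched 2105 deployment, a hit from an external address is worth treating as probable exploitation: correlate it with outbound connections from the UEM host in the same time window, especially to link-local and private ranges. After the patch is applied, the same hits still identify who was scanning for the bug.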
Workspace ONE UEM (formerly known as AirWatch) provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and allows mobile productivity. It also works with the public application stores, to handle the provisioning of native mobile applications to mobile devices.
Workspace ONE UEM provides compliance-checking tools to ensure that remote access devices meet corporate security standards. For Office 365 and our integration with the Office 365 Graph API, we can manage the DLP settings across the suite of Office applications to ensure security.
The remediation details provided in VMware’s advisory are satisfactory and will ensure that this vulnerability cannot be exploited.
The knowledge base article detailing the patches or workaround to apply can be found here.
The following URLs will request http://example.com through the SSRF:
Hitting the AWS metadata IP (http://169.254.169.254/latest/meta-data/) through this SSRF:
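The metadata request above works because the proxying handler accepts any destination. The following is an added example, not code from Assetnote, VMware or the product, of the destination check a server-side fetch should apply before proxying: it rejects non-HTTP schemes and any destination that resolves to loopback, private or link-local space (which covers 169.254.169.254), including IPv4 addresses mapped into IPv6. The resolver is injectable so the example runs offline with a constructed lookup table; the hostnames and addresses in that table are made up.

```python
"""Destination validation for a server-side URL fetch (SSRF mitigation).

Added example for illustration only; it is not the product's own code.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolve(host):
    """Resolve a hostname to every address it maps to, or [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


# Constructed lookup table so the example runs offline; names and addresses are made up.
DEMO_TABLE = {
    "cdn.example.net": [ipaddress.ip_address("1.2.3.4")],
    "internal.corp": [ipaddress.ip_address("10.0.0.8")],
}


def demo_resolve(host):
    """Offline stand-in for system_resolve using the constructed table."""
    return DEMO_TABLE.get(host.lower(), [])


def is_safe_destination(url, resolver=system_resolve, allowed_hosts=None):
    """Return True only if every address the URL resolves to is a public address.

    allowed_hosts, when given, is a set of lowercase hostnames; anything else is
    refused even if it resolves publicly (an allowlist is the stronger control).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # no file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 in the URL
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False  # unresolvable names are refused rather than retried later
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to the inner address.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
        # which contains the cloud metadata address), multicast and reserved ranges.
        if not addr.is_global:
            return False
    return True


if __name__ == "__main__":
    for candidate in (
        "http://cdn.example.net/file.bin",
        "http://169.254.169.254/latest/meta-data/",
        "http://internal.corp/",
        "http://[::ffff:169.254.169.254]/",
    ):
        print(candidate, "->", is_safe_destination(candidate, resolver=demo_resolve))
```

Two caveats apply in a real deployment. The address that passed the check must be the one actually connected to, otherwise a second DNS lookup at connect time reopens the hole (DNS rebinding). And redirects returned by the destination must be validated with the same function before being followed, since a public host can redirect the fetch back to a link-local address.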
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team and Keiran Sampson
The timeline for this disclosure process can be found below:
- Nov 18th, 2021: Disclosure of SSRF to VMware
- Nov 19th, 2021: Initial response from VMware asking us about the context of the discovery
- Nov 19th, 2021: We responded explaining that it was performed as original security research not related to a customer directly
- Nov 19th, 2021: VMware asked us whether this bug had been reported to any parties other than VMware
- Nov 19th, 2021: We responded confirming that it had been reported to various companies running this software
- Nov 22nd, 2021: VMware requested a list of customers we have reported this bug to so that they can reach out to them
- Nov 23rd, 2021: We responded with a list of customers that received reports from us around this vulnerability
- Nov 24th, 2021: VMware responded confirming receipt of the list of customers we reported issues to
- Dec 2nd, 2021: VMware confirms that a patch is being worked on, but requests a video call to discuss extending the disclosure timeline
- Dec 2nd, 2021: We hold a Zoom call to discuss how to approach disclosure in a manner that gives VMware customers enough time to patch
- Dec 4th, 2021: We responded confirming that we can extend the disclosure timeline beyond our standard policy
- Dec 15th, 2021: VMware responds with patch release note information and confirmation that the patch will be released on December 16th
- Dec 16th, 2021: VMware releases a patch for this issue https://www.vmware.com/security/advisories/VMSA-2021-0029.html
- April 27, 2022: VMware have blogged about this issue at https://blogs.vmware.com/security/2022/04/workspace-one-uem-ssrf-cve-2021-22054-patch-alert