SSRF vulnerability in VMWare authentication software could allow access to user data

Post-authentication bug could enable an attacker to infiltrate a user account

A server-side request forgery (SSRF) vulnerability in versions of VMWare authentication software could allow an attacker to obtain administrative JSON Web Tokens (JWT), researchers warn.

The SSRF bug was found in VMware Workspace ONE Access (previously known as Identity Manager), which provides multi-factor authentication, conditional access and single sign-on to SaaS, web, and native mobile apps.

The vulnerability (tracked as CVE-2021-22056), which was assigned a ‘moderate’ severity score of 5.5, could enable a malicious actor with network access to make HTTP requests to arbitrary origins and read the full response.

A blog post reads: “Due to the lack of a slash character, it is possible for an attacker to make HTTP requests to arbitrary origins and read the full response.

“Furthermore, an authorization header gets leaked and hence it is possible for an attacker to weaponize this vulnerability to steal the authorization header of an admin upon viewing an image or making a single click.”

Access all areas

Researchers Shubham Shah and Keiran Sampson, who discovered the bug, said that this could lead to the leaking of JWTs – potentially allowing a malicious actor full access to a vulnerable system.

JWTs are URL safe strings that are used to identify a user. They contain JSON-encoded data, making them convenient for embedding information.

They are typically used as session identifiers for web applications, mobile applications, and API services. They also contain user data directly, unlike traditional session identifiers which simply point to user data on the server-side.

If a user’s JWTs are stolen or compromised, an attacker can potentially gain full access to the user’s account.

More information about the use of JWTs can be found here.

Researchers pointed out that the leaking of the JWT “increases the severity of the issue as this vulnerability can be used in spear phishing attacks against organizations that use VMWare Workspace One Access”.

Shah and Sampson, who discovered the bug, also found a second issue, an authentication bypass vulnerability in VMware Workspace ONE Access (CVE-2021-22057).

The vulnerability, impacting VMware Verify two factor authentication, was also rated as a moderate severity bug with a score of 6.6.

The security issue means a malicious actor who has successfully provided the first-factor in an authentication process (such as a password), may be able to obtain second-factor authentication provided by VMware Verify.

A security advisory contains further details about which versions of the software are at risk.

Patch issued

VMWare has patched both security issues in its latest version of the enterprise software.

In their blog post, Shah and Sampson thanked the vendor for their “serious” efforts to remediate the problem.

The researchers added: “Looking at this research as a whole, one the of the key takeaways is that the visibility into the exposure of enterprise software is often lacking or misunderstood by organizations that deploy this software.

“Many organizations disproportionately focus on in-house software and network issues at the expense of awareness and visibility into the exposure in the software developed by third parties.

“Our experience has shown that there continues to be significant vulnerabilities in widely deployed enterprise software that is often missed.”