CVE-2022-22972 (VMware Workspace ONE Access identity authentication bypass)

Vulnerability Description

VMware is a global provider of virtualization solutions ranging from the desktop to the data center; its best-known product is probably VMware Workstation, a desktop virtualization package. The products involved in this vulnerability are introduced below:

VMware Workspace ONE Access is VMware's intelligence-driven digital workspace platform; it delivers and manages applications to any device, anywhere, with a single sign-on experience. VMware vRealize Automation is a cloud management platform for automated deployment. VMware Cloud Foundation is VMware's hybrid cloud platform. vRealize Suite Lifecycle Manager handles lifecycle and content management for the vRealize Suite.

On May 18, 2022, VMware published advisory VMSA-2022-0014 covering two vulnerabilities in several VMware products, one of which is CVE-2022-22972, an authentication bypass. The flaw is in how the local-password login is validated: a remote attacker with network access to the UI can forge the relevant request data (the Host header, as the analysis below shows) and obtain administrative access to the affected applications without valid credentials.

Affected versions

  • VMware Workspace ONE Access 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
  • VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware vRealize Automation (vIDM) 7.6
  • VMware Cloud Foundation (vIDM) 4.4, 4.3.x, 4.2.x, 4.1, 4.0.x
  • VMware Cloud Foundation (vRA) 3.x
  • vRealize Suite Lifecycle Manager (vIDM) 8.x

Vulnerability Analysis

Environment setup

Download the VMware Workspace ONE Access 20.10.0.0 OVA file from the official site (https://customerconnect.vmware.com/downloads/details?downloadGroup=WS1A_ONPREM_210801&productId=1269).

Import the OVA with VMware Workstation and configure the FQDN (set the hostname to a proper domain name, any will do; otherwise the database configuration step later fails with an error).


Once the import succeeds, the appliance initializes.


Visit https://<domain name>:8443 and follow the prompts to configure the admin account and the database.


Configure remote debugging

To build a dynamic debugging environment, copy the relevant jar files to the local machine (IDEA decompiles them) and enable remote debugging in IDEA.

The required libraries are in the /usr/local/horizon/lib/embeddedauthadapters directory on the appliance.


Create a Remote JVM Debug run configuration in IDEA.


Then add the JVM argument IDEA generates in that dialog (the -agentlib:jdwp=... line) to /opt/vmware/region/workspace/bin/setenv.sh on the appliance and restart the affected service so the JVM listens for the debugger.


Debugging analysis

From the logs it can be determined that the vulnerable jar is local-password-auth-adapter-0.1.jar.

The log records show that the login entry point is com.vmware.horizon.adapters.local.LocalPasswordAuthAdapter#login.


After the username, password and other form fields are read, the login endpoint is built by the getLocalUrl function.

Follow up into com.vmware.horizon.adapters.local.LocalPasswordAuthAdapter#getLocalUrl:


Inside getLocalUrl an HTTPS URL object is built for the back-end request; the concatenated result is https://{host}:443/SAAS/API/1.0/REST/auth/local/login, where {host} is taken from the incoming client request rather than from the appliance's own configured FQDN.

So the host of this back-end request is under the attacker's control: whatever Host header the client sends ends up in the URL.

Next comes the authenticate function, which performs the actual credential check:

com.vmware.horizon.adapters.local.LocalPasswordService#authenticate


Debugging and reading the function's logic shows that as long as the POST to that URL returns HTTP 200, the credentials are considered correct and the login succeeds; nothing else in the response is checked.

Combined with the getLocalUrl analysis, we control the host of that request. It is therefore enough to stand up a listener that answers every request with a 200 status and point the Host header of the login request at it: the appliance then accepts any username and password.
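The flow described above, as an added example (not the page's own code and not VMware's): a local listener that answers 200 to everything, a model of the vulnerable authenticate logic that builds the login URL from the client-supplied host and trusts any 200, and a hardened variant that pins the host to the configured FQDN. The class and function names, the configured FQDN vidm.example.test and the JSON body are illustrative; the appliance's HTTPS call to port 443 is replaced by plain HTTP to a local test port so it runs offline.

```python
"""Model of the CVE-2022-22972 login flow described on this page.

Added example, not VMware's code: names are illustrative and the appliance's
HTTPS call to port 443 is replaced by plain HTTP to a local test port.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path from the page; the scheme/host/port in front of it are the attacker's lever.
LOGIN_PATH = "/SAAS/API/1.0/REST/auth/local/login"
# Assumed FQDN the appliance was configured with (illustrative value).
CONFIGURED_FQDN = "vidm.example.test"


class AckAnything(BaseHTTPRequestHandler):
    """The listener the page calls for: every request gets HTTP 200."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        body = b'{"status": "ok"}'  # arbitrary; the vulnerable check never reads it
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_ack_server():
    """Start AckAnything on 127.0.0.1 on a free port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), AckAnything)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def get_local_url(host, port=443, scheme="https"):
    """Models LocalPasswordAuthAdapter#getLocalUrl: {scheme}://{host}:{port} + LOGIN_PATH.
    The bug is that 'host' is whatever the client sent, not the appliance's own name."""
    return f"{scheme}://{host}:{port}{LOGIN_PATH}"


def post_login(url, username, password):
    """POST the credentials to 'url'; returns (status or None on connect failure, body)."""
    data = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=data, method="POST", headers={"Content-Type": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def vulnerable_authenticate(request_host, port, username, password):
    """Models LocalPasswordService#authenticate as the page describes it: the URL
    host comes from the client's Host header and any HTTP 200 means 'valid'.
    With request_host pointing at AckAnything, every credential pair is accepted."""
    status, _ = post_login(get_local_url(request_host, port, "http"), username, password)
    return status == 200


def hardened_authenticate(request_host, port, username, password):
    """One fix: never derive the back-end URL from client input. The Host header
    must equal the configured FQDN and the call always goes to that FQDN, so a
    forged Host is rejected before any request is sent. The body check on top is
    defence in depth; the host pin is what actually closes the bypass."""
    if request_host.lower() != CONFIGURED_FQDN:
        return False
    status, body = post_login(get_local_url(CONFIGURED_FQDN, port, "http"), username, password)
    if status != 200:
        return False
    try:
        return json.loads(body).get("status") == "ok"
    except ValueError:
        return False


if __name__ == "__main__":
    srv, port = start_ack_server()
    try:
        print("vulnerable, forged Host, wrong password:",
              vulnerable_authenticate("127.0.0.1", port, "admin", "wrong"))  # True
        print("hardened,   forged Host, wrong password:",
              hardened_authenticate("127.0.0.1", port, "admin", "wrong"))  # False
    finally:
        srv.shutdown()
        srv.server_close()
```

Run it as a script: the vulnerable path reports True for a wrong password because the attacker's listener, not the appliance, answered the back-end POST; the hardened path never contacts a host that differs from the configured FQDN.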

Reference

https://paper.seebug.org/2031/#_1


https://pho3n1x-web.github.io/2023/09/18/CVE-2022-22972(VM_access_ Identity_authentication_bypass)/
Author: Pho3n1x
Posted on: September 18, 2023