CVE-2022-22972(VM_access_Identity_authentication_bypass)
Vulnerability Description
VMware is a provider of global desktop to data center virtualization solutions, offering products including our most familiar VMware Workstation, a desktop virtual computing software. The introduction of multiple products involved in this vulnerability is as follows:
VMware Workspace ONE Access is an intelligent driven digital workspace platform developed by VMware company, which enables easy and secure delivery and management of any application anytime, anywhere on any device. VMware vRealize Automation is an automated deployment solution cloud management platform. VMware Cloud Foundation is a hybrid cloud platform of VMware company. The vRealize Suite Lifecycle Manager is the vRealize Suite lifecycle and content management platform.
On May 18th, VMware released a notice (VMSA-2022-0014) to address two vulnerabilities in multiple VMware products, including CVE-2022-22972, which has certain flaws in identity authentication processing. Remote attackers can bypass authentication by forging relevant request information, thereby gaining administrative privileges for related applications.
Utilization scope
- VMware Workspace ONE Access 21.08.0.1, 21.08.0.0,20.10.0.1, 20.10.0.0
- VMware Identity Manager(vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
- VMware vRealize Automation(vIDM) 7.6
- VMware Cloud Foundation (vIDM) 4.4, 4.3.x, 4.2.x, 4.1, 4.0.x
- VMware Cloud Foundation (vRA) 3.x
- vRealize Suite Lifecycle Manager(vIDM) 8.x
Vulnerability Analysis
Environmental construction
Starting from the official website( https://customerconnect.vmware.com/downloads/details?downloadGroup=WS1A_ONPREM_210801&productId=1269 )Download VMware Workspace ONE Access 20.10.0.0 OVA file
Use VMware Workstation to import OVA files and configure FQDN (set the host name to a random domain name, otherwise an error will be reported when configuring the database in the future)
After successful import, initialization will occur
Visit https://<Domain Name: 8443>and follow the prompts to configure your account and database.
Configure remote debugging
To build a dynamic debugging environment, it is necessary to save the relevant source code locally and enable remote debugging using IDEA
The required lib file is located in the/usr/local/horizon/lib/embeddedauthadapters directory.
Configure remote debugging for IDEA.
Then write the remote debugging commands in the box to/opt/vmware/region/workspace/bin/setenv.sh
Debugging analysis
It can be found through logs that the jar package with vulnerabilities is local-password-auth-adapter-0.1.jar
According to the log records, the specific login used is the com. vmware. horizon. adapters. local. LocalPasswordAuthAdapter # login function
After obtaining account password and other information, extract the parameter endpoint through the getLocalUrl function
Follow up on the com.vmware.horizon.adapters.local.LocalPasswordAuthAdapter#getLocalUrl
In the getLocalUrl function, a special HTTPS link class will be constructed for the request, and the actual concatenation result is https://{host}:443/SAAS/API/1.0/REST/auth/local/login
Therefore, we can find that the domain name of this request can be controlled by us
Then we enter the subsequent authenticate function for identity authentication
com.vmware.horizon.adapters.local.LocalPasswordService#authenticate
Through debugging and judging the logic of the function, we have found that as long as the return value is 200 during a post request, the account password will be considered correct and the login will be successful
Based on the previous analysis of the getLocalUrl function, we know that the domain name of the request can be controlled by us. Therefore, we only need to build a service and respond with a 200 status code for any request