A security vulnerability in a mobile device management software could allow attackers access to organizations’ internal and cloud networks, researchers warn.
Discovered by Assetnote, the server-side request forgery (SSRF) bug was found in VMWare Workspace One UEM.
Tracked as CVE-2021-22054, the vulnerability could risk credentials and other sensitive data falling into the hands of malicious attackers.
“We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body,” the researchers wrote in a blog post.
“In order to exploit this SSRF, we had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM.”
The team were able to breach “a number of” organizations using the software, accessing both their internal network and cloud services.
Speaking to The Daily Swig, Assetnote’s Subham Shah said: “While I cannot share exact details about what companies were effected, there were a large number of enterprises that were vulnerable to this.
“In some cases, it was possible to use this vulnerability to breach the AWS accounts of the companies.”
Shah added: “The impact of this vulnerability is rather on the organization running the software, instead of the individual users that are using the products.
“Using the SSRF vulnerability, it is possible to reach arbitrary hosts on the internal network. On cloud networks such as AWS, it is possible to reach the metadata IP address and potentially steal security credentials.
“Using these security credentials, it is possible to escalate the vulnerability to gain access to other infrastructure belonging to a company.”
Remediations
The issue, which was first discovered in November 2021, has since been patched by the vendor.
Shah said that while VMware dealt with the issues “in a timely manner”, researchers agreed to the vendor’s request for more time to release more patches and allow customers to patch their instances before disclosure.
An advisory from VMWare contains details of fixes for the software.
Shah advised users of mobile management device software “if possible, do not expose the MDM solution to the external internet”.
