VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive

by James Horseman | May 26, 2022 | Attack Blogs

Introduction

VMware recently patched a critical authentication bypass vulnerability in their VMware Workspace ONE Access, Identity Manager and vRealize Automation products (CVE-2022-22972). This vulnerability allows an attacker to login as any known local user.

Patch Examination

The VMSA from VMware doesn’t give many details about the inner workings of this vulnerability. However, they do provide patch and workaround instructions. Digging into the patch is a good starting point. For our purposes, we are using vRealize Automation 7.6 which contains an embedded vIDM. Note that other products and versions have different auth workflows and endpoints. The patch downloads and details can be found here https://kb.vmware.com/s/article/70911. As of this writing, the most recent patch which addresses CVE-2022-22972 is 28.

VMware releases cumulative patches, which means that patch 28 addresses all vulnerabilities since the inception of the product. This makes it rather difficult to find out exactly how the most recent vulnerability is addressed. To remedy this issue, we downloaded patch 27 to compare with patch 28. After extracting the patches, we find that there zip files named patch-vRA-7.6.0-19482496-HF27.content in patch 27 and in patch-vRA-7.6.0-19772459.19640138-HF28.content in patch 28. We extract these zip files to find more of the content of the patches. There aren’t many notable differences in the patch content folders, but we see that the horizon service rpm has moved.

We use rpm2cpio to extract the contents of the two rpms. We find three differences, dbConnection-0.1-jar-with-dependencies.jar, analytics-0.1.war, and frontend-01.war. We extract the .war files to find the following in frontend-01.war:

Frontend war file diff

Notably, we find a new HostHeaderFilter.class file and some differences in web.xml which shows the new HostHeaderFilter is applied to all url patterns.

web.xml diff

We can use a Java decompiler to convert HostHeaderFilter.class into HostHeaderFilter.java:

HostHeaderFilter.java

We see that this filter is denying any request with a Host header that is deemed invalid. Based off of this, we can start sending requests to the application with strange host headers.

Runtime Examination

After unsuccessfully poking around various endpoints, we noticed something strange when sending an invalid host header to the login endpoint. We set the Host header to a bogus value of asdf.

invalid host header request

There is nothing notable about the request itself, but if we look at horizon.log on the appliance, we can see that the application is trying to resolve asdf.

DNS resolve failure

This indicates that the application is trying to make a connection to whatever we put in the Host header.

Running a Login Server

Let’s try to get the app to connect to us to see what kind of information it is trying to send. We wrote the following simple https server:

https server

After inserting our IP address into the host header, we see a new exception in the log:

ssl exception

This failure indicates that the application is not able to validate our certificate. This makes sense because the certificate on our server is self-signed. After we add our certificate to the Java certificate store on the appliance, we can see that the application does indeed connect to us and sends us the login information in an HTTP POST request. Note that an attacker would not have to replicate this step. They could instead host their login server on a public server with a valid certificate.

auth server connection

The application expects a response from the HTTP server to know if the user should be granted access. To account for this, we rewrite our server to respond with a status 200 to any POST request.

https server

With new server, we are able to successfully log in!

successful login

Automating the Exploit

So far we have been using Burp Suite proxy to modify requests sent by a browser, but now we would like to automate this workflow for use in exploit scripts. We ultimately would like to sent a POST to the SAAS/auth/login/embeddedauthbroker/callback with a custom Host header. This endpoint requires some additional metadata to be encoded in the body of the POST. If we examine the source of the login page we find the information we need in hidden form fields.

hidden form fields

Our POC sends requests starting at the /vcac endpoint the same way a browser would and parses the login page to extract these hidden fields. These hidden fields are then encoded into the body of the final POST with the Host header set to our custom login server. The POC then parses the response to extract the authentication cookies. These cookies can be used to execute actions as the chosen user.

This script can be used by bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE and vIDM have different authentication endpoints, but the crux of the vulnerability remains the same.

Our POC can be found here https://github.com/horizon3ai/CVE-2022-22972

Summary

CVE-2022-22972 is a relatively simple Host header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability. A quick search on Shodan.io for the effected VMware applications returns a pretty low count of organizations that expose them to the internet. Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation. Organizations should address these issues by immediately following the guidance within the VMware Security Advisory.

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.

Schedule a Demo

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	LinkedIn - Used to store information about the time a sync took place with the lms_analytics cookie
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	2 years	LInkedIn Used to store consent of guests regarding the use of cookies for non-essential purposes
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_V462VSRXXS	2 years	This cookie is installed by Google Analytics.
6suuid	2 years	6sense is a B2B predictive intelligence engine for marketing and sales.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
visitorId	1 year	Salesforce

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Others

Attack Content

Security Strategies