External risk intelligence

VMware Workspace ONE UEM Server-Side Request Forgery Vulnerability

CVE advisory
Known Exploit

CVE-2021-22054

A server-side request forgery vulnerability in VMware Workspace ONE UEM console allows unauthenticated actors with network access to expose sensitive information, impacting an organization's data confidentiality and presenting a business risk.

Halo Surface Signal: 4

Server-Side Request Forgery

VMware Workspace ONE UEM Console

20.0.8.0 to before 20.0.8.36
20.11.0.0 to before 20.11.0.40
21.2.0.0 to before 21.2.0.27
21.5.0.0 to before 21.5.0.37

External exposure likelihood

Halo Surface Signal score for CVE-2021-22054

VMware Workspace ONE UEM is an enterprise management platform commonly deployed as an internet-facing service to manage mobile devices and endpoints remotely. Due to its role as a centralized gateway for device administration and configuration, it is frequently exposed to the public internet to support remote management functionality.

Horizon Alert

Summary of the vulnerability and why it matters

The VMware Workspace ONE UEM console contains a server-side request forgery vulnerability. This flaw allows a malicious actor with network access to the console to trigger server-side requests without authenticating, potentially exposing sensitive information. The impact can affect an organization's data confidentiality.

  • Vulnerable VMware Workspace ONE UEM console
  • Unauthenticated request execution
  • Sensitive information exposure

Attack Path

How an attacker could exploit the issue

A server-side request forgery vulnerability in VMware Workspace ONE UEM console allows an unauthenticated, network-accessible attacker to make requests on behalf of the system. This can lead to the exposure of sensitive information to the attacker. The vulnerability exists in multiple versions of the Workspace ONE UEM console.

  • Exposed system accessible externally
  • Unauthenticated attacker triggers vulnerability
  • Malicious requests access sensitive data

Live Threat

Current exploitation, exposure, and threat context

A server-side request forgery vulnerability in VMware Workspace ONE UEM console could allow a malicious actor to access sensitive information. This could occur if the actor has network access to the UEM system and can send unauthenticated requests. The potential for unauthorized access to sensitive data presents a significant business risk.

  • No specific attacker skill needed.
  • Network access to the UEM system.
  • High business risk, treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in VMware Workspace ONE UEM console could allow a malicious actor to gain access to sensitive information by sending unauthenticated requests. Organizations should prioritize identifying and addressing affected systems to mitigate potential business risk. Swift action can help prevent unauthorized access and protect critical data.

  • Find affected Workspace ONE UEM assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.
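The first step above, finding affected assets, usually means comparing an inventory of console versions against the fixed builds. The following is an added illustration, not a VMware tool: it takes the fixed builds per release line as the FAQ on this page states them (confirm them against the vendor advisory before acting), parses dotted version strings, and reports each host as vulnerable, patched, or on a release line this advisory does not list. The inventory rows are constructed sample data.

```python
"""Added example: triage Workspace ONE UEM console versions against the
fixed builds listed for CVE-2021-22054. Not VMware's code; the inventory
below is constructed sample data."""

# Fixed build per release line, as given in the FAQ on this page
# (assumption: the first three components identify the release line).
FIXED_BUILDS = {
    (20, 0, 8): (20, 0, 8, 37),
    (20, 11, 0): (20, 11, 0, 40),
    (21, 2, 0): (21, 2, 0, 27),
    (21, 5, 0): (21, 5, 0, 37),
}


def parse_version(text: str) -> tuple:
    """Turn '21.2.0.14' into (21, 2, 0, 14) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(version_text: str) -> str:
    """Classify one console version string.

    'vulnerable' : on a listed release line and below its fixed build
    'patched'    : on a listed release line at or above its fixed build
    'not-listed' : release line not covered by this advisory; check the
                   vendor advisory rather than assuming it is safe
    """
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:3])
    if fixed is None:
        return "not-listed"
    return "vulnerable" if version < fixed else "patched"


def triage(inventory) -> dict:
    """Map each (hostname, version) pair to its assessment."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("uem-console-01.corp.example", "21.2.0.14"),
    ("uem-console-02.corp.example", "21.2.0.27"),
    ("uem-console-03.corp.example", "20.11.0.40"),
    ("uem-console-04.corp.example", "21.8.0.5"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "not-listed" are not cleared by this script; they simply fall outside the release lines the advisory enumerates and need a separate check.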

Frequently asked questions

What types of VMware Workspace ONE UEM console versions are affected by CVE-2021-22054?

CVE-2021-22054 affects multiple versions of VMware Workspace ONE UEM console, including versions 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37.

What is the weakness class associated with CVE-2021-22054, and how does it enable exploitation?

The weakness class for CVE-2021-22054 is CWE-918, Server-Side Request Forgery (SSRF). In this weakness class the server can be made to issue requests to resources of the actor's choosing; here a malicious actor can trigger such requests without authentication, potentially leading to unauthorized access to sensitive information that the UEM system fetches on the actor's behalf.
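To make the CWE-918 pattern concrete from a defender's side, here is an added, generic illustration that is not VMware's code and says nothing about how the Workspace ONE flaw is triggered. It shows the unsafe shape (the server fetches whatever URL a caller supplies) next to a hardened validator that enforces a scheme and host allowlist, rejects embedded credentials, resolves the host and refuses anything that lands on loopback, private, link-local or otherwise internal address space, and returns the resolved IP so the caller can pin the connection to it. The allowlist, hostnames and addresses are constructed; `resolve` is a hypothetical hook that defaults to real DNS.

```python
"""Added illustration of CWE-918 (SSRF) mitigation. Not VMware's code:
a generic server-side URL fetcher shown in its vulnerable and hardened
forms. Hostnames, allowlist entries and IPs are constructed."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only external hosts this service is meant to reach.
ALLOWED_HOSTS = {"updates.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def unsafe_target(user_url: str) -> str:
    """Vulnerable pattern: the server fetches whatever URL the caller sent.

    Nothing stops a caller from naming loopback or an internal management
    address, so the server's own network position is exposed through it.
    """
    return user_url  # would be handed straight to an HTTP client


def _is_internal(ip) -> bool:
    """True for loopback, RFC 1918/ULA, link-local (incl. cloud metadata
    ranges), multicast, reserved and unspecified addresses."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(user_url: str, resolve=None):
    """Hardened pattern. Returns (ok, reason, pinned_ip).

    `resolve` maps a hostname to an IP string (hypothetical hook; defaults
    to real DNS). The resolved IP is returned so the caller connects to that
    exact address, which closes the DNS-rebinding gap between the check and
    the actual connection.
    """
    if resolve is None:
        resolve = socket.gethostbyname
    parts = urlparse(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials", None
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist", None
    try:
        ip = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError, TypeError) as exc:
        return False, f"resolution failed: {exc}", None
    if _is_internal(ip):
        return False, f"{host} resolves to internal address {ip}", None
    return True, "ok", str(ip)


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "updates.example.com": "93.184.216.34",  # public address
    "cdn.example.com": "10.0.0.5",           # allowlisted name, but resolves inside
}.get

if __name__ == "__main__":
    for url in ("https://updates.example.com/catalog",
                "http://updates.example.com/catalog",
                "https://127.0.0.1/admin",
                "https://cdn.example.com/asset",
                "https://updates.example.com@evil.example/x"):
        print(url, "->", validate_outbound_url(url, FAKE_DNS))
```

The `cdn.example.com` case is the one worth noticing: a name on the allowlist is not enough on its own, because whoever controls that name's DNS can point it at internal address space, so the resolved address has to be checked and then pinned.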

How can an attacker exploit the server-side request forgery vulnerability in VMware Workspace ONE UEM console?

An attacker with network access to the UEM system can exploit this vulnerability by sending unauthenticated requests. This allows them to access sensitive information that the UEM system has permission to access, without needing any specific privileges on the console itself.

Why is CVE-2021-22054 considered a relevant threat, particularly for internet-facing systems?

VMware Workspace ONE UEM console is often exposed to the internet to facilitate remote device management. The SSRF vulnerability (CVE-2021-22054) allows unauthenticated, network-accessible attackers to compromise sensitive data, making it a significant threat for organizations using this platform externally. CISA has also listed this vulnerability in its Known Exploited Vulnerabilities Catalog.

What practical steps should organizations take to respond to the VMware Workspace ONE UEM console vulnerability?

Organizations should prioritize identifying all affected Workspace ONE UEM assets. They should then take steps to reduce or isolate the risk, such as applying vendor-provided patches or mitigations. After fixing the vulnerability, it's crucial to verify the remediation and continuously monitor the systems to prevent future exploitation.
