CISA urges VMware admins to patch critical flaw in Workspace ONE UEM

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information.

Workspace ONE Unified Endpoint Management (ONE UEM) is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.

The flaw tracked as CVE-2021-22054 is a server side request forgery (SSRF) vulnerability with a severity rating of 9.1/10 and impacting multiple ONE UEM console versions.

Unauthenticated threat actors can exploit this vulnerability remotely in low-complexity attacks without user interaction.

"A malicious actor with network access to UEM can send their requests without authentication and may exploit this issue to gain access to sensitive information," VMware explained in a security advisory issued on Thursday.

"CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0029 and apply the necessary mitigation," CISA said today.

Impacted Version Fixed Version
2109 Workspace ONE UEM patch 21.9.0.13 and above
2105 Workspace ONE UEM patch 21.5.0.37 and above
2102 Workspace ONE UEM patch 21.2.0.27 and above
2101 Workspace ONE UEM patch 21.1.0.27 and above
2011 Workspace ONE UEM patch 20.11.0.40 and above
2010 Workspace ONE UEM patch 20.10.0.23 and above
2008 Workspace ONE UEM patch 20.8.0.36 and above
2007 Workspace ONE UEM patch 20.7.0.17 and above

Workaround available

VMware also provides short-term mitigation to block exploitation attempts if you cannot immediately deploy one of the patched versions in the above table.

The temporary workaround requires you to edit the UEM web.config file by following the steps outlined here and restarting all server instances on which this workaround has been applied.

VMware also provides steps to validate that the workaround will successfully block attacks using CVE-2021-22054 exploits.

To test if the workaround was correctly applied, you have to open a web browser and navigate to these URLs (you should only get 404 Not Found responses):

https://[UEM Console URL]/airwatch/blobhandler.ashx?url=test
https://[UEM Console URL]/catalog/blobhandler.ashx?url=test
https://[UEM Console URL]/airwatch/blobhandler.ashx?param1=test&url=test
https://[UEM Console URL]/catalog/blobhandler.ashx?param1=test&url=test

"IIS reset will cause logged-in administrators to the server instance being patched to log out. Administrators should be able to log back in shortly after," VMware says.

Related Articles:

CISA urges software devs to weed out SQL injection vulnerabilities

VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion

WP Automatic WordPress plugin hit by millions of SQL injection attacks

Maximum severity Flowmon bug has a public exploit, patch now

Critical Forminator plugin flaw impacts over 300k WordPress sites