CVE-2021-22002
📋 TL;DR
This vulnerability allows attackers to bypass authentication and access sensitive configuration and diagnostic endpoints in VMware Workspace ONE Access and Identity Manager by manipulating host headers. Organizations running affected VMware products with network access to port 443 are at risk.
💻 Affected Systems
- VMware Workspace ONE Access
- VMware Identity Manager
📦 What is this software?
Vrealize Suite Lifecycle Manager by Vmware
Vrealize Suite Lifecycle Manager by Vmware
Vrealize Suite Lifecycle Manager by Vmware
Vrealize Suite Lifecycle Manager by Vmware
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to access sensitive configuration data, modify system settings, and potentially gain administrative control over the affected VMware products.
Likely Case
Unauthorized access to sensitive configuration information and diagnostic data, potentially enabling further attacks or reconnaissance.
If Mitigated
Limited impact with proper network segmentation and access controls preventing unauthorized access to port 443.
🎯 Exploit Status
Exploitation requires network access to port 443 and ability to manipulate HTTP host headers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.08.0.1 and later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0016.html
Restart Required: Yes
Instructions:
1. Download and install VMware Workspace ONE Access/Identity Manager version 21.08.0.1 or later. 2. Apply the patch following VMware's installation instructions. 3. Restart the affected services or systems as required.
🔧 Temporary Workarounds
Network Access Restriction
allRestrict network access to port 443 of affected systems to trusted sources only.
Host Header Validation
allImplement web application firewall rules to validate and sanitize host headers.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy web application firewall with rules to block malicious host header manipulation
🔍 How to Verify
Check if Vulnerable:
Test if /cfg endpoints are accessible via port 443 with manipulated host headers using tools like curl or Burp Suite.Check Version:
Check the VMware product administration interface or use vendor-specific commands to verify installed version.Verify Fix Applied:
Verify the system is running version 21.08.0.1 or later and test that /cfg endpoints are no longer accessible via unauthorized methods.📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /cfg endpoints
- Suspicious host header values in web logs
Network Indicators:
- Unusual traffic patterns to port 443 with manipulated HTTP headers
- Access to /cfg endpoints from unauthorized sources
SIEM Query:
source_port=443 AND (uri_path="/cfg*" OR http_host CONTAINS suspicious_value)