CISA urges VMware admins to patch critical flaw in Workspace ONE UEM

CISA has asked VMware admins and users today to patch a critical security vulnerability found in the Workspace ONE UEM console that threat actors could abuse to gain access to sensitive information.

Workspace ONE Unified Endpoint Management (ONE UEM) is a VMware solution for over-the-air remote management of desktops, mobile, rugged, wearables, and IoT devices.

The flaw tracked as CVE-2021-22054 is a server side request forgery (SSRF) vulnerability with a severity rating of 9.1/10 and impacting multiple ONE UEM console versions.

Unauthenticated threat actors can exploit this vulnerability remotely in low-complexity attacks without user interaction.

“A malicious actor with network access to UEM can send their requests without authentication and may exploit this issue to gain access to sensitive information,” VMware explained in a security advisory issued on Thursday.

“CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0029 and apply the necessary mitigation,” CISA said today.

Workaround available

VMware also provides short-term mitigation to block exploitation attempts if you cannot immediately deploy one of the patched versions in the above table.

The temporary workaround requires you to edit the UEM web.config file by following the steps outlined here and restarting all server instances on which this workaround has been applied.

VMware also provides steps to validate that the workaround will successfully block attacks using CVE-2021-22054 exploits.

To test if the workaround was correctly applied, you have to open a web browser and navigate to these URLs (you should only get 404 Not Found responses):

https://[UEM Console URL]/airwatch/blobhandler.ashx?url=test  https://[UEM Console URL]/catalog/blobhandler.ashx?url=test  https://[UEM Console URL]/airwatch/blobhandler.ashx?param1=test&url=test  https://[UEM Console URL]/catalog/blobhandler.ashx?param1=test&url=test

“IIS reset will cause logged-in administrators to the server instance being patched to log out. Administrators should be able to log back in shortly after,” VMware says.