VMware vSphere Hypervisor (ESXi) HTTP Response Injection
Posted on 07 August 2016
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2016-063 Product: VMware vSphere Hypervisor (ESXi) Manufacturer: VMware, Inc. Affected Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1) VMware vCenter Server 6.0 U2 Tested Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1) Vulnerability Type: Improper Input Validation (CWE-20) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2016-07-01 Solution Date: 2016-08-04 Public Disclosure: 2016-08-05 CVE Reference: CVE-2016-5331 Authors of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: VMware vSphere Hypervisor is a type-1 hypervisor for serving virtual machines. The manufacturer describes the product as follows (see [1]): "Virtualize even the most resource-intensive applications with peace of mind. VMware vSphere Hypervisor is based on VMware ESXi, the hypervisor architecture that sets the industry standard for reliability and performance." Due to improper input validation, the web server of VMware ESXi 6 is prone to HTTP response injection attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SySS GmbH found out that the web server of VMware ESXi 6 is vulnerable to HTTP response injection attacks, as arbitrarily supplied URL parameters are copied in the HTTP header Location of the server response without sufficient input validation. Thus, an attacker can create a specially crafted URL with a specific URL parameter that injects attacker-controlled data to the response of the VMware ESXi web server. Depending on the context, this allows different attacks. If such a URL is visited by a victim, it may for example be possible to set web browser cookies in the victim's web browser, execute arbitrary JavaScript code, or poison caches of proxy servers. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following URL is a simple attack vector to illustrate the HTTP response header injection vulnerability by setting an attacker-controlled session cookie named "test" with the value "31337" within the victim's web browser: https://<HOST>/?syss%0d%0aset-cookie:test=31337%0d%0at=1 The corresponding HTTP GET request and the VMware ESXi web server response are as follows: GET /?syss%0d%0aset-cookie:test=31337%0d%0at=1 HTTP/1.1 Host: <HOST> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: close HTTP/1.1 303 See Other Date: Thu, 30 Jun 2016 15:12:23 GMT Connection: close Location: /?syss set-cookie:test=31337 t=1/ X-Frame-Options: DENY Content-Length: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer VMware has fixed the reported security vulnerability and disclosed detailed information about the issue and a software update for affected products in its security advisory VMSA-2016-0010 [4]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2016-07-01: Vulnerability reported to manufacturer 2016-07-01: Manufacturer acknowledges e-mail with SySS security advisory 2016-07-14: Manufacturer further investigates the reported security issue 2016-07-22: Manufacturer announces disclosure of this security issue 2016-08-04: Public release of VMware security advisory VMSA-2016-0010 and security update 2016-08-05: Public release of SySS security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for VMware vSphere Hypervisor (ESXi) https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_hypervisor_esxi/6_0 [2] SySS Security Advisory SYSS-2016-063 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-063.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy/ [4] VMware Security Advisory VMSA-2016-0010 http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was independently found and reported by Matthias Deeg of SySS GmbH, Vladimir Ivanov, Andrey Evlanin, Mikhail Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive Technologies, Matt Foster of Netcraft Ltd, Eva Esteban Molina of A2secure and Ammarit Thongthua (see [4]). E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJXpF3hAAoJENmkv2o0rU2rJr0P/RYc3j268fzTLERUG5CvLKYV HNI1a4p2/Mg0lzc/n1/7aZOzX9eRQe0jVyFkv90/843IWCdofQU3aqLBwFSIsFZP C9Tv3JYpk4T68uzCIriqxqHgt+qza1evfmPTOP2RHua0iaOOQSohzY/cWo3Uc9Yj Qag+JmnwPWZJNzkL1i41F6oO6aKurM65XBtmAdKQVQwwJ1WYMpiM3vV71hIq18sO OSJOgKQQMAR/1U7UVd3IgFIUv4+2mdDPyEdlnzPiTtpmJvZQf8H3k9054auCWBWa U2WOesD5FsCS4nBmuvlTc+jALlqC2SRRgR1UpiEvXTYYunWrOFustGnj4fFvgg7S omtMdN8dnWdD6BXZXg2k/yVH0WToVWtwV0meKtSg9b0jOywKBVzoYO19vpchHaz4 /Eyxd8HQHpToM3OgwHagFXosF3TGxwQySPlDHdQD5gYANzDBhS8uQ02Gwx2v9NCX cC/jbTDUC0fa2qNJL/wwN7unqmrdOkGEYlvTjme6wlDR5axB46GunSH5yNg5OKFl G1s7lZ+ZbcywBxScLx1k7ITa1tNL3PNet5/Ld6A1hi3yhONmRgkyfgB+YqN04xaR 3b5U6eqnPfm8d52yVPa7zySVc1vN9mrQ87dCmnXWGE9xk++SXoeDLv3PbKrY65Iy w/x007duLbe7k/xSJ1Ip =/k7W -----END PGP SIGNATURE-----