Researchers at Assetnote reported finding a vulnerability in VMWare Workspace One UEM. ("VMware headquarters" by Ferran Rodenas is licensed under CC BY-NC-SA 2.0)

In conducting audits on VMWare Workspace One UEM, the popular mobile device management software, researchers last week reported they found a pre-authentication vulnerability that let them make arbitrary HTTP requests, including requests with any HTTP method and request body.

In a blog post by Assetnote said to exploit this server side request forgery (SSRF), the researchers wrote they had to reverse engineer the encryption algorithm used by Workspace One UEM.

Through this vulnerability, the researchers said they could breach a number of its customers through its Attack Surface Management Platform, as well as numerous Fortune 500 companies through bug bounty programs.

As companies increasingly move to the cloud, these resources are exposed to the internet at large, said John Bambenek, principal threat hunter at Netenrich.

“Vulnerabilities like this aren’t good, however, typically VMWare in an on-prem scenario operates inside the corporate datacenter,” Bambenek said. “The patch has been available for months, so organizations should already be well protected.”

Garret Grajek, CEO at YouAttest, said that the key here is the pre-authentication. Grajek said there’s often a false sense of security that occurs when an enterprise implements two-factor authentication (2FA).

“There’s no question that two-factor is a huge help in combatting cyber-attacks — especially identity attacks,” Grajek said. “But not all attacks can be addressed through 2FA. An enterprise still needs a complete program of cyber hygiene including identity governance that triggers on identity privilege changes and a system that can detect anomalous identity, application, and network events."

Bud Broomhead, CEO at Viakoo, said whether it’s through the public cloud, use of open source software, or large-scale deployment of IoT devices, organizations have a vastly expanded attack surface landscape to defend. Broomhead said while VMware was prompt in delivering a patch to remediate this vulnerability, organizations must quickly react when a high-severity vulnerability is announced. 

“The ability to breach large numbers of organizations is a goal for many threat actors," Broomhead said. “Cloud-based solutions offer tremendous efficiencies for organizations, but also gives threat actors efficiencies in the form of being able to perform exploits more easily and at scale through cloud-hosted solutions.”