Exploit Log4j mitigate on VMware Unified Access Gateway

## UPDATE 20/12/2021 ##

On December 14, 2021 the Apache Software Foundation notified the community that their initial guidance for CVE-2021-44228 workarounds was not sufficient. We believed the previous instructions in this article to be an effective mitigation for CVE-2021-44228, but in the best interest of our customers, we must assume the earlier workaround may not adequately address all attack vectors. 

We need to run a script:

#!/bin/bash

# Log contents to file by prefixing timestamp. Maximum file size is 50MB
function log_to_console() {
    echo "$(date +'%Y-%m-%d %T')" "$HOSTNAME" "$@"
}

log_to_console "Running script to remove JndiLookup.class from jars in Unified Access Gateway"

log_to_console "UAG Version: " $(tail -1 /opt/vmware/gateway/logs/version.info 2>/dev/null)

mkdir /tmp/test
mkdir /tmp/bkp

log_to_console "Unpacking archive and removing JndiLookup.class"
cp /opt/vmware/gateway/lib/ab-frontend-0.2.jar /tmp/bkp

unzip -q -o /opt/vmware/gateway/lib/ab-frontend-0.2.jar -d /tmp/test

unzip -q -o /tmp/test/hc.war -d /tmp/test/hc

zip -dq /tmp/test/hc/WEB-INF/lib/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

rm /tmp/test/hc.war
cd /tmp/test/hc

zip -r -q ../hc.war .

cd ..
rm -rf hc

log_to_console "Repackaging archive"

zip -r -q ab-frontend-0.2.jar .

chown gateway:users ab-frontend-0.2.jar
mv ab-frontend-0.2.jar /opt/vmware/gateway/lib

log_to_console "Replaced updated ab-frontend-0.2.jar, now looking for jndi in other places"

find / -type f \( -name "*.jar" -o -name *.war \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \; | grep .jar | while read -r line ; do
    jar_path=$line
    log_to_console "Updating $jar_path"
    zip -dq $jar_path org/apache/logging/log4j/core/lookup/JndiLookup.class
    chown gateway:users $jar_path
done


log_to_console "Restarting authbroker"
supervisorctl restart authbroker

log_to_console "Cleaning up."
cd /tmp
rm -rf /tmp/test

log_to_console "Verification: We are good if no jars are listed below"
find / -type f \( -name "*.jar" -o -name *.war \) -exec sh -c "zipinfo -1 {} 2>/dev/null | grep 'JndiLookup.class' && echo {}" \;

log_to_console "Verification: Grep authbroker-std-out.log for log4j errors, we are good if no exception is displayed below"
cat /opt/vmware/gateway/logs/authbroker-std-out.log | grep log4j

log_to_console "Done!"

Well we need to connect to UAG and create a uag_rm_log4j_jndilookup.sh file

vi uag_rm_log4j_jndilookup.sh

copy into the file the code, and enable it for execution

chmod +x uag_rm_log4j_jndilookup.sh

running the script

./uag_rm_log4j_jndilookup.sh

now if the UAG version is between 2009 and 2111 it is also necessary to set the -Dlog4j2.formatMsgNoLookups=true option on the authbroker service with the following commands. Note the space between “s/java /java”  and a space after “true /” in the command, these are important to ensure the command works correctly and doesn’t attempt to modify the wrong lines in the configuration file.

sed -i ‘s/java /java -Dlog4j2.formatMsgNoLookups=true /’ /opt/vmware/gateway/supervisor/conf/authbroker.ini

and restart the supervisorctl

supervisorctl update

more info in this VMware KB

Mitigation instructions to address CVE-2021-44228 and CVE-2021-45046 in VMware Unified Access Gateway (UAG) (87092)

#########################

In the middle of December month, we found a “little exploit”……

Ok it is not a joke, for mitigate on UAG (Unified Access Gateway that is a Security Server exposed on the Internet for remote access at Horizon infrastructure) it is necessary (To apply the workaround for CVE-2021-44228 to Unified Access Gateway version 2009 through to 2111):

  • Connect to UAG server with SSH Session

Check if SSH is enabled on UAG server to accept root connection.

Connect from WEB console or VMware Remote Console to UAG virtual appliance and modify in /etc/ssh/sshd_config the following line (for modify use vi commands):

PermitRootLogin no

to

PermitRootLogin yes

Save the file

Restart SSHD service with this command:

service sshd restart

now you are able to create an SSH connection to UAG server, REMEMBER TO DISABLE SSH CONNECTION FOR ROOT USER WITH ROLLBACK THE SETTING INTO SSHD_CONFIG FILE

  • Append the fix -Dlog4j2.formatMsgNoLookups=true

Type this command:

sed -i ‘s/java /java -Dlog4j2.formatMsgNoLookups=true /’ /opt/vmware/gateway/supervisor/conf/authbroker.ini

Reload the service

supervisorctl update

Check if the fix is applied with this command:

ps -ef | grep ab-frontend

the output of the command should need:

root@viuag03 [ ~ ]# ps -ef | grep ab-frontend
gateway 2799 849 99 09:51 ? 00:00:12 /usr/lib/jvm/zre-8/bin/java -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF8 -Dport=8877 -Dlog4j.configuration=file:/opt/vmware/gateway/conf/log4j-authbroker.properties -Dspring.profiles.active=accesspoint -jar /opt/vmware/gateway/lib/ab-frontend-0.2.jar
root 2817 2622 0 09:51 pts/0 00:00:00 grep –color=auto ab-frontend

Ref: Workaround instructions to address CVE-2021-44228 in VMware Unified Access Gateway (87092)

Exploit Log4j mitigate on VMware Unified Access Gateway

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Import XML on Horizon Connection Servers and configure it

Now we import the XML content in to all Horizon Connection Server, for all server on

Select Edit and after authentication

Select in delegation of authentication ….. the value ALLOWED open

and a new authenticator

Static

Name type Azure

And copy the content of XML file  on the SAML Metadata

Enable truesso for Horizon Authentication method

On a Connection server enable the TRUESSO for a Authentication Method

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –authenticator –edit –name authenticator-fqdn –truessoMode {ENABLED|ALWAYS}

vdmUtil –authAs administrator –authDomain pollaio –authPassword 121212121 –truesso –authenticator –edit –name azure  –truessoMode ENABLED

And now the configuration is done.

Thank You

Fabio Storni fabio1975@gmail.com

REFERENCE

Tutorial: Azure Active Directory single sign-on (SSO) integration with VMware Horizon – Unified Access Gateway | Microsoft Docs

Setting Up True SSO (vmware.com)

Azure MFA, UAG, Horizon and TRUE SSO – Step 5

Azure MFA, UAG, Horizon and TRUE SSO – Step 4

Configure a enterprise application on Azure AD, configure it and export XML

Insert:

 Identifier  -> https://<public-FQDN-UAG>/portal

Reply URL -> https://<public-FQDN-UAG>/portal/samlsso

Sign on URL -> https://<public-FQDN-UAG>/portal/samlsso

Download the  XML

Assign Users or Groups permission to Enterprise application

Import XML on UAG and configure it

Import Identity Provider Metadata, select the file XML downloaded from the Enterprise Application data

Select the identity provider

 Select More Option

And select SAML e the correct Identity provider (with SAML+PASSTROUGHT the identity token  will not passed to horizon Server and it will required a new autentication)

Azure MFA, UAG, Horizon and TRUE SSO – Step 4

Azure MFA, UAG, Horizon and TRUE SSO – Step 3

Export Horizon Enrollment Certificate from Horizon installation and install it in to Enrollment Horizon Server

Connect to Horizon Server and export the Horizon View Certificate  (The certificate with  vdm.ec friendly name)

Now we import the enrollment certificate in to Horizon Enrollment server,  we need import in to Certificate Computer store and add the friwndly name vdm.ec

Configure TrueSSO on Horizon Connection Server

Configure Enrollement server

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –environment –add –enrollmentServer enroll-server-fqdn

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –environment –add –enrollmentServer Enroll.pollaio.lan

Verifica le informazioni

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –environment –list –enrollmentServer enroll-server-fqdn –domain domain-fqdn

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –environment –list –enrollmentServer Enroll.pollaio.lan –domain pollaio.lan

Creare la connessione per il true sso

vdmUtil –authAs admin-role-user –authDomain domain-name –authPassword admin-user-password –truesso –create –connector –domain domain-fqdn –template TrueSSO-template-name –primaryEnrollmentServer enroll-server-fqdn –certificateServer ca-common-name –mode enabled

vdmUtil –authAs administrator –authDomain pollaio –authPassword qwerty1234567890! –truesso –create –connector –domain pollaio.lan –template TRUESSOHORIZON  –primaryEnrollmentServer enroll.pollaio.lan –certificateServer pollaio-NPSSRV-CA  –mode enabled

Verify from the Horizon Connection server dashboard thee TrueSSO status, if it is all green the trueSSO is Ready

Azure MFA, UAG, Horizon and TRUE SSO – Step 3

Integrazione VMware Unified Access Gateway con autenticazione Azure MFA

 Per procedere all’integrazione  con Azure MFA è necessario eseguire delle configurazioni su Azure Active Directory  (non entrerò nel dettaglio di queste configurazioni) ma per procedere nell’abilitazione dell’autenticazione a più fattori sull’UAG è necessario accedere all’Enterprise Application creata e scarica il file XML con i metadata. Inoltre verificare che nella Basic SAML Configuration ci siano i riferimenti alla mia infrastruttura UAG pubblica.

 

Scarico il file XML con i metadata da utilizzare per configurare l’UAG

Importo il file XML nella infrastruttura UAG nelle configurazioni manuali in Identity Bridging Settings

 

Importo il file XML contenente i metadata selezionado Select

 

Una volta caricato sull’UAG il file XML con i metadata vado negli edge service settings ed entro nei nelle configurazioni

E configuro l’Auth Methods e l’identity Provider (che mi compare in automatico dopo aver caricato il file XML)

 

A questo punto posso procedere ad accedere e testare l’accesso con MFA.

Integrazione VMware Unified Access Gateway con autenticazione Azure MFA