1. Introduction
VMware Workspace ONE Access HTTP Detection indicates a VMware Workspace ONE Access server is running on your network. This solution, previously known as VMware Identity Manager, virtualises operating systems allowing multiple OSs to run on one host. A publicly accessible server presents an attack surface. Successful exploitation could lead to information disclosure and potential compromise of the system.
2. Technical Explanation
The vulnerability arises from a Workspace ONE Access server being reachable via HTTP, rather than HTTPS. This allows attackers to intercept sensitive data in transit. There is no known CVE associated with this specific detection; it’s considered a configuration issue. An attacker could use a man-in-the-middle attack to capture usernames, passwords and session cookies if the server handles authentication over HTTP.
- Root cause: The Workspace ONE Access service allows connections via unencrypted HTTP.
- Exploit mechanism: An attacker positions themselves between the user and the server, intercepting traffic sent over HTTP. Tools like Wireshark or Ettercap could be used to capture credentials.
- Scope: VMware Workspace ONE Access servers (formerly VMware Identity Manager) on all platforms are affected if configured to accept HTTP connections.
3. Detection and Assessment
Confirming the vulnerability involves checking whether the server accepts HTTP connections. A thorough assessment requires reviewing the service configuration.
- Quick checks: Use a web browser to access the Workspace ONE Access URL using both http:// and https:// protocols. If http:// works, the system is vulnerable.
- Scanning: For example, Nessus plugin ID 16829 can identify HTTP-enabled VMware Identity Manager instances.
- Logs and evidence: Review server logs for connections initiated over port 80 (HTTP). Specific log locations depend on the Workspace ONE Access deployment configuration.
curl -I http://your_workspace_one_access_url
4. Solution / Remediation Steps
Fixing this issue requires redirecting all HTTP traffic to HTTPS.
4.1 Preparation
- Ensure you have administrator access to the Workspace ONE Access console. A roll back plan involves restoring from the pre-change snapshot or backup.
- A change window may be required depending on your organisation’s policies, and approval from a security team might be needed.
4.2 Implementation
- Step 1: Log in to the VMware Workspace ONE Access console as an administrator.
- Step 2: Navigate to System > Settings > Configuration.
- Step 3: Locate the “HTTP Redirection” setting and enable it.
- Step 4: Save the changes.
- Step 5: Restart the VMware Workspace ONE Access service.
4.3 Config or Code Example
Before
HTTP Redirection: Disabled
After
HTTP Redirection: Enabled
4.4 Security Practices Relevant to This Vulnerability
- Practice 1: Enforce HTTPS for all web applications to protect data in transit.
- Practice 2: Implement HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
4.5 Automation (Optional)
# Example PowerShell script to check HTTP redirection status (requires VMware PowerCLI module)
# This is an example only; adapt for your environment.
Connect-VIServer -Server your_vcenter_server -User your_username -Password your_password
Get-VMwareWorkspaceONEAccessSettings | Select-Object HttpRedirectionEnabled
5. Verification / Validation
Confirm the fix by checking that HTTP connections are redirected to HTTPS.
- Post-fix check: Use a web browser and attempt to access the Workspace ONE Access URL using http://. The connection should automatically redirect to https://.
- Re-test: Repeat the quick check from Section 3; http:// should now fail to connect directly, or redirect immediately.
- Smoke test: Log in to Workspace ONE Access via HTTPS and verify that you can access all required applications and resources.
curl -I http://your_workspace_one_access_url # Should return a redirect response (301 or 302)
6. Preventive Measures and Monitoring
- Baselines: Update your security baseline to require HTTPS for all web applications.
- Pipelines: Include checks in your CI/CD pipeline to ensure new deployments do not enable HTTP connections on sensitive services.
- Asset and patch process: Review configuration settings during regular asset audits or vulnerability scans.
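One way to turn the curl check from Sections 3 and 5 into a pipeline gate, with the HSTS practice from 4.4 checked as well. This is an added example, not vendor code: the function names, verdict words and the host access.example.internal are assumptions, and it accepts 303, 307 and 308 redirects in addition to the 301/302 mentioned above.

```sh
#!/bin/sh
# Added example: verdicts for the header block printed by `curl -sI`.

classify_http_headers() {
    # stdin: headers from http://HOST/ ; stdout: one verdict word
    tr -d '\r' | awk '
        NR == 1 { status = $2 }                       # "HTTP/1.1 301 ..." -> 301
        tolower($1) == "location:" { loc = $2 }       # header names are case-insensitive
        END {
            if (status ~ /^30[12378]$/) {
                if (tolower(loc) ~ /^https:\/\//) print "redirect-https"
                else print "redirect-insecure"        # http:// or relative target stays on HTTP
            } else if (status ~ /^2[0-9][0-9]$/) print "serves-http"
            else print "inconclusive"
        }'
}

has_hsts() {
    # stdin: headers from https://HOST/ ; exit 0 only if HSTS has max-age > 0
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" &&
        match(tolower($0), /max-age=[0-9]+/) {
            if (substr($0, RSTART + 8, RLENGTH - 8) + 0 > 0) ok = 1
        }
        END { exit !ok }'
}

check_host() {
    # Live gate for a pipeline; assumes curl is installed and $1 is the hostname.
    v=$(curl -sI --max-time 10 "http://$1/" | classify_http_headers)
    [ "$v" = "redirect-https" ] &&
        curl -sI --max-time 10 "https://$1/" | has_hsts
}

# Constructed sample responses (not captured from a real server).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_AFTER='HTTP/1.1 301 Moved Permanently
Location: https://access.example.internal/'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BEFORE" | classify_http_headers
    printf '%s\n' "$SAMPLE_AFTER"  | classify_http_headers
fi
```

A redirect whose Location is relative or still http:// is reported as redirect-insecure, because the client's next request would again travel unencrypted.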
7. Risks, Side Effects, and Roll Back
- Risk or side effect 2: Compatibility issues with older clients that do not support HTTPS. Test with representative client configurations.
- Roll back: 1) Log in to the VMware Workspace ONE Access console as an administrator. 2) Navigate to System > Settings > Configuration. 3) Disable HTTP Redirection. 4) Save changes and restart the service.
8. References and Resources
- Vendor advisory or bulletin: https://docs.vmware.com/en/Workspace-ONE-Access/index.html
- NVD or CVE entry: Not applicable for this configuration issue.
- Product or platform documentation relevant to the fix: https://docs.vmware.com/en/Workspace-ONE-Access/admin/config-http-redirection.html