Analytics Story: VMware Server Side Injection and Privilege Escalation

Description

Recently disclosed CVE-2022-22954 and CVE-2022-22960 have been identified in the wild abusing VMware products to compromise internet faced devices and escalate privileges.

Why it matters

On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. To further exacerbate this issue, VMware also disclosed a local privilege escalation issue, CVE-2022-22960, which permits the attacker to gain root after exploiting CVE-2022-22954. Products affected include - VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1 and VMware Identity Manager (vIDM) 3.3.3 - 3.3.6.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
VMware Server Side Template Injection Hunt Exploit Public-Facing Application, External Remote Services Hunting
VMware Workspace ONE Freemarker Server-side Template Injection Exploit Public-Facing Application, External Remote Services Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Palo Alto Network Threat Network icon Network pan:threat pan:threat

References


Source: GitHub | Version: 1