CVE-2022-22972 and CVE-2022-22973 are newly disclosed vulnerabilities that are capable of being actively exploited by threat actors.
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Threat actors are expected to chain these vulnerabilities; successful exploitation may lead to root access, privilege escalation, lateral movement, and wiping of logs.
A Snort signature for the similar vulnerability CVE-2022-22954 is:
alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)
A third-party Snort signature may also help detect exploitation of VMware Workspace ONE Access server-side template injection:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection"; content:"GET"; http_method; content:"freemarker.template.utility.Execute"; nocase; http_uri; priority:1; sid:10000001; rev:1;)
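As an added example (not part of the original advisory or of VMware's tooling), the following Python script applies the same two indicators from the Snort signatures above to web-server access logs, approximating Snort's normalized http_uri buffer with percent-decoding so that %xx-encoded requests are still caught. The access-log format, the field names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote
# Indicators taken from the two Snort signatures above.
OAUTH_VERIFY_URI = "/catalog-portal/ui/oauth/verify?error=&deviceUdid="
SSTI_MARKER = "freemarker.template.utility.Execute"

# Common/combined access-log format (assumed; adjust the regex to your server's format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(method, uri):
    """Return the rule names a single request matches. Percent-decoding the URI
    approximates Snort's normalized http_uri buffer, so %xx encoding cannot hide the marker."""
    hits = []
    if method != "GET":  # both signatures are restricted to GET via http_method
        return hits
    decoded = unquote(uri)
    if decoded.startswith(OAUTH_VERIFY_URI):
        hits.append("CVE-2022-22954 oauth/verify URI")
    if SSTI_MARKER.lower() in decoded.lower():  # 'nocase' in the second rule
        hits.append("Workspace ONE SSTI marker")
    return hits

def scan_log(lines):
    """Run classify_request over access-log lines; one finding per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m["method"], m["uri"])
        if rules:
            findings.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                             "uri": m["uri"], "rules": rules})
    return findings

# Constructed sample log lines (not real traffic); the second line percent-encodes
# part of the marker to show why decoding matters, the third is ignored (not GET).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120',
    '203.0.113.45 - - [20/May/2022:10:01:03 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=x-freemarker.template.utility.Exec%75te-x HTTP/1.1" 400 0',
    '198.51.100.7 - - [20/May/2022:10:02:15 +0000] "POST /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc HTTP/1.1" 200 12',
    '198.51.100.9 - - [20/May/2022:10:03:40 +0000] "GET /SAAS/t/portal?q=FreeMarker.Template.Utility.EXECUTE HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["status"], f["rules"])
```

A non-2xx status on a matching request does not mean the attempt failed; treat every hit as worth triage against the host's own logs.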
For the detection of unmodified instances of the Dingo J-spy webshell on infected hosts, refer to the following YARA rule:
rule Dingo_JSpy_Webshell   // rule name assumed; the page gives only the strings and the condition
{
    strings:
        $string1 = "dingo.length"
        $string2 = "command = command.trim"
        $string3 = "commandAction"
        $string4 = "PortScan"
        $string5 = "InetAddress.getLocalHost"
        $string6 = "DatabaseManager"
        $string7 = "ExecuteCommand"
        $string8 = "var command = form.command.value"
        $string9 = "dingody.iteye.com"
        $string10 = "J-Spy ver"
        $string11 = "no permission ,die"
        $string12 = "int iPort = Integer.parseInt"
    condition:
        filesize < 50KB and 12 of ($string*)
}
Patch Deployment Procedure
1. Log in as sshuser and sudo to root-level access.
2. Download and transfer HW-156875-Appliance-<Version>.zip to the virtual appliance. This .zip file can be saved anywhere on the file system. VMware recommends SCP protocol to transfer the file to the appliance. Tools such as WinSCP can also be used to transfer the file to the appliance.
3. Unzip the file using the command below.
4. Navigate to the files within the unzipped folder using the command below.
5. Run the patch script using the command below.
Patch Deployment Validations:
Changing the Workspace ONE Access/VMware Identity Manager FQDN to a Load Balancer FQDN may fail with an "HTTP GET call returned 444" error. Follow these steps to fix this error: