Rewterz Threat Update – Unpatched VMware Vulnerabilities Actively Exploited by Threat Actors

Severity

High

Analysis Summary

Vulnerabilities CVE-2022-22972 and CVE-2022-22973 are newly released vulnerabilities that have the capability to be actively exploited by threat actors.

CVE-2022-22972 CVSS:9.8

VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

CVE-2022-22973 CVSS:7.8

VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

It is expected that threat actors may chain these vulnerabilities, and successful exploitation may lead to root access, escalate permissions, let the actor move laterally, and also wipe logs.

Snort Signatures for similar vulnerabilities (CVE-2022-22954) is:

alert tcp any any -> any $HTTP_PORTS (msg:”VMware:HTTP GET URI contains ‘/catalog-portal/ui/oauth/verify?error=&deviceUdid=’:CVE-2022-22954″; sid:1; rev:1; flow:established,to_server; content: “GET”; http_method; content:”/catalog-portal/ui/oauth/verify?error=&deviceUdid=”; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022- 22954.py; priority:2; metadata:service http;)

A third-party Snort signature may also help detect exploitation of VMware Workspace ONE Access server-side template injection:

10000001alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”Workspace One Serverside Template Injection”;content:”GET”; http_method; content:”freemarker.template.utility.Execute”;nocase; http_uri; priority:1; sid:;rev:1;)

For the detection of unmodified instances on infected hosts of the Dingo J-spy webshells, refer to the following YARA rule:

rule dingo_jspy_webshell

{

strings:

$string1 = “dingo.length”

$string2 = “command = command.trim”

$string3 = “commandAction”

$string4 = “PortScan”

$string5 = “InetAddress.getLocalHost”

$string6 = “DatabaseManager”

$string7 = “ExecuteCommand”

$string8 = “var command = form.command.value”

$string9 = “dingody.iteye.com”

$string10 = “J-Spy ver”

$string11 = “no permission ,die”

$string12 = “int iPort = Integer.parseInt”

condition:

filesize < 50KB and 12 of ($string*)

}

Affected Vendors

• VMware

Affected Products

• VMware Identity Manager Appliance 3.3.3 to 3.3.6
• VMware Workspace ONE Access Appliance 20.10.0.0 to 21.08.0.1

Impact

• Privilege Escalation
• Security Bypass

Remediation

• Isolate the affected systems.
• Collect and review data, artifacts, and relevant logs.
• Patch the vulnerability as soon as possible from here.

Patch Deployment Procedure 

1. log in as sshuser, sudo to root-level access.

2. Download and transfer HW-156875-Appliance-<Version>.zip to the virtual appliance. This .zip file can be saved anywhere on the file system. VMware recommends SCP protocol to transfer the file to the appliance. Tools such as WinSCP can also be used to transfer the file to the appliance.

3. Unzip the file using the command below.

unzip HW-156875-Appliance-<Version>.zip 

4. Navigate to the files within the unzipped folder using the command below.

cd HW-156875-Appliance-<Version>

5. Run the patch script using the command below

./HW-156875-apply patch.sh

Patch Deployment Validations:

• Login as an Administrator to the Workspace ONE Access Console and verify the System Diagnostics page is green. 
• If the patch is applied successfully you can find a flag file created as HW-156875-<version-number>-hotfix.applied (ex: HW-156875-21.08.0.1-hotfix.applied) in /usr/local/horizon/conf/flags directory. 

Change of Workspace ONE Access/VMware Identity Manager to a Load Balancer FQDN may fail with a “HTTP GET call returned 444” error. Follow these steps to fix this error

1. Using an SSH client, log in to the?Workspace ONE Access/VMware Identity Manager?appliance as the root user.
2. Open the?/usr/local/horizon/conf/runtime-config.properties?file using an editor such as vi 
3. Change the value of the gateway. hostname property to the new FQDN
4. Restart the Tomcat service using the command “service horizon-workspace restart 
5. Change FQDN from UI using the documented procedure