Critical RCE Vulnerability in VMware Workspace ONE Access: CVE-2022-22954 Analysis

Executive Summary

CVE-2022-22954 is a critical remote code execution (RCE) vulnerability in VMware Workspace ONE Access and VMware Identity Manager (vIDM), along with the VMware products that embed them. The flaw is a server-side template injection (SSTI) that lets an unauthenticated attacker with network access to the web interface execute arbitrary code on the appliance. It carries a CVSSv3 base score of 9.8 and has been exploited in the wild since shortly after the advisory was published; CISA reports that threat actors, including APT actors, chained it with a second VMware flaw, CVE-2022-22960, to escalate from the web-tier user to root. No specific APT group has been publicly attributed to the exploitation at the time of this report.

Technical Information

CVE-2022-22954 is a server-side template injection in VMware Workspace ONE Access and Identity Manager. User-controlled input reaches the FreeMarker template engine and is evaluated as template syntax rather than treated as data, so an attacker with network access to the web interface can execute arbitrary code on the appliance. The vulnerability has a CVSSv3 base score of 9.8. Its vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, scope unchanged, and full impact on confidentiality, integrity and availability.

The affected products and versions are enumerated under Affected Product Versions below and in VMware advisory VMSA-2022-0011.

The injection point documented in public write-ups and in the proof-of-concept referenced below is the deviceUdid query parameter of the /catalog-portal/ui/oauth/verify endpoint. A FreeMarker interpolation placed in that parameter is rendered by the server, and FreeMarker's ?new() built-in can instantiate freemarker.template.utility.Execute, which runs an operating-system command. Because no authentication is required, a single crafted HTTP request yields command execution as the service account running the web tier, which attackers then use to drop web shells, stage additional payloads, or escalate privileges.

Exploitation in the Wild

CVE-2022-22954 has been actively exploited in the wild. Threat actors use it for initial access and then deploy additional payloads on the compromised appliance. CISA reports that attackers chained it with CVE-2022-22960, a local privilege escalation in the same products, to obtain root on the appliance after the initial template injection.

Specific instances of exploitation have been documented by various cybersecurity firms. Rapid7 reported widespread exploitation of this vulnerability, highlighting its critical nature (https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/). Palo Alto Networks Unit 42 also provided a detailed threat brief on the exploitation of VMware vulnerabilities, including CVE-2022-22954 (https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/). Additionally, CISA issued an advisory on threat actors chaining unpatched VMware vulnerabilities, emphasizing the need for immediate patching (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b).

APT Groups using this vulnerability

Specific APT groups exploiting CVE-2022-22954 have not been publicly named. CISA's advisory AA22-138B attributes the observed activity to "threat actors, including APT actors" without identifying them. Given the products' role as an identity provider and single sign-on gateway, a compromised appliance exposes credentials and sessions for everything federated behind it, so the blast radius of a successful attack extends well beyond the appliance itself.

Affected Product Versions

The products affected by CVE-2022-22954 include VMware Workspace ONE Access (versions 20.10.0.0, 21.08.0.0, 21.08.0.1, 21.08.0.2), VMware Identity Manager (versions 3.3.3, 3.3.4, 3.3.5, 3.3.6), VMware vRealize Automation (versions 7.6, 8.0 to 8.6), VMware Cloud Foundation (versions 4.0 to 4.3.1), and VMware vRealize Suite Lifecycle Manager (versions 8.0 to 8.2). Confirm the exact build of each appliance against VMSA-2022-0011 before treating a host as out of scope; the advisory is the authoritative list and includes the embedded vIDM instances shipped inside the vRealize and Cloud Foundation products.

Workaround and Mitigation

Apply the patches released by VMware; advisory VMSA-2022-0011 lists the fixed builds for each affected product (https://www.vmware.com/security/advisories/VMSA-2022-0011.html). The advisory also links a workaround for customers who cannot patch immediately, but the workaround is a stopgap and patching remains the fix. Because the vulnerability requires no authentication, do not expose the Workspace ONE Access or vIDM web interface to the internet unless it must be, and restrict access with network segmentation. Review web-server access logs for requests to /catalog-portal/ui/oauth/verify whose query string contains FreeMarker syntax (for example ${ together with ?new(), or the class name freemarker.template.utility.Execute), remembering that the payload is usually URL-encoded and sometimes double-encoded. Because exploitation was widespread before many organizations patched, also hunt for signs of post-exploitation on any appliance that was exposed while vulnerable: unexpected web shells under the web root, new cron jobs or services, and outbound connections from the appliance.
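The following is an added example written for this report, not code from VMware, Rescana or any of the referenced write-ups. It shows the log check recommended above in working form: parse common-log-format access lines, fully URL-decode each request's query string (so a double-encoded payload does not slip past a single decode), and flag FreeMarker template syntax, rating a hit higher when it targets the /catalog-portal/ui/oauth/verify endpoint named in the Technical Information section. The log lines are constructed for the example and the severity labels are an assumption of this example, not a VMware or CISA classification.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not real traffic), common log format:
#   1. single-encoded FreeMarker Execute payload on the vulnerable endpoint
#   2. benign request to the same endpoint
#   3. unrelated login request
#   4. double-encoded ObjectConstructor probe on the vulnerable endpoint
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2022:10:01:22 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 1532
198.51.100.7 - - [13/Apr/2022:10:01:40 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=abc123 HTTP/1.1" 200 812
203.0.113.5 - - [13/Apr/2022:10:02:05 +0000] "POST /SAAS/auth/login HTTP/1.1" 200 4410
192.0.2.9 - - [13/Apr/2022:10:03:11 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.ObjectConstructor%2522%253Fnew%2528%2529%257D HTTP/1.1" 500 0
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Endpoint documented in public write-ups and the referenced PoC.
VULNERABLE_PATH = "/catalog-portal/ui/oauth/verify"

# Strong indicators: an interpolation that calls the ?new built-in, or any
# reference to the FreeMarker utility classes abused for command execution.
STRONG_INDICATORS = [
    re.compile(r'\$\{[^}]*\?new\s*\('),
    re.compile(r'freemarker\.template\.utility\.\w+'),
]
# Weak indicator: any ${...} interpolation in a query string at all.
WEAK_INDICATORS = [re.compile(r'\$\{[^}]*\}')]


def decode_fully(value, max_rounds=5):
    """URL-decode until the string stops changing, exposing double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return (severity, matched_text) for a request target, or None if clean.

    Severity labels are this example's own convention (assumption):
    high   = strong indicator on the known vulnerable endpoint
    medium = strong indicator elsewhere, or weak indicator on the endpoint
    low    = weak indicator elsewhere
    """
    parts = urlsplit(target)
    query = decode_fully(parts.query)
    on_vuln_path = parts.path == VULNERABLE_PATH
    for pat in STRONG_INDICATORS:
        m = pat.search(query)
        if m:
            return ("high" if on_vuln_path else "medium", m.group(0))
    for pat in WEAK_INDICATORS:
        m = pat.search(query)
        if m:
            return ("medium" if on_vuln_path else "low", m.group(0))
    return None


def scan(log_text):
    """Parse access-log text and return one dict per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these
        verdict = classify(m.group("target"))
        if verdict is None:
            continue
        severity, indicator = verdict
        # The HTTP status alone does not prove success or failure: the
        # template is rendered before the response code is chosen.
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "path": urlsplit(m.group("target")).path,
            "severity": severity,
            "indicator": indicator,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['severity']:6} {hit['ip']:15} {hit['ts']} "
              f"{hit['path']} status={hit['status']} -> {hit['indicator']}")
```

Run against the constructed sample, the scanner reports the first and fourth lines as high-severity hits and ignores the benign request to the same endpoint; the fourth line is only caught because the query is decoded repeatedly. Feed it your real appliance access logs in place of SAMPLE_LOG, and treat any hit on a host that was unpatched at that timestamp as a trigger for the post-exploitation hunt described above.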

References

For further reading and detailed information on CVE-2022-22954, please refer to the following resources:

  • NVD - CVE-2022-22954 (https://nvd.nist.gov/vuln/detail/cve-2022-22954)
  • VMware Security Advisory VMSA-2022-0011 (https://www.vmware.com/security/advisories/VMSA-2022-0011.html)
  • Rapid7 Blog on CVE-2022-22954 (https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/)
  • Palo Alto Networks Unit 42 Threat Brief (https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/)
  • CISA Advisory on VMware Vulnerabilities (https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b)
  • CrowdSec Blog on Exploit Attempts (https://www.crowdsec.net/blog/new-surge-in-vmware-cve-2022-22954-exploit-attempts)
  • GitHub PoC for CVE-2022-22954 (https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC)

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring, detection, and mitigation strategies to protect your systems from vulnerabilities like CVE-2022-22954. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
