Mitigating CVE-2022-22960: Addressing High-Severity Privilege Escalation in VMware Workspace ONE Access and Identity Manager

Executive Summary

CVE-2022-22960 is a high-severity privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Because of improper permissions on support scripts, a malicious actor with local access can escalate privileges to 'root'. The vulnerability carries a CVSS v3.1 Base Score of 7.8, placing it in the High severity band. It has been actively exploited in the wild, typically chained with other vulnerabilities, and poses a significant risk to enterprise environments.

Technical Information

CVE-2022-22960 is a privilege escalation vulnerability affecting several VMware products, including VMware Workspace ONE Access, Identity Manager, and vRealize Automation. It arises from improper permissions on support scripts, which a malicious actor with local access can exploit to escalate privileges to 'root'. Its CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: exploitation requires local access and low privileges, needs no user interaction, and has a high impact on confidentiality, integrity, and availability.

The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource). It was first published on April 13, 2022, and last modified on July 2, 2024. The affected products include VMware Workspace ONE Access, VMware Identity Manager (versions 3.3.3 to 3.3.6), VMware vRealize Automation (version 7.6), and VMware Cloud Foundation (versions 3.0 to 5.0).

The improper permissions in the support scripts allow a local attacker to execute arbitrary code with elevated privileges. This can lead to complete system compromise, allowing the attacker to install programs, view, change, or delete data, or create new accounts with full user rights.

Exploitation in the Wild

CVE-2022-22960 has been actively exploited in the wild. According to multiple sources, including CISA and Unit 42 by Palo Alto Networks, malicious cyber actors, likely advanced persistent threat (APT) groups, have been observed chaining CVE-2022-22960 with other vulnerabilities such as CVE-2022-22954 to gain unauthorized access and escalate privileges. The exploitation typically involves gaining initial access through another vulnerability and then using CVE-2022-22960 to escalate privileges to 'root'.

Indicators of Compromise (IOCs) for this vulnerability include unusual privilege escalation activities, creation of new user accounts with elevated privileges, and execution of unauthorized scripts or binaries. Organizations should monitor for these IOCs and implement detection rules to identify exploitation attempts.

APT Groups using this vulnerability

While specific APT groups exploiting CVE-2022-22960 have not been named, the tactics observed are consistent with those employed by groups targeting enterprise environments for espionage and data exfiltration. These groups often target sectors such as government, defense, and critical infrastructure in countries including the United States, United Kingdom, and Australia.

Affected Product Versions

The following products and versions are affected by CVE-2022-22960:

VMware Workspace ONE Access
VMware Identity Manager (versions 3.3.3 to 3.3.6)
VMware vRealize Automation (version 7.6)
VMware Cloud Foundation (versions 3.0 to 5.0)

Organizations using these products should prioritize patching to mitigate the risk of exploitation.

Workaround and Mitigation

To mitigate the risk of exploitation, organizations should apply the patches provided by VMware as per the advisory VMSA-2022-0011. In addition to patching, organizations should implement robust monitoring and detection mechanisms to identify unusual privilege escalation activities. Detection rules provided by SOC Prime and other security vendors can be used to detect exploitation attempts.

Access control measures should also be enforced to ensure that only authorized personnel have local access to critical systems. Regular reviews of permissions and access controls can help prevent unauthorized access and privilege escalation.
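As an added example (not code from the Rescana report or from VMware), a POSIX shell audit for the permissions review recommended above: it flags files under a directory of privileged scripts that are group- or world-writable or not owned by the expected account, the CWE-732 condition behind CVE-2022-22960. The directory and owner are parameters, since the report names no script paths; the fixture directory and file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the Rescana report or from VMware. Audits a
# directory of scripts that run with elevated privileges for the CWE-732
# pattern behind CVE-2022-22960: files a lower-privileged local user could
# edit or replace. `stat -c` is GNU coreutils (BSD/macOS: stat -f '%Lp %Su %N').

# audit_privileged_scripts DIR [OWNER]
# Prints "<mode> <owner> <path> (<reason>)" per finding.
# Returns 0 when clean, 1 when at least one file is group- or world-writable
# or is not owned by OWNER (default: root).
audit_privileged_scripts() {
    dir=$1
    owner=${2:-root}
    found=0
    for spec in 'group-writable:-perm -020' 'world-writable:-perm -002' \
                "wrong-owner:! -user $owner"; do
        reason=${spec%%:*}
        test_expr=${spec#*:}
        # $test_expr is deliberately unquoted so find receives separate arguments.
        hits=$(find "$dir" -type f $test_expr -exec stat -c "%a %U %n ($reason)" {} \;)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Constructed fixture for a stand-alone run: one script with sane permissions
# and one that any local user could overwrite (the CVE-2022-22960 shape).
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$d/locked.sh"; chmod 0750 "$d/locked.sh"
    printf '#!/bin/sh\necho ok\n' > "$d/loose.sh";  chmod 0777 "$d/loose.sh"
    printf '%s\n' "$d"
}

demo() {
    fixture=$(make_fixture)
    # Fixture files are owned by whoever runs the demo, so pass that user as OWNER.
    if audit_privileged_scripts "$fixture" "$(id -un)"; then
        echo "clean"
    else
        echo "findings above: tighten with chmod 0750 and chown to the expected owner"
    fi
    rm -rf "$fixture"
}

case ${1-} in --demo) demo ;; esac
```

Run with `sh audit.sh --demo` to see the constructed fixture flagged; point `audit_privileged_scripts` at the real script directory and the account that is supposed to own it for an actual review.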

References

For more detailed information on CVE-2022-22960, please refer to the following resources:

NVD: NVD CVE-2022-22960
VMware Advisory: VMSA-2022-0011
Packet Storm Security: VMware Workspace ONE Remote Code Execution
Packet Storm Security: VMware Workspace ONE Access Privilege Escalation
CISA Advisory: CISA AA22-138B
Rapid7: Rapid7 CVE-2022-22960
Unit 42 by Palo Alto Networks: Unit 42 CVE-2022-22960

Rescana is here for you

At Rescana, we understand the critical importance of protecting your organization from emerging cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of vulnerabilities like CVE-2022-22960 by providing real-time monitoring, threat intelligence, and automated remediation. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com. We are here to help you safeguard your digital assets and ensure the security of your enterprise.
