CVE-2022-22954 VMware – Executive Summary
VMware released a security advisory on April 6, 2022, which highlighted eight vulnerabilities, such as CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affected VMware products like vRealize Automation, Workspace ONE Access, and Identity Manager. On April 13, ...
CVE-2022-22954 VMware – Executive Summary
VMware released a security advisory on April 6, 2022, which highlighted eight vulnerabilities, such as CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affected VMware products like vRealize Automation, Workspace ONE Access, and Identity Manager. On April 13, VMware updated the advisory to reveal that CVE-2022-22954 was being exploited in the wild.
CVE-2022-22954 VMware WorkSpace and Identity Manager Template Injection
VMware Workspace ONE Access, which was formerly Identity Manager, is vulnerable to a Server-Side Template Injection vulnerability identified as CVE-2022-22954. This vulnerability was actively exploited in 2022 and has also been employed by loader stages of malware like Mirai to download more malware onto an infiltrated web server.
An SSTI vulnerability exists when a web application allows a user to input data into the web application, which eventually becomes part of a back-end template used to generate dynamic content for the web site. It has been noticed of late that a good number of web applications receive user input without any sanitization and use it in the construction of the template that is used to construct the dynamic web content. This sometimes leads to the unintended execution of the user provided content, which leads to code execution on the server side and eventual server take-over.
The URI path /catalog-portal/ui/oauth/verify?error=&deviceUdid= is vulnerable to a template injection attack. The Freemaker Java Template Engine provides a Class named Execute which allows execution of externally provided commands. It is this vulnerability that’s exploited in the wild and identified as CVE-2022-22954. A request as shown below will lead to the execution of “cat /etc/passwd” on the target system.
GET http://(Server)/${“freemarker.template.utility.Execute”?new()(“cat /etc/passwd”)}
The “Execute” Class is invoked remotely and the command “cat /etc/passwd” executes locally on the web server. This command could be replaced with any command that would allow the attacker to achieve their objective, which could be downloading and executing more malware employing curl, privilege escalation exploit using CVE-2022-22960 or another CVE, etc. There have also been reports of CVE-2022-22954 being used to upload webshells, like Dingo J-spy onto infiltrated hosts. Due to the severe nature of the vulnerability and its active exploitation customers are advised to follow the advisories published by VMware to address this vulnerability.
Vehere Network Detection and Response: Protection Against Threat’s Past and Present
Vehere’s research wing, Moon Treader, actively researches new vulnerabilities and malware outbreaks in order to improve the detection efficacy of its NDR solution. Vehere NDR’s Rule Engine is constantly updated to detect threats like the one discussed in this blog.
In addition to a comprehensive Rule Set that guides the Rule Engine in detecting attacks and behavior anomalies, the NDR’s ML engines are trained to detect behavioral anomalies in customer networks. This, combined with a comprehensive set of NDR enhancements to detect lateral movement activity in a network, enables customers to get a holistic view of any violation of their computing assets and deter the progress of the attack.