Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
1

CVE-2022-31660

Disclosure Date: August 05, 2022
CVE-2022-31660 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to ‘root’.

Add Assessment

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable vulnerability whereby the under-privileged horizon user can escalate their permissions to those of the root user. Notably, the horizon user runs the externally accessible web application. This means that remote code execution (RCE) within that component could be chained with this vulnerability to obtain remote code execution as the root user.

The vulnerability is due to the fact that the permissions on the file /opt/vmware/certproxy/bin/cert-proxy.sh are such that the horizon user is both the owner and has access to invoke this file.

To demonstrate and exploit this vulnerability, that file is overwritten, and then the following command is executed as the horizon user:

sudo /usr/local/horizon/scripts/certproxyService.sh restart

Note, that depending on the patch level of the system, the certproxyService.sh script may be located at an alternative path and require a slightly different command:

sudo /opt/vmware/certproxy/bin/certproxyService.sh restart

In both cases, the horizon user is able to invoke the certproxyService.sh script from sudo without a password. This can be verified by executing sudo -n --list. The certproxyService.sh script invokes the systemctl command to restart the service based on its configuration file. The service configuration file, located at /run/systemd/generator.late/vmware-certproxy.service, dispatches to /etc/rc.d/init.d/vmware-certproxy through the ExecStart and ExecStop directives, which in turn executes /opt/vmware/certproxy/bin/cert-proxy.sh.

The horizon user should not be the owner of or have write access to any executable files that run as root.

See the original disclosure for more information. This vulnerability has a public exploit in the form of a Metasploit module.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
VMware Workspace ONE Access, Identity Manager and vRealize Automation Workspace One Access (21.08.0.1 & 21.08.0.0), Identity Manager (vIDM) (3.3.6, 3.3.5 & 3.3.4), and vRealize Automation 7.6
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • vmware

Products

  • access connector 21.08.0.0,
  • access connector 21.08.0.1,
  • access connector 22.05,
  • identity manager 3.3.4,
  • identity manager 3.3.5,
  • identity manager 3.3.6,
  • identity manager connector 19.03.0.1,
  • identity manager connector 3.3.4,
  • identity manager connector 3.3.5,
  • identity manager connector 3.3.6,
  • one access 21.08.0.0,
  • one access 21.08.0.1

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis