Attacker Value

High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2022-22956

Disclosure Date: April 13, 2022 •

CVE-2022-22956 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

Add Assessment

jheysel-r7 (164)

April 11, 2023 6:26pm UTC (1 year ago)•

Ratings

Attacker Value

High

Exploitability

Very High

Common in enterprise Easy to weaponize Unauthenticated Vulnerable in default configuration

Technical Analysis

This vulnerability is an authentication bypass in VMware Workspace ONE and related products. The list of affected products and corresponding versions are:

Vulnerable Application	Vulnerable version
VMware Workspace ONE Access (Access)	21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager (vIDM)	3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware vRealize Automation (vRA)	8.x, 7.6
VMware Cloud Foundation	4.x

Reasoning for Exploitability & Attacker Value ratings:

This vulnerability was bundled in VMSA-2022-0011 along with 8 other CVEs. Out of all the CVEs in this advisory CVE-2022-22954 really stole the show as it was an unauthenticated remote code execution vulnerability. Not as many paid much mind to this CVE + CVE-2022-22957 (authenticated RCE) which when combined together with CVE-2022-22960 (LPE) gives attackers yet another exploitation path to unauthenticated remote code execution in the context of the root user.

How it works:

The vulnerability lies in the fact that vulnerable VMware Workspace ONE Access versions shipped with two different default OAuth2 clients. By navigating to https://photon-machine/SAAS/admin/settings/manage/manageOAuthClients/ on a vulnerable instance under Remote App Access users can see two separate Client IDs which are enabled by default to receive User Access Tokens in the scope of “system, admin”:

CLIENT ID	SCOPE	ACCESS TYPE	STATUS
acs	system,admin	User Access Token	Enabled
Service__OAuth2Client	system,admin	User Access Token	Enabled

The auth by-pass works by abusing com.vmware.horizon.rest.controller.oauth2.OAuth2TokenResourceController which has two exposed endpoints: /generateActivationToken/{id} and /activate . The first will generate an activation code for an existing oauth2 client (which we know two exist by default) and the second will activate the device oauth2 client by exchanging the activation code for a client ID and secret.

Then the attacker can exchange the client_id and client_secret for an OAuth2 token and viola, the attacker has completely by-passed VMware’s authentication mechanism.

References:

https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

vmware

Products

identity manager 3.3.3,
identity manager 3.3.4,
identity manager 3.3.5,
identity manager 3.3.6,
vrealize automation,
vrealize automation 7.6,
workspace one access 20.10.0.0,
workspace one access 20.10.0.1,
workspace one access 21.08.0.0,
workspace one access 21.08.0.1

Metasploit Modules

exploit/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb)

References

Canonical

CVE-2022-22956 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22956)

Miscellaneous

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html

http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html

Rapid7

High

CVE-2022-22956

High

Very High

None

None

Network

CVE-2022-22956

Description

Add Assessment

Ratings

Technical Analysis

Reasoning for Exploitability & Attacker Value ratings:

How it works:

References:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2022-22956

High

Very High

None

None

Network

CVE-2022-22956

Description

Add Assessment

Ratings

Technical Analysis

Reasoning for Exploitability & Attacker Value ratings:

How it works:

References:

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification