Thousands of VMware customers publicly exposed to pre-auth RCE as exploit reproduced

VMware Cloud Foundation, NSX-T, vRealize Suite, VMware Cloud suites, vRealize Automation, vRealize Log Insight all...

Updated with confirmation of exploit reproduction by Positive Technologies

He's at it again: Arguably one of the world's most talented offensive security researchers, Steven Seeley, has reported five critical VMware vulnerabilities that give pre-authentication remote code execution (RCE). The virtualisation heavyweight has now pushed out patches that one staffer described as its most urgent since Log4j.

It took less than 24 hours from VMware's patch release for security researchers at Positive Technologies to reproduce one of the pre-auth RCEs (the server-side template injection vulnerability allocated CVE-2022-22954).

Malicious actors are likely to rapidly follow with exploits in the absence of patching or mitigation.

The bugs affect VMware Workspace ONE Access or any product that includes VMware Identity Manager (vIDM) components and work in default configurations; even VMware Cloud Foundation was affected.

"The ramifications of this vulnerability are serious," VMware warned late Wednesday. For two of the vulnerabilities (CVE-2022-22955, CVE-2022-22956), "a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework," it warned, while for CVE-2022-22954 an attacker needs only "network access" (i.e. seemingly nothing more than an internet-exposed endpoint...)

Seeley told The Stack via DM that ~1,000 VMware instances were showing up as publicly exposed, adding: "This is a system that holds the keys - it manages user access and identity which means if this is compromised, then an attacker can very easily pivot the attack further by obtaining those keys" and "the template injection bug is not too complex, exploitation [is] very likely soon... other chain is a fair bit [more] complex..."

(That number doesn't account for live instances exposed via VMware cloud. Several major US companies are believed to be/have been exposed to the vulnerability with security teams scrambling to mitigate risk.)


https://twitter.com/ptswarm/status/1512083327884271619

Three of the new VMware vulnerabilities have a CVSS score of 9.8, two are ranked 9.1. VMware Security Advisory VMSA-2022-0011 also includes two "important" CVEs and one "moderate". While none are reported to be under active exploitation, threat researchers will no doubt be reverse engineering the patches in a bid to weaponise the vulnerabilities -- something that increasingly happens within days, public authorities say.

All critical VMware vulnerabilities were reported to the company by Seeley, aka mr_me, whose prolific zero day-hunting is documented here. (The security researcher in 2020 famously reported 120+ vulnerabilities including several pre-authentication RCEs in Cisco Data Center Network Manager after an unsuccessful eight-round interview process with Cisco Talos. He currently works for Qihoo 360 Vulnerability Research Institute.)

Affected Products                        Version(s)
VMware Workspace ONE Access Appliance    21.08.0.1
VMware Workspace ONE Access Appliance    21.08.0.0
VMware Workspace ONE Access Appliance    20.10.0.1
VMware Workspace ONE Access Appliance    20.10.0.0
VMware Identity Manager Appliance        3.3.6
VMware Identity Manager Appliance        3.3.5
VMware Identity Manager Appliance        3.3.4
VMware Identity Manager Appliance        3.3.3
VMware vRealize Automation               7.6

New critical VMware vulnerabilities: Workspace ONE exposed

VMware said that those affected include customers who have deployed Workspace ONE Access or any product that includes VMware Identity Manager (vIDM) components, whether built in or as an installation option.

"This includes VMware Cloud Foundation, NSX-T, the VMware vRealize Suite, the VMware Cloud suites, vRealize Automation, vRealize Log Insight, and vRealize Network Insight," it added in an advisory.

The critical VMware vulnerabilities include a server-side template injection RCE vulnerability allocated CVE-2022-22954, two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955 and CVE-2022-22956), and two JDBC injection RCE vulnerabilities (CVE-2022-22957, CVE-2022-22958). Mitigations as below:


A workaround for Workspace ONE Access Appliance (VMware Identity Manager) is as follows:

  1. Log in as sshuser, then sudo to root-level access.
  2. Download and transfer the HW-154129-applyWorkaround.py script to the virtual appliance. VMware recommends the SCP protocol to transfer the file to the appliance; tools such as WinSCP can also be used.
  3. Navigate to the downloaded file path using the "cd" command.
  4. Run the Python script using the command below:

python3 HW-154129-applyWorkaround.py

Procedure to revert the Workaround:

  1. Log in as sshuser, then sudo to root-level access.
  2. Download and transfer the HW-154129-revertWorkaround.py script to the virtual appliance. VMware recommends the SCP protocol to transfer the file to the appliance; tools such as WinSCP can also be used.
  3. Navigate to the downloaded file path using the "cd" command.
  4. Run the Python script using the command below:

python3 HW-154129-revertWorkaround.py

Workaround instructions for vRA 7.6

Use the HW-154129-applyWorkaround-vRA-76.py and HW-154129-revertWorkaround-vRA-76.py scripts. To apply or revert the vRA 7.6 workaround, run the commands below:

Apply: /usr/lib/health-broker/python/bin/python3 HW-154129-applyWorkaround-vRA-76.py
Revert: /usr/lib/health-broker/python/bin/python3 HW-154129-revertWorkaround-vRA-76.py

Workaround Deployment Validations:

After deploying the workaround, perform the step below to confirm it was applied successfully.

  • Verify that the Workspace ONE Access appliance configuration webpages running on port 8443 (https://{FQDN}:8443/cfg/) are blocked.
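The validation step above can be scripted across a fleet of appliances. The following is an added example written for this article, not VMware's own workaround or validation tooling; the mapping of HTTP status codes to verdicts is an assumption (a 2xx reply means the configuration page is still being served, a 401/403/404 or a refused connection is consistent with "blocked", anything else needs a manual look), and TLS verification is disabled only because the appliance typically presents a self-signed certificate.

```python
"""Check whether the VMSA-2022-0011 workaround left the Workspace ONE Access
configuration pages on port 8443 reachable. Added example, not VMware's script."""
import http.client
import ssl
import sys

# Path named in VMware's validation step: https://{FQDN}:8443/cfg/
CFG_PATH = "/cfg/"


def classify(status):
    """Map the HTTP status of GET /cfg/ to a verdict (assumed thresholds)."""
    if 200 <= status < 300:
        return ("exposed", f"HTTP {status}: configuration page still served")
    if status in (401, 403, 404):
        return ("blocked", f"HTTP {status}: configuration page not served")
    if 300 <= status < 400:
        return ("review", f"HTTP {status}: redirect, follow it manually")
    return ("review", f"HTTP {status}: unexpected response, check manually")


def check_cfg_page(fqdn, port=8443, timeout=5.0):
    """GET https://{fqdn}:{port}/cfg/ and classify the reply.
    TLS verification is disabled for this reachability check only, because
    the appliance usually presents a self-signed certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(fqdn, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", CFG_PATH, headers={"Host": fqdn})
        resp = conn.getresponse()
        return classify(resp.status)
    except OSError as exc:  # refused, timed out, TLS failure: nothing served
        return ("blocked", f"no HTTP reply: {exc.__class__.__name__}")
    finally:
        conn.close()


def check_many(fqdns):
    """Run the check across a list of appliances; returns {fqdn: (verdict, detail)}."""
    return {host: check_cfg_page(host) for host in fqdns}


if __name__ == "__main__":
    # Usage: python3 check_cfg.py vidm1.example.internal vidm2.example.internal
    for host, (verdict, detail) in check_many(sys.argv[1:]).items():
        print(f"{host}: {verdict} ({detail})")
```

Treat "exposed" as the workaround not being in place and "review" as a prompt to inspect the response by hand; a refused connection is reported as "blocked" even though it may simply mean the host is down.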
