CVE-2022-22960
📋 TL;DR
This vulnerability allows a malicious actor with local access to VMware Workspace ONE Access, Identity Manager, or vRealize Automation systems to escalate privileges to root due to improper permissions in support scripts. Organizations using affected versions of these VMware products are at risk of complete system compromise.
💻 Affected Systems
- VMware Workspace ONE Access
- VMware Identity Manager
- VMware vRealize Automation
📦 What is this software?
vRealize Suite Lifecycle Manager by VMware
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with root access, enabling installation of persistent backdoors, data exfiltration, and lateral movement across the network.
Likely Case
Privilege escalation to root by an attacker with initial access, leading to credential harvesting, configuration changes, and further exploitation.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place to detect and contain local privilege escalation attempts.
🎯 Exploit Status
Exploitation requires local access; multiple public exploit scripts and technical details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to VMware advisory VMSA-2022-0011 for specific patched versions
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
Restart Required: Yes
Instructions:
1. Review VMware advisory VMSA-2022-0011.
2. Identify affected products and versions.
3. Apply the appropriate patches from VMware.
4. Restart affected services/systems as required.
🔧 Temporary Workarounds
Remove unnecessary local access
Restrict local access to affected systems to only authorized administrators
Review and tighten local user accounts and SSH access
Review and secure support scripts
Audit and modify permissions on support scripts to prevent unauthorized execution:

```
chmod 750 /path/to/support/scripts
chown root:root /path/to/support/scripts
```
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems
- Enforce least privilege access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if running affected VMware product versions listed in VMSA-2022-0011
Check Version:
Check product-specific version commands (e.g., for vRealize Automation: vracli version)
Verify Fix Applied:
Verify patch installation and check that support script permissions are properly restricted
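The following is an added example, not part of this advisory or any VMware tooling: a small audit that checks every file under a support-scripts directory against the hardened state described in the workaround (owned by root:root, mode 0750 or stricter, no setuid/setgid). The directory path and the fixture files are constructed for the demo; the real location on an appliance must be taken from the vendor advisory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hardened target from the workaround: chown root:root, chmod 750.
# Any bit outside this set, or a non-root owner, is reported.
ROOT_UID = 0
ROOT_GID = 0


def mode_findings(mode: int, uid: int, gid: int,
                  want_uid: int = ROOT_UID, want_gid: int = ROOT_GID) -> list[str]:
    """Describe how one file's mode/ownership deviates from root:root 0750."""
    findings = []
    perm = stat.S_IMODE(mode)
    if uid != want_uid:
        findings.append(f"owner uid {uid} is not root")
    if gid != want_gid:
        findings.append(f"group gid {gid} is not root")
    if perm & stat.S_IWGRP:
        findings.append("group-writable")
    if perm & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"accessible by others (mode {perm:04o})")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    return findings


def audit_support_scripts(root: str, want_uid: int = ROOT_UID,
                          want_gid: int = ROOT_GID) -> dict[str, list[str]]:
    """Walk a scripts directory (including the directory itself) and report deviations."""
    rootp = Path(root)
    report = {}
    for path in [rootp, *rootp.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):  # symlink modes are meaningless; audit the target separately
            continue
        found = mode_findings(st.st_mode, st.st_uid, st.st_gid, want_uid, want_gid)
        if found:
            report[str(path.relative_to(rootp)) or "."] = found
    return report


def demo() -> dict[str, list[str]]:
    """Constructed fixture: one hardened script and one loose script in a temp dir.
    Files are owned by the current user (a demo cannot chown), so the expected
    owner is ours; on a real appliance the defaults (root:root) apply."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "scripts"
        d.mkdir()
        os.chmod(d, 0o750)
        (d / "collect_logs.sh").write_text("#!/bin/sh\necho collecting\n")
        os.chmod(d / "collect_logs.sh", 0o750)           # matches the workaround
        (d / "run_support.sh").write_text("#!/bin/sh\necho support\n")
        os.chmod(d / "run_support.sh", 0o775)            # group-writable, world r-x
        return audit_support_scripts(str(d), os.getuid(), os.getgid())
```

Run `audit_support_scripts("/path/to/support/scripts")` as root on the appliance after patching; an empty dict means every file already matches the hardened state.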
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Execution of support scripts by non-root users
- Changes to system permissions
Network Indicators:
- Unusual outbound connections from affected systems post-exploitation
SIEM Query:
source="vmware_logs" AND (event_type="privilege_escalation" OR process_name="support_script")
🔗 References
- http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171935/VMware-Workspace-ONE-Access-Privilege-Escalation.html
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22960