CVE-2022-22964
📋 TL;DR
CVE-2022-22964 is a local privilege escalation vulnerability in VMware Horizon Agent for Linux that allows authenticated local users to gain root privileges due to an insecure configuration file. This affects organizations using VMware Horizon virtual desktop infrastructure with Linux-based endpoints. Attackers with initial access to a Linux Horizon client can exploit this to achieve full system control.
💻 Affected Systems
- VMware Horizon Agent for Linux
📦 What is this software?
Horizon by VMware
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local user access can gain full root privileges on the Linux system, potentially compromising the entire virtual desktop infrastructure, accessing sensitive data, and moving laterally to other systems.
Likely Case
Malicious insiders or attackers who have gained initial foothold on a Linux Horizon client can escalate to root, install persistence mechanisms, and access other user sessions within the Horizon environment.
If Mitigated
With proper patch management and least privilege principles, impact is limited to isolated client systems without lateral movement capabilities.
🎯 Exploit Status
Exploitation requires local user access on the Linux system. The vulnerability is in configuration file permissions that allow local users to modify files that run with root privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VMware Horizon Agent for Linux 22.x or later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0012.html
Restart Required: Yes
Instructions:
1. Download VMware Horizon Agent for Linux version 22.x or later from VMware portal.
2. Stop Horizon services.
3. Install the updated agent package.
4. Restart the system.
5. Verify the installation.
🔧 Temporary Workarounds
Secure configuration file permissions
Manually adjust permissions on vulnerable configuration files to prevent unauthorized modification
chmod 644 /path/to/vulnerable/config/file
chown root:root /path/to/vulnerable/config/file
Remove unnecessary local users
Reduce attack surface by removing non-essential local user accounts
userdel username
groupdel groupname
🧯 If You Can't Patch
- Implement strict access controls to limit who can log into Linux Horizon clients
- Monitor for privilege escalation attempts and file permission changes on Horizon Linux systems
🔍 How to Verify
Check if Vulnerable:
Check VMware Horizon Agent version: 'vmware-horizon-agent --version' or check installed package version. If version is below 22.x, system is vulnerable.
Check Version:
vmware-horizon-agent --version
Verify Fix Applied:
Verify installed version is 22.x or later: 'vmware-horizon-agent --version' should show 22.x+. Check configuration file permissions: 'ls -la /etc/vmware/viewagent-custom.conf' should show root ownership and 644 permissions.
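The ownership and permission check above, extended to a whole directory, as an added example (not VMware's or this page's own code). It assumes the agent configuration lives under /etc/vmware, the directory named above; the function names are hypothetical, and it also flags writable directories, since a writable parent directory lets a user replace a file inside it.

```shell
#!/bin/sh
# Added example: audit a configuration directory against the
# "root-owned, mode 644" baseline described in the verification step.
# Assumption: /etc/vmware is the directory to audit (taken from this page).
# Usage after sourcing this file:  audit_conf_perms /etc/vmware

# list_unsafe DIR [OWNER]
# Prints every regular file or directory under DIR that is not owned by
# OWNER (default: root) or that is writable by group or others.
list_unsafe() {
    find "$1" \( -type f -o -type d \) \
        \( ! -user "${2:-root}" -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null
}

# audit_conf_perms DIR [OWNER]
# Returns 0 if nothing unsafe was found, 1 if at least one entry was
# flagged (the entries are printed), 2 if DIR does not exist.
audit_conf_perms() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 2; }
    unsafe=$(list_unsafe "$1" "${2:-root}")
    [ -z "$unsafe" ] && return 0
    printf 'not owned by %s, or group/world-writable:\n%s\n' \
        "${2:-root}" "$unsafe"
    return 1
}
```

A non-zero result on a patched host means the permissions should be corrected as in the workaround above before the system is treated as remediated.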
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events in system logs
- Modifications to VMware Horizon configuration files by non-root users
- Failed sudo/su attempts followed by successful privilege gain
Network Indicators:
- Unusual outbound connections from Horizon Linux clients
- Lateral movement attempts from Horizon clients to other systems
SIEM Query:
source="linux_system_logs" AND (event="privilege_escalation" OR event="file_modification" AND file_path="/etc/vmware/*")