On April 6, 2022, VMware published a security advisory mentioning eight vulnerabilities, including CVE-2022-22954 and CVE-2022-22960 impacting their products VMware Workspace ONE Access, Identity Manager and vRealize Automation. On April 13, they updated their advisory with information that CVE-2022-22954 is being exploited in the wild.
Multiple writeups detailing exploitation scenarios for the aforementioned two vulnerabilities were published in the last week of April, finally followed by a CISA Alert on May 18. The CISA Alert also calls out CVE-2022-22972 and CVE-2022-22973 – published on the same day and affecting the same products – as being highly likely to be exploited.
Unit 42 has observed numerous instances of CVE-2022-22954 being exploited in the wild. In this blog post, we share context around this observed activity, along with how the Palo Alto Networks product suite can be leveraged to protect against it.
Vulnerabilities Discussed: CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973
Table of Contents
- Timeline for VMware Vulnerabilities
- CVE-2022-22954 in the Wild
- Mirai/Gafgyt Dropper Scripts or Variants
- SSH Key Targeting
- CVE-2022-22960 in the Wild
- Indicators of Compromise
- April 6, 2022: Publication of VMware advisory VMSA-2022-0011 regarding CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 and CVE-2022-22961.
- April 13, 2022: VMware advisory updated with knowledge of active exploitation of CVE-2022-22954 in the wild.
As of this writing, no proofs of concept for exploitation of CVE-2022-22972 or CVE-2022-22973 are known. This post will be updated with new findings as they are discovered.
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
The list below details the exploits Unit 42 observed targeting this vulnerability that we deemed worth highlighting.
Of the injected commands we observed that attempted to download further payloads to a vulnerable machine, those worth mentioning fall into the following broad categories:
- Mirai/Gafgyt dropper scripts or variants
- Perl Shellbot
We observed several instances of CVE-2022-22954 being exploited to drop variants of the Mirai malware. In most cases, the exploit was only used to drop the payload; the payloads themselves did not contain CVE-2022-22954 exploits for further propagation. Instead, they were either non-specific Mirai variants or contained previously known exploits such as CVE-2017-17215.
The exception to this is Enemybot, a currently prevalent botnet built with bits of code from both Gafgyt and Mirai source code. The exploits involving Enemybot eventually download Enemybot samples that themselves embed CVE-2022-22954 exploits for further exploitation and propagation.
We observed the vulnerability exploited to download webshells, including:
- A basic implementation that read a GET parameter value, Base64-decoded it, and used a ClassLoader to load the result.
- The Godzilla Webshell that has also been used in previous campaigns exploiting other vulnerabilities.
Certain injected commands result in the download of obfuscated Perl scripts. Deobfuscating these scripts reveals they are versions of the known bot family “Stealth Shellbot” that reaches out to an IRC server to listen for commands to perform. It has the ability to further make HTTP requests based on commands received. This would mean infected machines could then be directed to further perform scanning and exploitation activity, in addition to directly executing shell commands received from the command and control (C2) server on the target machine.
A complete list of indicators of compromise (IoCs) can be found at the end of this post.
This last command downloads a shell script that ultimately downloads and executes an XMRig coinminer.
We also observed some instances of injected payloads that were either trying to read authorized keys on vulnerable machines or were writing into the authorized_keys file to add to the machine’s list of accepted keys. Following is an example of such an attempt.
CVE-2022-22960 is a privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation instances, due to improper permissions in support scripts. The vulnerability can be leveraged to run commands as a root user on a vulnerable instance.
More specifically, this flaw exists since the default user for these VMware products, horizon, has access to several sudo commands, some of which involve paths that can be overwritten as well.
Attackers can, therefore, leverage CVE-2022-22954 to remotely execute commands to overwrite specific paths. If successful, CVE-2022-22960 can then be leveraged to execute these overwritten paths with root permissions using the sudo command.
Our research so far has shown one publicly known sample demonstrating exploitation of CVE-2022-22960 by overwriting the /usr/local/horizon/scripts/publishCaCert.hzn file.
The content of this exploit file can be observed below.
Another proof-of-concept code sample is additionally available targeting the following two file paths:
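One way to audit a host for the condition behind CVE-2022-22960 as described above (sudo-permitted commands whose files the invoking user can modify), as an added example that is not code from the post or from VMware. The sudoers grammar it accepts is a simplified assumption, and the sudoers fragment, script names and uid/gid 1001 are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Simplified sudoers rule "<user> ALL=(ALL) [NOPASSWD:] <cmd>[, <cmd> ...]" (assumed, not full grammar)
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+ALL=\(\w+\)\s+(?:NOPASSWD:\s*)?(?P<cmds>.+)$")

def parse_sudo_commands(sudoers_text, user):
    """Command paths sudo lets `user` run; comments, Defaults and other users are skipped."""
    cmds = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDO_RULE.match(line)
        if m and m.group("user") == user:
            # keep only the program path, dropping any arguments listed in the rule
            cmds.extend(e.strip().split()[0] for e in m.group("cmds").split(","))
    return cmds

def writable_by(path, uid, gids):
    """True if a process with this uid/gids could modify `path` (or plant it when missing)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return writable_by(os.path.dirname(path) or ".", uid, gids)  # creatable via the directory
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def find_overwritable_sudo_targets(sudoers_text, user, uid, gids):
    """The escalation condition: sudo-allowed commands whose file the user can rewrite."""
    return [c for c in parse_sudo_commands(sudoers_text, user) if writable_by(c, uid, gids)]

def demo():
    """Constructed sample: two sudo targets in a temp dir, script_b world-writable."""
    d = tempfile.mkdtemp()
    safe, weak = os.path.join(d, "script_a.hzn"), os.path.join(d, "script_b.hzn")
    # 0o555 for the safe one so the verdict does not depend on which uid runs this demo
    for path, mode in ((safe, 0o555), (weak, 0o777)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    sudoers = ("# constructed fragment, not VMware's real configuration\nDefaults env_reset\n"
               f"horizon ALL=(ALL) NOPASSWD: {safe}, {weak} --force\n")
    # uid/gid 1001 are a constructed stand-in for the service account
    return find_overwritable_sudo_targets(sudoers, "horizon", uid=1001, gids={1001})
```

Running `demo()` returns only the world-writable target; on a real appliance you would feed it the actual sudoers content and the service account's uid and group ids.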
Palo Alto Networks is still actively investigating a number of the aforementioned vulnerabilities, many of which do not have publicly available exploit code. Presently, customers may leverage the following to block or detect the threats communicated throughout this publication:
Palo Alto Networks Next Generation Firewall Threat Prevention blocks CVE-2022-22954 exploits with Signature 92483.
Cortex Xpanse was able to identify ~800 instances of VMware Workspace ONE Access connected to the public internet, and can be leveraged to enumerate potentially vulnerable instances within customer networks.
Additionally, all encountered URLs have been flagged as malware within PAN-DB, the Advanced URL Filtering URL database.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America Toll-Free: 866.486.4842 (866.4.UNIT42)
- EMEA: +31.20.299.3130
- APAC: +65.6983.8730
- Japan: +81.50.1790.0200
As further information or detections are put into place, Palo Alto Networks will update this publication accordingly.
Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Mirai/Gafgyt dropper scripts or variants
Webshell downloads (full injected command)
Direct download exploits where payloads were no longer live at the time of analysis:
- C2 server: 5[.]39.217.212:80, channel: #vcenter getsome
- C2 server: 64[.]32.6.143:80, channel: #redis getsome
- C2 server: 5[.]39.217.212:80, channel: #D getsome
Updated May 23, 2022, at 1 p.m. PT.