Advanced threat actors are currently exploiting a critical remote code execution (RCE) vulnerability due to a server-side template injection, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager. The vulnerability was addressed on April 6, 2022, and a patch was issued, however, by April 13, 2022, a proof of concept (PoC) exploit code was published – allowing attackers to target vulnerable systems. The vulnerability has been given a CVSSv3 score of 9.8.
VMware is cloud computing and virtualization platform used by 500,000 organizations and their Workspace ONE Access software provides multi-factor authentication and single-sign-on to SaaS, as well as mobile apps.
An Iranian cyber espionage group named Rocket Kitten has already begun to exploit CVE-2022-22954. According to VMware, attackers can bypass the authentication mechanism in VMware Workspace ONE Access and Identity Manager and execute any operation due to exposed endpoints in the authentication framework. Before reports regarding Rocket Kitten were published, the researchers at Morphisec Labs believed that the threat actors exploiting the vulnerability were APTs due to indicators of a sophisticated Core Impact backdoor. The tactics and techniques they discovered are common amongst APTs like Rocket Kitten.
According to Morphisec Labs, CVE-2022-22954 is a server-side template injection and it affects an Apache Tomcat component, which allows for malicious commands to be executed on the hosting server. Morphisec has also detected PowerShell commands executed as child processes to Tomcat “prunsr.exe” process application. If an attacker is successful and gains access, they can achieve full remote code execution against VMware’s identity access management.
With this new vulnerability, attackers can deploy ransomware or coin miners for initial access, lateral movement, or privilege escalation. Threat actors were also observed launching reverse HTTPS, such as Metasploit and Cobalt Strike. If the attacker has privileged access, they can bypass defenses, including antivirus and endpoint detection and response.
Because many threat actors are exploiting CVE-2022-22954 and they don’t need administrative access to do so, it’s important to implement VMware’s patch. The company has also issued workarounds for the vulnerability which you can find below. Patching is one of the best ways to prevent threat actors from compromising your organization. Don’t wait until your organization is breached to take action.
HW-154129 - Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098)