<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workspace ONE Access - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/workspace-one-access/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 18:23:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/workspace-one-access/feed.xml" rel="self" type="application/rss+xml"/><item><title>VMware Server-Side Template Injection Attempt (CVE-2022-22954)</title><link>https://feed.craftedsignal.io/briefs/2024-01-vmware-ssti/</link><pubDate>Wed, 03 Jan 2024 18:23:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-vmware-ssti/</guid><description>An attacker attempts to exploit CVE-2022-22954, a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager, by sending a crafted HTTP GET request containing malicious parameters to achieve remote code execution.</description><content:encoded><![CDATA[<p>This threat brief addresses potential exploitation attempts targeting CVE-2022-22954, a server-side template injection vulnerability affecting VMware Workspace ONE Access (Access) and Identity Manager (vIDM). This vulnerability allows a remote attacker to execute arbitrary code on the server. The attack is initiated through malicious HTTP GET requests containing specific parameters designed to exploit the template injection flaw. This activity is significant because successful exploitation can lead to complete system compromise, unauthorized access, and the execution of arbitrary commands, making it critical for defenders to identify and mitigate these attempts. The vulnerability was disclosed in early 2022, and proof-of-concept exploits are publicly available, increasing the risk of widespread exploitation attempts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable VMware Access or vIDM instance.</li>
<li>The attacker crafts a malicious HTTP GET request targeting a specific endpoint (potentially involving <code>deviceudid</code>).</li>
<li>The malicious GET request includes payload strings such as <code>freemarker.template.utility.ObjectConstructor</code> or <code>java.lang.ProcessBuilder</code> within the URL to trigger template injection.</li>
<li>The vulnerable application processes the crafted request without proper sanitization, interpreting the payload as a template instruction.</li>
<li>The template engine executes the injected code, allowing the attacker to execute arbitrary commands on the server.</li>
<li>The attacker leverages the initial code execution to establish persistence, potentially by writing a backdoor to disk.</li>
<li>The attacker escalates privileges to gain root or SYSTEM access.</li>
<li>The attacker moves laterally within the network, compromising other systems and exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2022-22954 can lead to complete compromise of the affected VMware Access or vIDM server. This includes unauthorized access to sensitive data, the ability to execute arbitrary commands, and the potential for lateral movement within the network. Organizations using vulnerable versions of VMware products are at risk of data breaches, service disruption, and reputational damage. Public exploits have been developed, increasing the likelihood of widespread attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect VMware CVE-2022-22954 Exploitation Attempts</code> to your SIEM to identify malicious HTTP GET requests (logsource: webserver, product: linux).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on systems accessing the affected VMware instances.</li>
<li>Apply the official VMware patch for CVE-2022-22954 immediately to remediate the vulnerability (reference: <a href="https://www.vmware.com/security/advisories/VMSA-2022-0011.html)">https://www.vmware.com/security/advisories/VMSA-2022-0011.html)</a>.</li>
<li>Monitor web server logs for unusual URL patterns containing <code>deviceudid</code> in combination with Java-related keywords, even if the Sigma rule does not trigger (logsource: webserver, product: linux).</li>
<li>Implement network segmentation to limit the impact of a successful compromise.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vmware</category><category>ssti</category><category>cve-2022-22954</category><category>template-injection</category></item></channel></rss>