Remote Code Execution in VMware

The cybersecurity researchers at Morphisec have discovered recently a critical RCE vulnerability in VMware Workspace ONE Access that is being actively exploited by advanced hackers, and this critical flaw has been tracked as “CVE-2022-22954.”

In conjunction with two other known RCEs, CVE-2022-22957 and CVE-2022-22958, the problem was addressed in a security update 20 days ago.

The above two RCEs also affect the following VMware products:-

  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

There were short ago several proofs of concept (POC) exploit codes that were publicly available shortly after the flaws were publicly disclosed. 

There has been an increasing trend over the last few years of hackers exploiting vulnerabilities in VMware’s products. There have been wild exploits of CVE-2022-22954 confirmed by VMware.

Attack Chain

By exploiting CVE-2022-22954, the attackers are able to access the network environment initially. Among the three RCEs, the first does not require administrative access to the target server and the latter has a public demonstration exploit as well.

The attack begins by launching a stager with a PowerShell command on the vulnerable service (Identity Manager). After that, a highly obfuscated PowerTrash loader is downloaded from the C2 server and a Core Impact agent is loaded into memory.

During the analysis, the experts at Morphisec have managed to retrieve the following things and elements:-

  • Stager server’s C2 address
  • The Core Impact client version
  • The 256-bit encryption key used for C2 communication

One of the companies listed in the database is allegedly an internet hosting company that supports illegal websites used as bait in spam and phishing campaigns.

Although it is still unclear whether Neculiti or any of the associated companies have been directly or indirectly involved in cyber-crime campaigns, knowingly or unknowingly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.