External risk intelligence

VMware Access and Automation Privilege Escalation

CVE advisory | Known Exploit

CVE-2022-22960

VMware products are affected by a privilege escalation vulnerability due to improper permissions in support scripts. This impacts organizations by allowing an attacker with local access to gain root privileges, potentially leading to unauthorized access to sensitive data and business disruption. This internal threat re

1 Halo Surface Signal

Privilege Escalation

VMware Cloud Foundation

  • 3.0 to before 5.0
  • 3.3.3
  • 3.3.4
  • 3.3.5
  • 3.3.6
  • 7.6
  • 8.0 to before 9.0
  • 20.10.0.0
  • 20.10.0.1
  • 21.08.0.0
  • 21.08.0.1

External exposure likelihood

Halo Surface Signal score for CVE-2022-22960

The vulnerability is a privilege escalation issue occurring within local support scripts. It requires prior local access to the system to exploit, meaning it is not a network-reachable or internet-facing service.

Horizon Alert

Summary of the vulnerability and why it matters

VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a vulnerability related to improper permissions in support scripts. This flaw can allow a malicious actor with local access to escalate their privileges to the highest level on the affected system. Such an escalation could lead to significant business risk if sensitive data or critical system functions are compromised.

  • Vulnerable VMware products.
  • Local privilege escalation flaw.
  • Potential for unauthorized access.

Attack Path

How an attacker could exploit the issue

This vulnerability affects VMware products, allowing for privilege escalation. An attacker with existing local access to a system can exploit improper permissions in support scripts. This enables the attacker to gain root-level privileges, significantly increasing their control over the affected system and potentially impacting business operations and data security.

  • Local access to the system is required.
  • Attacker uses improper script permissions.
  • Attacker escalates privileges to root.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability exists in VMware products that allows a malicious actor with local access to escalate their privileges to administrative control. This could enable an attacker to gain significant control over affected systems. The vulnerability is categorized as high severity and is considered an internal threat, requiring an attacker to already have a foothold within the organization's network.

  • Likely attacker skill: Moderate.
  • Required access: Local system access.
  • Business risk: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts VMware products, including Workspace ONE Access, Identity Manager, and vRealize Automation. An attacker with local access could escalate privileges to gain root access, posing a significant risk to organizational data and systems. The issue stems from improper permissions within support scripts.

  • Identify affected VMware assets.
  • Isolate affected systems or reduce access.
  • Apply vendor updates and verify.
  • Monitor for related activity.
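
A check that supports the identify and verify steps above, added here as an example and not taken from VMware or from this advisory: it walks a directory of scripts and reports every file or directory that a user other than the trusted owner could modify. The advisory does not name the affected scripts, so the directory, the file names in the constructed sample, and the assumption that the scripts run as root (uid 0) are illustrative.

```python
import os
import stat
import tempfile


def findings_for(path, trusted_uid):
    """List the ways a user other than trusted_uid could modify path."""
    try:
        st = os.stat(path)  # follows symlinks: the target is what gets executed
    except OSError as exc:
        return [f"cannot stat ({exc.strerror})"]
    found = []
    if st.st_uid != trusted_uid:
        found.append(f"owner uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP:
        found.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        found.append("world-writable")
    return found


def audit_tree(root, trusted_uid=0):
    """Map relative path -> findings for every directory and file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        # Directories count too: write access to a directory lets a user
        # replace a script inside it even when the script itself is 0755.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            found = findings_for(path, trusted_uid)
            if found:
                report[os.path.relpath(path, root)] = found
    return report


def build_sample():
    """Constructed sample tree; the file names are made up for this example."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "hooks"))
    layout = {"collect.sh": 0o755, "rotate.sh": 0o775, "diag.sh": 0o757,
              "hooks": 0o777, os.path.join("hooks", "run.sh"): 0o755}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        if not os.path.isdir(full):
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    # Sample files belong to the current user, so that uid is trusted here;
    # on a real system keep the default of 0 (root).
    for rel, found in sorted(audit_tree(build_sample(), os.getuid()).items()):
        print(f"{rel}: {', '.join(found)}")
```

Running the same audit before and after applying the vendor update shows whether the permissions actually changed.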

Frequently asked questions

What are VMware Workspace ONE Access and vRealize Automation and why are they relevant to security?

VMware Workspace ONE Access, Identity Manager, and vRealize Automation are software solutions that manage digital workspaces and cloud automation. Their relevance to security lies in a privilege escalation vulnerability within their support scripts, which could allow unauthorized users to gain root-level access to affected systems.

What is the specific weakness in CVE-2022-22960 and how is it classified?

The weakness in CVE-2022-22960 is improper permissions in support scripts. This vulnerability is classified as a privilege escalation flaw (CWE-732), meaning an attacker with local access can elevate their permissions to 'root'.

What are the conditions required for an attacker to exploit this privilege escalation vulnerability?

An attacker needs existing local access to the affected VMware system to exploit this vulnerability. They then leverage improper permissions within support scripts to escalate their privileges to the highest level.

How does the Halo Surface Signal assess the risk of CVE-2022-22960?

Halo Surface Signal assesses the risk of CVE-2022-22960 as 'Very unlikely' to be exploited remotely. This is because the vulnerability is a privilege escalation issue that occurs within local support scripts, requiring prior local access to the system.

What steps should be taken to address the CVE-2022-22960 vulnerability in VMware products?

To address this vulnerability, organizations should identify all affected VMware assets, including Workspace ONE Access, Identity Manager, and vRealize Automation. It is recommended to isolate affected systems if possible or restrict access, and then apply vendor-provided updates and patches. Post-remediation, continuous monitoring for suspicious activity is advised.
