CVE-2022-22954 Detection: Critical Vulnerability Sets Grounds for RCE Attacks


Last week, VMware released an advisory urging users to patch eight vulnerabilities of various severity levels. Unpatched bugs enable the compromise of the following VMware products: VMware Workspace ONE Access, Identity Manager (vIDM), vRealize Automation (vRA), Cloud Foundation, and Suite Lifecycle Manager. The easiest prey on the hit list, with a CVSS score of 9.8, is a server-side template injection remote code execution vulnerability tracked as CVE-2022-22954.

Detect CVE-2022-22954

Adversaries may exploit CVE-2022-22954 to perform Freemarker server-side template injection against VMware Workspace ONE Access. Use the Sigma rule below, developed by the talented members of the SOC Prime Team, to track any relevant suspicious activity in your system in a timely manner:

Possible VMWare CVE-2022-22954 Exploitation Attempt (via webserver)

This detection is available for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Securonix, Apache Kafka ksqlDB, Carbon Black, Open Distro, and AWS OpenSearch.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the primary technique.

Follow the updates of detection content related to CVE-2022-22954 in the Threat Detection Marketplace repository of the SOC Prime Platform here.
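To illustrate what a webserver-log detection for Freemarker template injection can look like, here is an added Python example; it is not SOC Prime's Sigma rule and not code from the original article. The combined log format, the marker patterns, and the placeholder paths and values in the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed log layout: Apache/nginx combined format; only the request line is used.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"')

# Assumed heuristics: FreeMarker syntax that has no business in a request URI.
MARKERS = {
    "interpolation": re.compile(r'[$#]\{[^}]*\}'),
    "directive": re.compile(r'<#\w+'),
    "new_builtin": re.compile(r'\?\s*new\s*\(', re.I),
    "utility_class": re.compile(r'freemarker\.template\.utility\.', re.I),
}

def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding (%2524 -> %24 -> $), bounded to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def freemarker_markers(log_line):
    """Return the sorted marker names found in the request URI of one log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    uri = decode_fully(match.group(1))
    return sorted(name for name, rx in MARKERS.items() if rx.search(uri))

def scan(lines):
    """Return (line_number, markers) for every line with at least one marker."""
    results = ((n, freemarker_markers(line)) for n, line in enumerate(lines, start=1))
    return [(n, found) for n, found in results if found]

# Constructed sample lines (documentation IPs, placeholder paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2022:10:00:01 +0000] "GET /placeholder/login?user=alice HTTP/1.1" 200 512',
    '192.0.2.44 - - [12/Apr/2022:10:00:07 +0000] "GET /placeholder/verify?id=%24%7BPLACEHOLDER%7D HTTP/1.1" 400 87',
    '192.0.2.44 - - [12/Apr/2022:10:00:09 +0000] "GET /placeholder/verify?id=%2524%257B%2522freemarker.template.utility.PLACEHOLDER%2522%253Fnew()%257D HTTP/1.1" 400 87',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(number, found)
```

Decoding before matching matters here: the third sample line is double URL-encoded and would slip past a pattern applied to the raw log text.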

Are you an experienced threat detection content developer? Tap into the power of the world’s largest cyber defense community powered by the Threat Bounty Program, share your detection content, and earn recurring rewards for your valuable input.


CVE-2022-22954 Analysis

The critical remote code execution vulnerability, tracked as CVE-2022-22954, resides in VMware Workspace ONE Access and Identity Manager. The bug is not unprecedented: in late September 2022, CVE-2021-22005 enabled adversaries to strike vulnerable systems with RCE attacks, achieving root privileges and reaching the vCenter Server over the network. The novel RCE flaw enables adversaries with network access to trigger a server-side template injection that can lead to remote code execution. For more exploit details, see CVE-2022-22954 PoC.

VMware patches, released on April 6, 2022, address a number of security issues in VMware products of various levels of severity, including five critical ones. For successful CVE-2022-22954 mitigation, all users of the affected VMware products are strongly advised to apply the latest patches or look into available workarounds without any further delay.

Join SOC Prime’s Detection as Code platform to streamline your hunting capabilities and unlock access to the world’s largest live pool of detection content created by the industry leaders. Enthusiastic about contributing to the worldwide cybercommunity by enriching the Detection as Code platform with your own detection content? Join our Threat Bounty Program for a safer future!
