Security flaws in VMware products that can be leveraged in exploit chain attacks have been in the limelight in the cyber threat arena since May 2022, when CISA issued an alert warning of known remote code execution (RCE) and privilege escalation vulnerabilities. On August 9, 2022, VMware patched another set of vulnerabilities that can be chained into a pre-authenticated RCE exploit against VMware vRealize Operations Manager Suite (vROps). VMware also issued the related advisory, tracked as VMSA-2022-0022, covering the details of these security flaws. The vulnerabilities in VMSA-2022-0022 that make up the exploit chain are the MainPortalFilter UI authentication bypass (CVE-2022-31675), the SupportLogAction information disclosure (CVE-2022-31674), and the generateSupportBundle VCOPS_BASE privilege escalation (CVE-2022-31672). Taken on its own, each flaw carries only a moderate severity rating; chained together, however, they grant an unauthenticated attacker the ability to execute malicious code as root on affected instances.
Vulnerabilities uncovered in popular products used by thousands of organizations worldwide pose a severe threat when chained together. SOC Prime's Detection as Code platform curates a Sigma rule to detect exploitation of the privilege escalation vulnerability tracked as CVE-2022-31672, which is used in the second part of the RCE exploit chain covered in VMware's VMSA-2022-0022 advisory. Cybersecurity practitioners can follow the link below to access the dedicated detection algorithm crafted by the SOC Prime Team content developers:
Possible VMWare vRealize Privilege Escalation Patterns [CVE-2022-31672] (via cmdline)
This Sigma rule can be applied across 19 SIEM, EDR, and XDR technologies, including industry-leading cloud-native and on-prem solutions. To improve threat visibility, the detection is aligned with the MITRE ATT&CK® framework, addressing the Execution and Defense Evasion tactics with the corresponding Command and Scripting Interpreter (T1059) and Hijack Execution Flow (T1574) techniques. Cybersecurity practitioners can also apply this Sigma rule to instantly hunt for threats related to the exploit chain affecting VMware products with SOC Prime's Quick Hunt module.
To detect current and emerging threats affecting popular VMware products, cybersecurity practitioners are welcome to take advantage of the entire list of dedicated Sigma rules available in SOC Prime's platform. Click the Detect & Hunt button below to access this broad collection of relevant high-fidelity alerts and verified hunting queries and stay ahead of attackers. Looking for deep-dive cyber threat context right at hand? Browse SOC Prime for VMware-related threats and instantly drill down to comprehensive contextual information with MITRE ATT&CK links, CTI references, and a list of relevant Sigma rules.
On August 9, 2022, VMware issued advisory VMSA-2022-0022 covering a set of vulnerabilities found in its vRealize Operations Manager Suite (vROps) affecting product version 8.6.3. The disclosed security flaws include the privilege escalation vulnerability tracked as CVE-2022-31672, the information disclosure vulnerabilities CVE-2022-31673 and CVE-2022-31674, and the authentication bypass vulnerability CVE-2022-31675. VMware has released patches to remediate these vulnerabilities in the impacted products, and organizations are recommended to upgrade to the fixed vROps version 8.6.4 to mitigate the threat.
Notably, each of the uncovered vulnerabilities can be considered moderate in terms of severity and impact based on its CVSS score (ranging from 5.6 to 7.2) if exploited on its own; chained together, however, their impact is far more destructive. Security researcher Steven Seeley of the Qihoo 360 Vulnerability Research Institute, who reported the issues to VMware, released a PoC exploit on GitHub called "DashOverride" that chains three of the patched vulnerabilities (CVE-2022-31675, CVE-2022-31674, and CVE-2022-31672). According to the accompanying research on the Source Incite blog, these flaws combine into a pre-authenticated remote root exploit chain, which may expose thousands of organizations to severe risk.
The exploit chain starts with CVE-2022-31675, which allows an attacker who supplies a valid dashboard link id to bypass authentication. The same flaw can also be abused indirectly: if a third party with admin privileges is lured to a malicious website, the application can be backdoored with an admin-level user. The information disclosure vulnerability CVE-2022-31674 comes next in the chain: the Pak manager writes sensitive passwords into log files, and an attacker who can read those logs recovers the credentials.
The second part of the exploit chain leverages the privilege escalation vulnerability CVE-2022-31672, which allows a low-privileged user to run the generateSupportBundle script as root. Because the script trusts the VCOPS_BASE environment variable, an attacker needs to set that variable to a location under their control before invoking the script; the root-level execution then follows the attacker's path instead of the legitimate installation.
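The command-line detection logic below is an added example, not the SOC Prime Sigma rule or any VMware code. It runs over constructed process-creation events and flags invocations of the generateSupportBundle script in which VCOPS_BASE is redirected outside the install tree, either through the captured process environment or inline on the command line. The event format (a dict with `user`, `cmdline` and `env`) and the legitimate install prefix `/usr/lib/vmware-vcops` are assumptions made for the example; the script and variable names come from the advisory as quoted above.

```python
"""
Added example: detect CVE-2022-31672-style VCOPS_BASE hijacking attempts from
process-creation records. Assumptions (not from the original page): events are
dicts with 'user', 'cmdline' and 'env' keys, and the legitimate vROps install
prefix is /usr/lib/vmware-vcops.
"""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed legitimate install prefix that VCOPS_BASE should point into.
EXPECTED_VCOPS_BASE = "/usr/lib/vmware-vcops"

# Script named in VMSA-2022-0022, with or without the .sh suffix, as a bare
# name or at the end of a path.
SCRIPT_RE = re.compile(r"(?:^|[\s/])generateSupportBundle(?:\.sh)?(?:\s|$)")
# Variable assigned inline on the command line, e.g. "VCOPS_BASE=/tmp/x sudo ...".
INLINE_ENV_RE = re.compile(r"(?:^|\s)VCOPS_BASE=(\S*)")
SUDO_RE = re.compile(r"(?:^|\s)sudo\s")

# ATT&CK mapping used by the page's Sigma rule.
ATTACK_TECHNIQUES = {
    "T1059": "Command and Scripting Interpreter",
    "T1574": "Hijack Execution Flow",
}


@dataclass
class Finding:
    user: str
    cmdline: str
    severity: str
    reasons: list = field(default_factory=list)
    techniques: tuple = tuple(ATTACK_TECHNIQUES)


def under_expected_prefix(path: str) -> bool:
    """True if the normalized path stays inside the install tree (defeats '..')."""
    norm = posixpath.normpath(path)
    return norm == EXPECTED_VCOPS_BASE or norm.startswith(EXPECTED_VCOPS_BASE + "/")


def check_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the support-bundle script runs with a hijacked VCOPS_BASE."""
    cmd = event["cmdline"]
    if not SCRIPT_RE.search(cmd):
        return None  # some other process; out of scope for this rule
    reasons = []
    m = INLINE_ENV_RE.search(cmd)
    if m and not under_expected_prefix(m.group(1)):
        reasons.append(f"VCOPS_BASE set inline to {m.group(1)!r}")
    base = event.get("env", {}).get("VCOPS_BASE")
    if base is not None and not under_expected_prefix(base):
        reasons.append(f"VCOPS_BASE in environment points to {base!r}")
    if not reasons:
        return None
    # A non-root account asking sudo to run the script is the escalation path.
    elevated = event["user"] != "root" and SUDO_RE.search(cmd) is not None
    return Finding(user=event["user"], cmdline=cmd,
                   severity="high" if elevated else "medium", reasons=reasons)


def scan(events) -> list:
    """Apply check_event to every record and collect the findings."""
    return [f for f in map(check_event, events) if f is not None]


# Constructed sample telemetry; not captured from a real system.
SAMPLE_EVENTS = [
    {"user": "root", "cmdline": "/usr/lib/vmware-vcops/tools/generateSupportBundle.sh",
     "env": {"VCOPS_BASE": "/usr/lib/vmware-vcops"}},              # benign
    {"user": "admin", "cmdline": "sudo /usr/lib/vmware-vcops/tools/generateSupportBundle.sh",
     "env": {"VCOPS_BASE": "/tmp/evil"}},                          # env hijack + sudo
    {"user": "admin", "cmdline": "VCOPS_BASE=/tmp/evil sudo generateSupportBundle.sh",
     "env": {}},                                                   # inline hijack + sudo
    {"user": "admin", "cmdline": "sudo generateSupportBundle.sh",
     "env": {"VCOPS_BASE": "/usr/lib/vmware-vcops/../../../tmp/evil"}},  # traversal
    {"user": "admin", "cmdline": "/bin/ls -la /tmp",
     "env": {"VCOPS_BASE": "/tmp/evil"}},                          # unrelated process
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity, f.user, f.cmdline, "; ".join(f.reasons), f.techniques)
```

The path normalization step matters: a simple string-prefix check would accept `/usr/lib/vmware-vcops/../../../tmp/evil`, which resolves outside the install tree. Benign runs by root with the stock prefix produce no finding, so the rule stays quiet on routine support-bundle generation.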
The growing number of exploit chains affecting popular products used by organizations across the globe poses a pressing challenge to cyber defenders. SOC Prime's Detection as Code platform enables cybersecurity practitioners to proactively detect exploitation attempts and mitigate threats of any scale and sophistication in a timely manner, harnessing the power of collaborative cyber defense. Threat Hunters and Detection Engineers striving for self-advancement can also join the Threat Bounty Program for crowdsourced content contribution to author high-quality detection algorithms, share them with industry peers, and monetize their skills on a recurring basis.