Hekate - exploit code released for VMware Workspace ONE

Overview

Cyber security researchers at Source Incite have released proof of concept (POC) exploit code for a pre-authenticated remote root exploitation chain called ‘Hekate’. The exploit takes advantage of the default configuration of VMware Workspace ONE, using techniques which include:

● Remote code execution (RCE) utilising the MySQL JDBC Driver autoDeserialize and PostgreSQL JDBC Driver socketFactory parameters.

● RCE by leveraging PostgreSQL JDBC driver and re-using the com.vmware.licensecheck.* classes to avoid any outbound network connections to the attacker.

According to the author, the exploit abuses the following vulnerabilities for zero-click and one-click RCE:

● CVE-2022-22956: An authentication bypass vulnerability within the OAuth2TokenResourceController ACS framework utilised by VMware Workspace ONE. Successful exploitation of this vulnerability would allow a threat actor to bypass authentication mechanisms and execute any operation on endpoints exposed within this authentication framework.

● CVE-2022-22957: VMware Workspace ONE contains an authenticated RCE vulnerability within DBConnectionCheckController dbCheck JDBC. A malicious actor with administrative privileges could trigger the deserialisation of untrusted data through a specifically crafted JDBC URI, which could result in RCE.

● CVE-2022-22959: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross-site request forgery (CSRF) vulnerability within the DBConnectionCheckController dbCheck component. To exploit this CSRF a malicious actor would need to coerce a user into unintentionally validating a malicious JDBC URI.

● CVE-2022-22960: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions being set on the support scripts publishCaCert and gatherConfig. Successful exploitation of this vulnerability would allow a malicious actor with local access to a system to escalate their privileges to root.

● CVE-2022-22961: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability within the BrandingResource getBranding Information Disclosure component, as they return excessive information when queried. Successfully exploiting this vulnerability would allow a malicious actor to leak the hostname of a target system.
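The RCE steps of the chain above hinge on a JDBC URI that carries the MySQL autoDeserialize or PostgreSQL socketFactory parameter. A defender can look for those parameters in web or application logs that record the submitted connection string. The following script is an added example written for this post; it is not code from Source Incite or VMware. The log lines are constructed, the request path /dbCheck is a placeholder (the page does not give the real endpoint), and the socketFactory class name is a made-up placeholder; only the parameter names come from the advisory text. Because the page notes the PostgreSQL variant reuses com.vmware.licensecheck.* classes and needs no outbound connection, log inspection of the URI itself is a more reliable signal than watching for egress traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from the page). Line 1 is a benign
# connectivity check; lines 2 and 3 carry the driver parameters the Hekate
# chain is reported to abuse, line 3 in percent-encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2022:10:01:02 +0000] "POST /dbCheck HTTP/1.1" 200 jdbcUrl=jdbc:postgresql://db.internal:5432/saas
10.0.0.9 - - [20/Apr/2022:10:03:11 +0000] "POST /dbCheck HTTP/1.1" 200 jdbcUrl=jdbc:mysql://10.0.0.9:3306/x?autoDeserialize=true
10.0.0.9 - - [20/Apr/2022:10:04:40 +0000] "POST /dbCheck HTTP/1.1" 500 jdbcUrl=jdbc%3Apostgresql%3A%2F%2F127.0.0.1%3A5432%2Fx%3FsocketFactory%3Dcom.vmware.licensecheck.EXAMPLE_CLASS
"""

# Driver parameters named in the advisory as the deserialisation triggers.
# Compared case-insensitively because JDBC drivers accept either spelling.
SUSPICIOUS_PARAMS = {"autodeserialize", "socketfactory"}

# A JDBC URI: "jdbc:<subprotocol>://" followed by everything up to whitespace or a quote.
JDBC_RE = re.compile(r"jdbc:[a-z]+://[^\s\"']+", re.IGNORECASE)


def suspicious_jdbc_params(text):
    """Return the set of suspicious driver parameter names found in any JDBC URI in text.

    The text is percent-decoded first so an encoded URI in a query string or
    POST body is inspected the same way as a plain one.
    """
    decoded = unquote(text)
    found = set()
    for match in JDBC_RE.finditer(decoded):
        uri = match.group(0)
        if "?" not in uri:
            continue  # no driver parameters at all
        query = uri.split("?", 1)[1]
        for pair in query.split("&"):
            name = pair.split("=", 1)[0].strip().lower()
            if name in SUSPICIOUS_PARAMS:
                found.add(name)
    return found


def scan_log(log_text):
    """Scan a log blob line by line; return (line number, source IP, params) per hit.

    The source IP is assumed to be the first whitespace-separated field, as in
    the combined log format used for the constructed sample.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        params = suspicious_jdbc_params(line)
        if params:
            src_ip = line.split()[0]
            hits.append((lineno, src_ip, sorted(params)))
    return hits


if __name__ == "__main__":
    for lineno, src_ip, params in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {src_ip} submitted JDBC URI with {', '.join(params)}")
```

A genuine administrative database check has no reason to set either parameter, so any hit is worth an incident ticket; correlate the source address with the OAuth2 bypass (CVE-2022-22956) by checking whether the same client ever authenticated normally.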

Impact

The attack chain utilised within the Hekate POC exploitation script targets VMware Workspace ONE solutions which are listening on port 443. This port may also be exposed to the internet by system administrators for administrative purposes. Utilising the Hekate exploit chain removes the need for authentication to achieve root-level access to affected systems; use of such a tool would result in the complete compromise of an affected appliance.

Vulnerability Detection

Any VMware appliance running one of the following versions should be treated as vulnerable:

● VMware Workspace ONE Access (Access) versions 20.10.x and 21.08.x

● VMware Identity Manager version 3.3.x

● VMware vRealize Automation versions 7.6 and 8.x

● VMware Cloud Foundation versions 3.x and 4.x

● vRealize Suite Lifecycle Manager version 8.x

Affected Products

● VMware Workspace ONE Access (Access) versions 20.10.x and 21.08.x

● VMware Identity Manager version 3.3.x

● VMware vRealize Automation versions 7.6 and 8.x

● VMware Cloud Foundation versions 3.x and 4.x

● vRealize Suite Lifecycle Manager version 8.x
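The version branches above are written with an "x" wildcard, so a checker only needs to match the stated prefix. The script below is an added example for this post, not tooling from VMware; it encodes the Affected Products list as given and reports whether a product/version pair falls within one of the listed branches. Because the page does not state which build numbers the KB88099 patch introduces, the check can only say that an appliance is on an affected branch, not whether the patch has been applied. Version components are compared numerically, so "21.8.0" and "21.08.0" are treated as the same branch.

```python
# Affected branches exactly as listed in the advisory; "x" matches any remaining components.
AFFECTED = {
    "VMware Workspace ONE Access": ["20.10.x", "21.08.x"],
    "VMware Identity Manager": ["3.3.x"],
    "VMware vRealize Automation": ["7.6", "8.x"],
    "VMware Cloud Foundation": ["3.x", "4.x"],
    "vRealize Suite Lifecycle Manager": ["8.x"],
}


def _component_equal(a, b):
    """Compare two version components numerically when both are integers, else as strings."""
    try:
        return int(a) == int(b)
    except ValueError:
        return a == b


def matches_pattern(version, pattern):
    """True if version lies on the branch described by pattern.

    Each pattern component must equal the corresponding version component,
    except that an "x" component matches whatever follows (including nothing).
    A pattern without "x", such as "7.6", is a prefix: "7.6.0" matches, "7.5" does not.
    """
    v_parts = version.strip().split(".")
    p_parts = pattern.strip().split(".")
    for i, p in enumerate(p_parts):
        if p.lower() == "x":
            return True
        if i >= len(v_parts) or not _component_equal(v_parts[i], p):
            return False
    return True


def is_affected(product, version):
    """Return True/False for a product in the advisory list, or None if the product is not listed.

    None is deliberately distinct from False: an unlisted product is unknown, not known-safe.
    """
    patterns = AFFECTED.get(product)
    if patterns is None:
        return None
    return any(matches_pattern(version, p) for p in patterns)


if __name__ == "__main__":
    # Constructed inventory entries for demonstration.
    inventory = [
        ("VMware Workspace ONE Access", "21.08.0.1"),
        ("VMware Workspace ONE Access", "22.09.1.0"),
        ("VMware vRealize Automation", "7.6"),
        ("VMware Identity Manager", "3.2.9"),
        ("Some Other Appliance", "1.0"),
    ]
    for product, version in inventory:
        verdict = is_affected(product, version)
        label = {True: "AFFECTED BRANCH", False: "not on an affected branch", None: "not in advisory"}[verdict]
        print(f"{product} {version}: {label}")
```

Feed the function from whatever asset inventory records appliance versions; anything on an affected branch should be checked for the KB88099 patch or the VMware workaround referenced below.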

Containment, Mitigations & Remediations

Apply the VMware patch KB88099. Where patching is not possible, VMware has released a workaround (see the VMware workaround guidance under Further Information below).

Indicators of Compromise

None provided.

Threat Landscape

VMware is the largest of the virtualisation platforms utilised by organisations to support on-premise server infrastructure. Any organisation running such an infrastructure is potentially vulnerable, more so if the infrastructure is exposed to the wider internet, for example where it supports multiple websites, Exchange servers, or other multi-server DMZ environments.

VMware has confirmed that active exploitation of CVE-2022-22954 & CVE-2022-22960 has been seen in the wild. It is expected that, as a result of the release of the Hekate exploitation POC script, exploitation of all CVEs listed in this post will rise.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation

T1190 – Exploit Public-Facing Application

Further Information

VMware security advisory

VMware patch release notes

VMware workaround guidance

Source Incite security research blog post

Source Incite Twitter post

GitHub repository containing POC exploitation code