Why Only EASM can provide the protection necessary to guard against RCE threat

Why Only EASM can provide the protection necessary to guard against RCE threat


Share on linkedin
Share on facebook
Share on twitter

On April 6, 2022, VMware published VMSA-2022-0011 describing multiple vulnerabilities privately reported to VMware, and issued fixes to patch them. Among these vulnerabilities is CVE-2022-22954, the most critical rated a 9.8 on CVSSv3. CVE-2022-22954 is a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and VMware Identity Manager products. The exploit to this vulnerability is very easy to carry out and does not require much technical knowledge. Only a single HTTP request is required to identify a vulnerable device. Successful exploitation allows an unauthenticated attacker with network access to the web interface to execute an arbitrary shell command as the VMware user.

Protection in practice: guarding against CVE-2022-22960

A successful exploit will lead to command execution within the power of the horizon user directly from the WEB. It is possible to get root access from horizon users (complete server takeover) combining CVE-2022-22960. At present, a large number of VMware vulnerable unpatched products remain vulnerable to remote code execution, putting organizations and individuals at risk.

The following HTTP request performs the command “cat /etc/passwd” with permissions of horizon user:


Similarly, one can perform directory listing in horizon home folder by ls command by using “ls /”:

And as can be shown in the response, all directories in the horizon home folder are listed. This method of execution means an attacker can download malicious files, connect to C&C servers, and more.

There are many things one can do though CVE-2022-22954 — even opening a stream and generating a shell. This is just one example among the many preconfigured exploits accessible to both researchers and malicious parties alike.

 Steps for remediation

  1. Update software immediately as a part of routine software check-in and updates.
  2. If you must publish this service to the internet, use WAF best practices.
  3. Create a firewall access list (ACL) and enable access only to trusted IP addresses.

Concerned about RCE threat? Reposify has you covered.

Enterprise asset tracking is becoming increasingly more difficult to track, as large corporations have countless interfaces with subsidiaries, suppliers, and joint ventures. Security teams find themselves understaffed with more tasks to perform. True EASM solution will find the immediate threat in real-time and provide simple instructions on how to prevent them. Reposify will find every asset that belongs to your organization and mimic professional security analysts.

Reposify values your time! We are committed to reducing the number of false-positives and to provide security teams with verified issues, and a clear view. Reposify has a large number of integrations with support and case management, SIEM, SOAR, and cloud connectors to make team coordination easy.

Shlomi has been an information technology professional for over fifteen years with extensive experience with roles spanning across Software Development Life Cycle (SDLC), IT infrastructure, cryptography, security architecture, operations security, business continuity and Disaster Recovery Planning (DRP), legal, regulations, investigations and compliance, design DevOps (CI-CD process) to cloud platforms. Shlomi has worked on large complex InfoSec projects worldwide. He brings the expertise of defensive & offensive methodologies in cybersecurity. Shlomi is focused on excellence in all aspects of business and life and contributes his knowledge in technical documentation including Cloud Security Alliance (CSA).


Share on linkedin
Share on facebook
Share on twitter

Ready to discover your External Attack Surface?

Read Next

Detect to protect: Reposify’s EASM flags exposed assets vulnerable to Microsoft SMB (CVE-2022-26809)

Microsoft covered more than 100 vulnerabilities in April's security update, among them patches to critical remote code execution (RCE) vulnerabilities located in Microsoft’s SMB. In response Reposify's EASM platform scanned and identified 800,000+ nodes with open SMB protocol on both patched and unpatched systems. Read our latest blog and learn how Reposify's EASM can detect unknown exposed assets vulnerable to Microsoft’s SMB.

Security teams: here’s why you should choose EASM over Shodan?

If you are using Shodan to search for your company’s assets or perform reconnaissance as part of blue or red teams routines - you need to keep reading.

Spring4Shell is on the rise. EASM is a necessity.

Reposify’s EASM platform provides deep, real-time understanding of known and unknown assets exposed and vulnerable to Spring4Shell, instantly mitigating critical risk for any organization
Yaron Tal