SRC-2022-0020 : VMware vRealize Operations Manager generateSupportBundle VCOPS_BASE Privilege Escalation Vulnerability

CVE ID: CVE-2022-31672

CVSS Score: 7.2, (/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: VMWare

Affected Products: vRealize Operations

Vulnerability Details: This vulnerability allows local attackers to escalate privileges on affected installations of VMware vRealize Operations Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within generateSupportBundle.py script. The issue results from allowing attackers to specify the VCOPS_BASE environment variable which is later used to construct a path. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

Vendor Response:

VMWare has issued an update to correct this vulnerability. More details can be found at: https://www.vmware.com/security/advisories/VMSA-2022-0022.html

Disclosure Timeline:

  • 2022-05-26 – Sent to VMWare PSIRT

  • 2022-08-09 – Coordinated public release of advisory

Proof of Concept: https://github.com/sourceincite/DashOverride

Credit: This vulnerability was discovered by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute