ISN 2022-11: VMware Horizon Privilege Escalation
Updated 2nd June 2022 (IGEL OS 11.07.140 available)
First published 26th April 2022
CVSS 3.1 Base Score: 7.3 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Two vulnerabilities have been found in VMware Horizon Client for Linux. This affects the following IGEL products:
IGEL OS 11
IGEL OS 10
Details
The first issue (CVE-2022-22962) allows a local non-privileged user to change the default shared folder location because of an insecurely handled symbolic link. This can result in the link pointing to a file owned by root.
The second issue (CVE-2022-22964) lets a local non-privileged user escalate their privileges to root because of an insecurely handled configuration file.
Update Instructions
IGEL OS 11: Update to IGEL OS version 11.07.140 or newer.
IGEL OS 10: Upgrade to IGEL OS version 11.07.140 or newer.
Mitigation
Both issues can be mitigated by not giving users access to a terminal or virtual console on IGEL OS, which they would need in order to configure and run exploit code:
Remove an existing local terminal session:
In IGEL Setup, go to Accessories > Terminals.
Select a local terminal session you want to delete.
Click the trash icon to remove the selected session.
When prompted, confirm that you want to delete the session.
Click Apply.
Or password-protect the local terminal with the Administrator password:
Find the local terminal session under Accessories > Terminals.
Follow the instructions under IGEL OS PUBLIC > Versions of IGEL OS > (11.09-en) IGEL OS > (11.09-en) IGEL OS Articles > (11.09-en) Security > (11.09-en) Security IGEL OS Endpoints > (11.09-en) Setting Passwords > (11.09-en) Password-Protecting Sessions and Accessories.
Disable virtual console access:
In IGEL Setup, go to User Interface > Display > Access Control.
Activate Disable console switching (default: console switching enabled).
Click Apply.
References
VMSA-2022-0012: https://www.vmware.com/security/advisories/VMSA-2022-0012.html