Discovered: 2022  
Impacts: VMware Horizon Agent for Linux, before version 22.x  
Severity: High  
Attack type: Local Privilege Escalation  
---

## What is CVE-2022-22964?

CVE-2022-22964 is a serious local privilege escalation flaw found in VMware Horizon Agent for Linux. The bug allows an attacker with regular user access to get full root privileges by exploiting insecure configuration file permissions. Let's break down what this means, how it was exploited, and how to protect affected systems.

## What's VMware Horizon Agent?

VMware Horizon is software that lets organizations provide remote desktops and apps to users. The Horizon Agent runs on the virtual desktops themselves; it talks to the Horizon infrastructure and enables things like input redirection, screen updates, and more.

## How the Vulnerability Happened

In vulnerable versions (before Horizon Agent 22.x), a configuration file had permissions that were way too loose. That is, the file allowed unprivileged users to write to it when they shouldn't have been able to.

The Horizon Agent service runs as root. At startup, it reads its configuration file. If an attacker can edit that file, they can inject malicious data or even point the agent to load arbitrary libraries or execute arbitrary commands as root.

Suppose there's a config file like `/etc/vmware/horizon/agent.conf`, and the permissions look like this:

```bash
$ ls -l /etc/vmware/horizon/agent.conf
-rw-rw-rw- 1 root root 1234 Jan 12 10:00 /etc/vmware/horizon/agent.conf
```

Notice the `rw-rw-rw-` (read and *write* by anyone)! This is a recipe for disaster. Any user or process on the system can overwrite this config file.

## How Attackers Exploit This

To exploit, an attacker just needs an unprivileged account on the same Linux system.

1. **Overwrite the Config File:** Insert a setting (for example, a debug log location) pointing to a file that will later be executed by root, like `/etc/cron.d/malicious`, or configure it to run a command.
2. **Restart the Service:** Wait for the service to restart (or convince an admin to restart it). When Horizon Agent starts, it processes the attacker's changes, performing an action that leads to code execution as root.

Suppose the config allows setting a log file:

```bash
echo 'log_file=/etc/cron.d/malicious' > /etc/vmware/horizon/agent.conf
echo '* * * * * root echo "ALL ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.d/malicious
```

Now wait: once the service restarts and writes the log as root, the cron job is created, granting passwordless sudo to *all* users.

> Important: The exact methods may vary with the options the service parses, but the core idea is the same: a writable config file leads to root-level actions controlled by an attacker.

## Fixing the Flaw

VMware patched this in version 22.x of the Horizon Agent for Linux. The main fix was tightening the permissions on critical configuration files.

- **Upgrade:** Patch to the latest Horizon Agent for Linux.
- **Tighten Permissions:** Restrict the config file to root:

  ```bash
  sudo chmod 600 /etc/vmware/horizon/agent.conf
  sudo chown root:root /etc/vmware/horizon/agent.conf
  ```
- **Review for Further Issues:** Confirm no other world-writable config files exist under `/etc/vmware/horizon/`.
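
One way to carry out that review, as an added example (not VMware tooling and not code from the original page): the script lists everything under a config directory that is group- or world-writable or not owned by the expected owner. Directories are included because a writable directory lets a user replace a file inside it even when the file itself is mode 600. The function names and script name are hypothetical, and the path in the usage line is the illustrative one used above.

```bash
#!/bin/sh
# Added example: audit a config tree for the weakness described above.
# Function names and the script name are hypothetical; the default owner
# (root) and the path below are assumptions from the article's illustration.
# Usage: sh audit_perms.sh /etc/vmware/horizon

# find_weak_perms DIR [OWNER]
# Prints each file or directory under DIR that is group-writable,
# world-writable, or not owned by OWNER (name or numeric uid).
# Symlinks are skipped: their own mode bits are always 777 and meaningless.
find_weak_perms() {
    find "$1" ! -type l \
        \( -perm -020 -o -perm -002 -o ! -user "${2:-root}" \) -print
}

# audit_config_tree DIR [OWNER]
# Return status: 0 = clean, 1 = findings (listed with ls -ld), 2 = DIR missing.
audit_config_tree() {
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    findings=$(find_weak_perms "$1" "${2:-root}")
    if [ -z "$findings" ]; then
        return 0
    fi
    # Show mode, owner and group for every finding so it can be triaged.
    printf '%s\n' "$findings" | while IFS= read -r path; do
        ls -ld "$path"
    done
    return 1
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_config_tree "$@"
fi
```

A non-zero status makes the script usable as a gate in a configuration-management or compliance job that runs after each agent upgrade.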

---

## Resources & References

- VMware Security Advisory VMSA-2022-0012
- NVD CVE-2022-22964 Entry
- Horizon Agent Release Notes

---

## Final Thoughts

CVE-2022-22964 is a classic example of how *file permission mistakes* can have massive consequences. Always check that your critical configs and services don't allow users to write to sensitive files! If you're running any version of VMware Horizon Agent for Linux prior to 22.x, patch immediately.

Stay safe and secure your configs!

## Timeline

Published on: 04/11/2022 20:15:00 UTC  
Last modified on: 07/30/2022 02:37:00 UTC