# CVE-2022-22954
This package detects a subset of
[CVE-2022-22954](https://nvd.nist.gov/vuln/detail/CVE-2022-22954) attempts and
exploits, generates a notice, and records the exploit URI together with the
first 4KB of the data the server sent back to the attacker. Detecting the
attack itself is more straightforward from
[log analysis](https://corelight.com/blog/finding-cve-2022-22954-with-zeek);
what this package adds is a log of the response returned to the attacker, which
shows whether the injected command actually ran and aids incident response.
## Sample Notice
Two notices can be generated from this package:
* `VMWareRCE2022::ExploitAttempt`, and
* `VMWareRCE2022::ExploitSuccess`
The first is generated when an attack is attempted, whether or not it
succeeds. The second fires only when a successful exploit is detected and
should be investigated immediately. Below is an example of a
successful-exploit notice.
```
1223906136.104000 C5uvDn3o7ejGdRxeVb - - - - - - - - VMWareRCE2022::ExploitSuccess 192.168.0.1 successfully exploited 173.37.145.84. See sub for uri/response. uri: /catalog-portal/ui/oauth/verify?error=&deviceUdid=${{freemarker.template.utility.Execute?new()(whoami)}}; response: www-data\x0a - - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
```
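To make the attempt-versus-success distinction concrete, here is an added example in Python that is not part of the package (the package's own logic lives in `scripts/main.zeek`, which is not reproduced here). It looks for the FreeMarker `Execute` construct used by the public exploit in the request URI (after URL-decoding, since scanners commonly encode the payload), caps the logged response at 4KB as the package does, and applies a success heuristic that is this example's own assumption: a 200 response with a non-empty body that does not echo the unevaluated template back. The notice names are taken from the README; the sample traffic is constructed, not captured.

```python
"""Toy detector for CVE-2022-22954 request/response pairs.

Added example: not the package's main.zeek, just the same idea in Python so
the attempt-vs-success distinction can be exercised offline.
"""
import re
from urllib.parse import unquote

# Notice names as used by the package.
ATTEMPT = "VMWareRCE2022::ExploitAttempt"
SUCCESS = "VMWareRCE2022::ExploitSuccess"

# The FreeMarker construct used by the public exploit:
#   ${"freemarker.template.utility.Execute"?new()("cmd")}
# It never appears in legitimate traffic, so its presence alone marks an attempt.
TEMPLATE_RE = re.compile(r"\$\{.*?freemarker\.template\.utility\.Execute.*?\}",
                         re.IGNORECASE | re.DOTALL)
MARKER = b"freemarker.template.utility.Execute"
RESPONSE_CAP = 4096  # the package keeps the first 4KB of the response


def decode_uri(uri: str) -> str:
    """URL-decode twice: scanners commonly encode the payload once or twice."""
    return unquote(unquote(uri))


def is_exploit_uri(uri: str) -> bool:
    return TEMPLATE_RE.search(decode_uri(uri)) is not None


def classify(uri: str, status: int, body: bytes):
    """Return (notice_name, response_snippet), or (None, None) for benign traffic.

    Success heuristic (an assumption for this example, not the package's rule):
    the server answered 200 with a non-empty body that does not echo the
    unevaluated template back, i.e. the template was rendered server-side and
    what came back is command output.
    """
    if not is_exploit_uri(uri):
        return None, None
    snippet = body[:RESPONSE_CAP]
    if status == 200 and snippet and MARKER not in snippet:
        return SUCCESS, snippet
    return ATTEMPT, snippet


def scan(records):
    """Run classify() over (src, dst, uri, status, body) tuples; return notices."""
    notices = []
    for src, dst, uri, status, body in records:
        notice, snippet = classify(uri, status, body)
        if notice is None:
            continue
        notices.append({
            "note": notice, "src": src, "dst": dst,
            "uri": uri, "response": snippet.decode("utf-8", "replace"),
        })
    return notices


# Constructed sample traffic (not captured data); hosts are placeholders.
SAMPLE = [
    # Plain payload; the server ran the command and returned its output.
    ("192.168.0.1", "10.0.0.5",
     '/catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("whoami")}',
     200, b"www-data\n"),
    # URL-encoded payload against a patched host: rejected, still an attempt.
    ("192.168.0.2", "10.0.0.5",
     "/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D",
     400, b"Bad Request"),
    # Legitimate request to the same endpoint.
    ("192.168.0.3", "10.0.0.5",
     "/catalog-portal/ui/oauth/verify?error=&deviceUdid=3f2a9c1e",
     200, b"<html>ok</html>"),
]

if __name__ == "__main__":
    for n in scan(SAMPLE):
        print(f"{n['note']} {n['src']} -> {n['dst']} "
              f"uri: {n['uri']} response: {n['response']!r}")
```

Running it prints one `ExploitSuccess` for the first record and one `ExploitAttempt` for the second; the benign third request produces nothing. The double `unquote` is deliberate: a single decode misses `%2524%257B`-style double-encoded payloads, and decoding an already-plain URI a second time is harmless for this pattern.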
## Installing
This package can be installed with `zkg` using the following commands:
```
$ zkg refresh
$ zkg install cve-2022-22954
```
Corelight customers can install it by updating the CVE bundle.