VMware has released fixes for ten vulnerabilities, including CVE-2022-31656, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation, which the company considers critical and advises customers to patch or mitigate immediately.
While there is no indication that any of these flaws is currently being leveraged by attackers in the wild, the security researcher who reported CVE-2022-31656 is planning to release a technical writeup and a POC “soon”.
CVE-2022-31656 is an authentication bypass vulnerability affecting local domain users on VMware Workspace ONE Access, Identity Manager and vRealize Automation. It may allow an attacker with network access to the UI to obtain administrative access without the need to authenticate first.
“Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,” says Claire Tills, senior research engineer at Tenable.
“As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”
She also noted that “early reports indicate that CVE-2022-31656 is actually a variant or patch bypass of CVE-2022-22972 which was patched in [May 2022].”
Petrus Viet, the researcher who discovered CVE-2022-31656, has also reported CVE-2022-31659, a SQL injection flaw that can be exploited to trigger remote code execution. These two vulnerabilities could, for example, be combined into a very effective exploit chain.
Other vulnerabilities fixed in this batch of security updates include:
- Two other RCEs (CVE-2022-31658, CVE-2022-31665)
- Three local privilege escalation flaws (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664)
- A URL injection vulnerability (CVE-2022-31657)
- A path traversal vulnerability (CVE-2022-31662)
- A cross-site scripting (XSS) vulnerability (CVE-2022-31663)
Affected solutions include:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
Along with the security advisory, VMware has also published a FAQ document that enterprise admins should consult to make sure they apply patches or workarounds correctly.
UPDATE (August 10, 2022, 03:30 a.m. ET):
Petrus Viet has published a detailed technical analysis of CVE-2022-31656 and CVE-2022-31659, and a proof-of-concept exploit for CVE-2022-31656.