VMware has released fixes for ten vulnerabilities, including CVE-2022-31656, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation. The company considers it critical and advises customers to patch or mitigate it immediately.
While there is no indication that any of these flaws are currently being leveraged by attackers in the wild, the security researcher who reported CVE-2022-31656 is planning to release a technical writeup and a PoC “soon”.
CVE-2022-31656 is an authentication bypass vulnerability affecting local domain users on VMware Workspace ONE Access, Identity Manager and vRealize Automation. It may allow an attacker with network access to the UI to obtain administrative access without the need to authenticate first.
“Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,” says Claire Tills, senior research engineer at Tenable.
“As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”
Petrus Viet, the researcher who discovered CVE-2022-31656, has also reported CVE-2022-31659, a SQL injection flaw that can be exploited to achieve remote code execution. These two vulnerabilities could, for example, be combined into a very effective exploit chain.
Other vulnerabilities fixed in this batch of security updates include:
- Two other RCEs (CVE-2022-31658, CVE-2022-31665)
- Three local privilege escalation flaws (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664)
- A URL injection vulnerability (CVE-2022-31657)
- A path traversal vulnerability (CVE-2022-31662)
- A cross-site scripting (XSS) vulnerability (CVE-2022-31663)
Affected solutions include:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
UPDATE (August 10, 2022, 03:30 a.m. ET):
Petrus Viet has published a detailed technical analysis of CVE-2022-31656 and CVE-2022-31659, and a proof-of-concept exploit for CVE-2022-31656.