Patch Alert: Exploit Code Publicly Released for VMware Flaws
Recently Disclosed Vulnerabilities Allow for Remote Takeover of Multiple Products
Virtualization giant VMware is warning users to immediately patch a range of its access and identity management products now that researchers have published proof-of-concept code for exploiting an authentication bypass that allows attackers to gain admin privileges.
The company says it has yet to see in-the-wild attacks using the exploit. VMware on Aug. 2 warned that 10 newly detailed flaws are present in its Workspace ONE Access, VMware Identity Manager (aka vIDM), vRealize Lifecycle Manager, vRealize Automation and VMware Cloud Foundation products. The company warns that not all of these products ship only as stand-alone versions; some can be optional add-ons to other products.
One of the most critical flaws, affecting multiple products, is the authentication bypass vulnerability designated CVE-2022-31656, which an attacker could use to gain administrative access to the systems without having to authenticate.
"This critical vulnerability should be patched or mitigated immediately," VMware warns in a FAQ.
Code for exploiting two of the flaws has been publicly released by the security researcher "Petrus Viet," who initially reported the flaws to VMware.
VMware warns that the flaws include not just authentication bypass but also remote code execution, which allows an attacker to remotely execute dangerous commands, and privilege escalation, which would allow an attacker to gain root access.
"This is a detailed technical analysis of two vulnerabilities CVE-2022-31656 and CVE-2022-31659 affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. I hope it helps you and sorry for my bad English. [ENG] https://t.co/lOXEUvEyPV" (Petrus Viet, @VietPetrus, August 9, 2022)
Follows VMSA-2022-0014 Alert From May
The 10 newly discovered flaws appear to have resulted from Petrus Viet probing the flaws that were publicly disclosed earlier this summer. A May alert, VMSA-2022-0014, details separate flaws in the same set of products. Some of those vulnerabilities can be remotely exploited to seize control of the systems.
"When a security researcher finds a vulnerability, it often draws the attention of other security researchers who bring different perspectives and experience to the research," VMware says.
In May, VMware published workarounds that would protect users against the flaws that it detailed in VMSA-2022-0014.
It says those workarounds protect against the newly reported, critical vulnerability, CVE-2022-31656, "but not the additional, less-severe vulnerabilities that are disclosed in VMSA-2022-0021."
Accordingly, "we urge patching of the Workspace ONE Access/Identity Manager components instead of relying on workarounds," VMware says.
When VMware released its May security alert and patches, the vulnerabilities it detailed were already being actively exploited by attackers in the wild.
At the time, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring all federal agencies to patch the flaws, which are designated as CVE-2022-22954 and CVE-2022-22960.
CISA warned in May that the vulnerabilities were already being actively exploited by multiple groups, including nation-state hacking groups. It said attackers appeared to have found the flaws by reverse-engineering an April 6 security update from VMware.