Earlier this week, VMWare published a critical security advisory that addresses security vulnerabilities in multiple product lines, including a critical authentication bypass flaw that scored CVSSv3 9.8.
Administrators are advised to update affected VMWare products as soon as possible.
What’s the nature of the vulnerabilities?
VMWare released an advisory on August 2nd regarding updates across multiple platforms. This includes a critical authentication bypass vulnerability, as well as multiple severe privilege escalation and remote code execution (RCE) vulnerabilities. Though the RCEs require administrative access, they can presumably be chained with the authentication bypass or privilege escalation vulnerabilities as needed to bypass the authentication requirement.
Urgent action is recommended on the below vulnerabilities. Consult the VMWare Advisory (VMSA-2022-0021) for more details.
Which products are affected?
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
Vulnerability details
Here’s a summary of Critical/High vulnerabilities from VMSA-2022-0021 that rank greater that CVSSv3 7.0.
VMware Cloud Foundation vRealize Suite Lifecycle ManagerAuthentication Bypass Vulnerability
CVE-2022-31656
CVSS 9.8 – Critical
- Impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation platforms
- Malicious user with Network access and UI access may be able to bypass authentication and obtain administrative credentials.
- Workaround provided by VMWare.
JDBC Injection Remote Code Execution Vulnerability
CVE-2022-31658
CVSS 8.0 – Important
- Impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation platforms
- Malicious user with network and administrative access can trigger remote code execution (RCE) on the impacted platform
- No workaround listed
SQL injection Remote Code Execution Vulnerability
CVE-2022-31659
CVSS 8.0 – Important
- Impacts VMware Workspace ONE Access and Identity Manager platforms
- An RCE can be triggered by a user with network and administrative access
- No workaround listed
Local Privilege Escalation Vulnerability
CVE-2022-31660
CVE-2022-31661
CVE-2022-31664
CVSS 7.8 – Important
- All three listed Privilege Escalation vulnerabilities impact VMware Workspace ONE Access, Identity Manager and vRealize Automation platforms
- Malicious user with local access can escalate to root privileges
- No workarounds listed
JDBC Injection Remote Code Execution Vulnerability
CVE-2022-31665
CVSS 7.6 – Important
- Impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation platforms
- An RCE can be triggered by a user with network and administrative access
- No workarounds listed
Mitigation
- Consult VMWare Advisory and Q&A Document for more details, as well as information about updates and workarounds.
- A vulnerability management program can be used to detect and prioritize serious vulnerabilities within your environment.
- Apply network segmentation best practices to reduce the attack surface of vulnerabilities requiring network access.
Resources
VMWare Advisory (VMSA-2022-0021)
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
VMWare Advisory (VMSA-2022-0021): Q+A
https://core.vmware.com/vmsa-2022-0021-questions-answers-faq
BleepingComputer Article
https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch-critical-auth-bypass-bug-immediately/
