CVE-2022-31656: VMware Patches Several Vulnerabilities in Multiple Products (VMSA-2022-0021)
VMware has patched another set of serious vulnerabilities across multiple products including VMware Workspace ONE Access. Organizations should patch urgently given past activity targeting vulnerabilities in VMware products.
Background
On August 2, VMware issued an advisory (VMSA-2022-0021) for ten vulnerabilities across several of its products.
Affected products include:
This may seem familiar, as this is the third similar release from VMware so far in 2022. The pattern started with VMSA-2022-0011 in April and continued in May with VMSA-2022-0014. Both of these releases are mentioned in the FAQ blog post released alongside VMSA-2022-0021. Early reports indicate that CVE-2022-31656 is actually a variant or patch bypass of CVE-2022-22972 which was patched in VMSA-2022-0014.
As we said in May, given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately. This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.
Analysis
CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users and was assigned a CVSSv3 score of 9.8. A remote attacker must have network access to a vulnerable user interface and could use this flaw to bypass authentication and gain administrative access. This vulnerability was credited to security researcher Petrus Viet of VNG Security.
It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release (CVE-2022-31658, CVE-2022-31659, CVE-2022-31659). The Cybersecurity and Infrastructure Security Agency published an advisory in May following the release of VMSA-2022-0014 warning of attack chains being leveraged against VMware targets.
Proof-of-Concept
At the time of publication, there is no PoC available specifically for CVE-2022-31656. It’s unclear whether the PoC for CVE-2022-22972 could be easily modified to exploit this vulnerability. However, the researcher who discovered CVE-2022-31656 tweeted that a PoC is “soon to follow.”
I have found vulnerabilities CVE-2022-31656 and CVE-2022-31659 leading to unauthenticated remote code execution affecting many #VMware products, such as Workspace ONE. Technical writeup and POC soon to follow.
Recommend to patch or mitigate immediately.https://t.co/DnknXFieY3 pic.twitter.com/Uu1LQmb0fQ
— Petrus Viet (@VietPetrus) August 2, 2022
Solution
Organizations should patch these vulnerabilities as soon as possible. A full breakdown of vulnerable and patched versions of all products can be found on the advisory page. VMware also notes that these releases are cumulative and applying these updates will address the flaws covered in prior VMSAs like VMSA-2022-0011 and VMSA-2022-0014.
VMware has also provided workaround information for CVE-2022-31656. The workaround could affect some functionality and should be treated as a temporary step. There are no workarounds for the other vulnerabilities addressed in this release.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.