This vulnerability, for which a proof-of-concept is forthcoming, is one of a series of flaws fixed by the company that could lead to a chain of attacks.
VMware and security experts are urging users to patch multiple products affected by a critical authentication bypass flaw that could allow an attacker to gain administrative access to a system and exploit additional vulnerabilities.
The flaw, identified as CVE-2022-31656, received a CVSS score of 9.8 and is one of several fixes the company made in various products in an update released Tuesday for flaws that could easily become an exploit chain, according to researchers.
CVE-2022-31656 is also unquestionably the most dangerous of these vulnerabilities, and experts expect it to become more dangerous still: the researcher who discovered it, Petrus Viet of VNG Security, has promised in a tweet that proof-of-concept exploits for the flaw will be available “soon.”
This increases the urgency for organizations affected by the flaw to apply a patch immediately, according to researchers.
“Given the prevalence of attacks against VMware vulnerabilities and an upcoming proof-of-concept, organizations must prioritize patching CVE-2022-31656,” said Claire Tills, a senior research engineer with Tenable’s Security Response Team. “As an authentication bypass, exploiting this flaw allows attackers to potentially create very troublesome exploit chains.”
Possibility of Attack Chain
Specifically, VMware Workspace ONE Access, Identity Manager, and vRealize Automation are affected by the authentication bypass vulnerability CVE-2022-31656.
According to a Tuesday blog post by Tills, the flaw affects local domain users and requires a remote attacker to have network access to a vulnerable user interface. Once an attacker achieves this, she explained, he or she can exploit the vulnerability to bypass authentication and gain administrative access.
Tills noted that the vulnerability is the entry point for exploiting other remote code execution (RCE) flaws patched by VMware this week—CVE-2022-31658 and CVE-2022-31659—to form an attack chain.
CVE-2022-31658 is a CVSS 8.0 “important” rated JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. RCE can be triggered by a malicious actor with administrator and network access.
CVE-2022-31659 is a SQL injection RCE vulnerability affecting VMware Workspace ONE Access and Identity Manager, with an attack vector similar to that of CVE-2022-31658 and a rating of 8.0. Viet is credited with discovering both of these flaws.
The remaining six vulnerabilities addressed by the update are an additional RCE vulnerability (CVE-2022-31665) rated as critical, two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as critical, a local privilege escalation vulnerability (CVE-2022-31664) rated as critical, a URL injection vulnerability (CVE-2022-31657) rated as moderate, and a path traversal vulnerability (CVE-2022-3166
Early Corrections for Everything
VMware is no stranger to having to rush out patches for critical bugs found in its products, and its platform’s prevalence on enterprise networks has caused it its fair share of security issues.
In late June, for instance, federal agencies warned of attackers targeting VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous Log4Shell RCE vulnerability, a flaw discovered in the Apache logging library Log4j late last year and persistently targeted on VMware and other platforms.
Indeed, patching has not always been sufficient for VMware, as attackers target existing vulnerabilities even after the company has released a patch.
This scenario occurred in December 2020, when the federal government reported that adversaries were actively exploiting a vulnerability in Workspace ONE Access and Identity Manager products three days after the vendor patched the flaw.
Even though all indications point to the urgency of patching the most recent threat to VMware’s platform, the threat will likely persist for the foreseeable future even if the advice is followed, observed one security expert.
Greg Fitzgerald, the co-founder of Sevco Security, remarked in an email to Threatpost that, while businesses generally move swiftly to patch the most immediate threats to their network, they frequently overlook other places where attackers can exploit a flaw. This, he said, is what leads to persistent and ongoing attacks.
“The greatest risk for businesses is not the rate at which they apply critical patches; it is failing to apply patches to all assets,” Fitzgerald said. “It is a simple fact that the majority of organizations do not maintain an accurate and up-to-date IT asset inventory, and even the most meticulous approach to patch management cannot guarantee that all enterprise assets are accounted for.”
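The gap Fitzgerald describes is measurable: compare what network discovery actually sees against what the patch-management system knows about. The script below is an added example, not code from the article, VMware, Tenable or Sevco; the two inventories are constructed sample data in a hypothetical record format, and only the affected product names (Workspace ONE Access, Identity Manager, vRealize Automation) come from the article. It reports hosts running an affected product that the patch process either has never heard of or has recorded as still unpatched.

```python
"""Reconcile discovered hosts against patch-management records to surface
VMware assets that are missing from the patch process or still unpatched.

Added example (not from the article or any vendor). The record layout and
all host names below are constructed; only the product names are taken
from the article's list of products affected by CVE-2022-31656.
"""
from typing import Dict, Iterable, List, Set

# Products the article lists as affected by the authentication bypass.
AFFECTED_PRODUCTS: Set[str] = {
    "Workspace ONE Access",
    "Identity Manager",
    "vRealize Automation",
}

# Constructed sample: hosts observed by network discovery, assumed to be
# the most complete view of what is really running on the network.
DISCOVERED: List[Dict[str, str]] = [
    {"host": "idm-01.corp.example", "product": "Identity Manager"},
    {"host": "w1a-01.corp.example", "product": "Workspace ONE Access"},
    {"host": "W1A-02.corp.example", "product": "Workspace ONE Access"},
    {"host": "vra-01.corp.example", "product": "vRealize Automation"},
    {"host": "web-01.corp.example", "product": "nginx"},
]

# Constructed sample: what the patch-management system believes. "applied"
# records whether the fix for the advisory has been installed on that host.
PATCH_RECORDS: List[Dict[str, object]] = [
    {"host": "idm-01.corp.example", "applied": True},
    {"host": "w1a-01.corp.example", "applied": False},
    {"host": "vra-01.corp.example", "applied": True},
]


def reconcile(
    discovered: Iterable[Dict[str, str]],
    patch_records: Iterable[Dict[str, object]],
    affected: Set[str] = AFFECTED_PRODUCTS,
) -> Dict[str, List[str]]:
    """Return affected hosts that are unknown to patching or known-unpatched.

    Host names are compared case-insensitively, since discovery tools and
    patch systems frequently disagree on capitalisation.
    """
    by_host = {str(r["host"]).lower(): r for r in patch_records}
    unknown: List[str] = []
    unpatched: List[str] = []
    for asset in discovered:
        if asset["product"] not in affected:
            continue  # not in scope for this advisory
        record = by_host.get(asset["host"].lower())
        if record is None:
            unknown.append(asset["host"].lower())  # inventory gap
        elif not record["applied"]:
            unpatched.append(asset["host"].lower())  # tracked but unpatched
    return {
        "unknown_to_patching": sorted(unknown),
        "known_unpatched": sorted(unpatched),
    }


def coverage_ratio(
    discovered: Iterable[Dict[str, str]],
    patch_records: Iterable[Dict[str, object]],
    affected: Set[str] = AFFECTED_PRODUCTS,
) -> float:
    """Fraction of affected hosts that are both tracked and patched."""
    discovered = list(discovered)
    in_scope = [a for a in discovered if a["product"] in affected]
    if not in_scope:
        return 1.0
    gaps = reconcile(discovered, patch_records, affected)
    missing = len(gaps["unknown_to_patching"]) + len(gaps["known_unpatched"])
    return (len(in_scope) - missing) / len(in_scope)


if __name__ == "__main__":
    result = reconcile(DISCOVERED, PATCH_RECORDS)
    for category, hosts in result.items():
        print(f"{category}: {', '.join(hosts) or '(none)'}")
    print(f"coverage: {coverage_ratio(DISCOVERED, PATCH_RECORDS):.0%}")
```

Run against the sample data, the report flags `w1a-02.corp.example` as an asset the patch system has never seen and `w1a-01.corp.example` as tracked but unpatched, giving 50% coverage of the four affected hosts; the "unknown" bucket is the one Fitzgerald's comment is about, and it is invisible to a patch-compliance dashboard that only counts hosts it already knows.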