August 2, 2022
Critical VMware RCE & Auth Bypass Vulnerabilities Existed In The Wild
VMware has released a patch to address a critical authentication bypass vulnerability that affects local domain users in a number of products and allows unauthenticated attackers to gain administrative access.
VMware also addressed a number of other security vulnerabilities that allowed attackers to perform remote code execution and elevate privileges to ‘root’ on unpatched systems.
The Critical Vulnerability
- CVE-2022-31656 (CVSS 3.1: 9.8, Critical) – Authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
CYREBRO recommends updating the vulnerable VMware systems to their most recent versions in order to mitigate the vulnerability.
A possible workaround for CVE-2022-31656 is to disable all users except one provisioned administrator and log in via SSH to restart the horizon-workspace service.
However, VMware does not recommend using this workaround and claims that the only way to effectively fix the CVE-2022-31656 auth bypass vulnerability is to patch the vulnerable products.
References: VMware Advisory