Governance & Risk Management , Patch Management

Patch Alert: Exploit Code Publicly Released for VMware Flaws

Recently Disclosed Vulnerabilities Allow for Remote Takeover of Multiple Products
Patch Alert: Exploit Code Publicly Released for VMware Flaws

Virtualization giant VMware is warning users to immediately patch a range of its access and identity management products now that researchers have published proof-of-concept code for exploiting an authentication bypass allowing attackers to gain admin privilege.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

The company says it has yet to see in-the-wild attacks using the exploit. VMware on Aug. 2 warned that 10 newly detailed flaws are present in its Workspace ONE Access, VMware Identity Manager - aka vIDM, vRealize Lifecycle Manager, vRealize Automation and VMware Cloud Foundation products. The company warns that not all products are issued in just stand-alone versions; some can be optional add-ons to other products.

One of the most critical flaws, affecting multiple products, is the authentication bypass vulnerability designated CVE-2022-31656, which an attacker could use to gain administrative access to the systems without having to authenticate.

"This critical vulnerability should be patched or mitigated immediately," VMware warns in a FAQ.

Code for exploiting two of the flaws has been publicly released by the security researcher "Petrus Viet," who initially reported the flaws to VMware.

VMware warns the flaws can be exploited not just to facilitate authentication bypass but also remote code execution, allowing an attacker to remotely execute dangerous commands, and privilege escalation vulnerabilities, which would allow an attacker to gain root access.

Follows VMSA-2022-0014 Alert From May

The 10 newly discovered flaws appear to have resulted from Petrus Viet probing the flaws that were publicly disclosed earlier this summer. A May alert, VMSA-2022-0014, details separate flaws in the same set of products. Some of those vulnerabilities can be remotely exploited to seize control of the systems.

"When a security researcher finds a vulnerability, it often draws the attention of other security researchers who bring different perspectives and experience to the research," VMware says.

In May, VMware detailed workarounds that would protect users against the flaws that it detailed in VMSA-2022-0014.

It says those workarounds protect against the newly reported, critical vulnerability, CVE-2022-31656, "but not the additional, less-severe vulnerabilities that are disclosed in VMSA-2022-0021."

Accordingly, "we urge patching of the Workspace ONE Access/Identity Manager components instead of relying on workarounds," VMware says.

When VMware released its May security alert and patches, the vulnerabilities it detailed were already being actively exploited by attackers in the wild.

At the time, the U.S. Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring all federal agencies to patch the flaws, which are designated as CVE-2022-22954 and CVE-2022-22960.

CISA warned in May that the vulnerabilities were already being actively exploited by multiple groups, including nation-state hacking groups. It said attackers appeared to have found the flaws by reverse-engineering an April 6 security update from VMware.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.