The researcher who discovered two critical vulnerabilities in VMware Workspace ONE Access has released a proof-of-concept exploit for one of the bugs, an authentication bypass that can allow an attacker to gain admin privileges.
VMware released an advisory and update for the vulnerability (CVE-2022-31656) last week and security analysts urged organizations to install the update as soon as possible. Attackers target VMware products on a regular basis and an authentication bypass in one of the company’s products makes for a highly attractive target. At the time that VMware released its advisories on Aug. 2, there were no exploits available, but Petrus Viet, who discovered the bug, was planning to release one soon.
“Given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately,” said Claire Tills, senior research engineer with Tenable's Security Response Team, in an Aug. 2 alert. “This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.”
On Tuesday, the researcher posted the PoC for the vulnerability, along with a technical, step-by-step description of the bug and the exploitation process.
“VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” the vulnerability advisory says.
Even before the exploit was released, VMware officials were encouraging users to install the update right away.
“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an ‘emergency’ change,” Bob Plankers of VMware said in a blog post.
In addition to the authentication bypass, Petrus Viet also discovered a remote code execution bug in VMware Workspace ONE Access, which the company also patched last week. That flaw (CVE-2022-31659) is a SQL injection.
“A malicious actor with administrator and network access can trigger a remote code execution. VMware has confirmed malicious code that can exploit CVE-2022-31659 in impacted products is publicly available,” the VMware advisory says.