August 2, 2022

Critical VMware RCE & Auth Bypass Vulnerabilities Existed In The Wild

VMware has released a patch to address a critical authentication bypass vulnerability that affects local domain users in a number of products and allows unauthenticated attackers to gain administrative access.

In addition, VMware addressed a number of additional security vulnerabilities that allowed attackers to perform Remote Code Execution and elevate privileges to ‘root’ on unpatched systems.

The Critical Vulnerability

• CVE-2022-31656, (CVSS 3.1: 9.8, Critical) – Authentication bypass vulnerability affecting local domain users, A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Affected Products

• VMware Workspace ONE Access (Access)
• VMware Workspace ONE Access Connector (Access Connector)
• VMware Identity Manager (vIDM)
• VMware Identity Manager Connector (vIDM Connector)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

Mitigation

CYREBRO recommends updating the vulnerable VMware systems to their most recent versions in order to mitigate the vulnerability.

Workarounds

A possible workaround for CVE-2022-31656 is to disable all users except one provisioned administrator and log in via SSH to restart the horizon-workspace service.

However, VMware does not recommend using this workaround and claims that the only way to effectively fix the CVE-2022-31656 auth bypass vulnerability is to patch the vulnerable products.

References: VMWare Advisory