VMware Patches 3 Critical Auth-Bypass Vulnerabilities in Remote Access Tool
November 9, 2022
VMware has released security updates to address three critical-severity vulnerabilities in the Workspace ONE Assist solution that allow remote attackers to bypass authentication and gain administrative privileges.
The Vulnerabilities
- CVE-2022-31685 (CVSS 3.1: 9.8, Critical) – Authentication Bypass vulnerability: a malicious actor with network access might gain administrative access without needing to authenticate to the application.
- CVE-2022-31686 (CVSS 3.1: 9.8, Critical) – Broken Authentication Method vulnerability: a malicious actor with network access might gain administrative access without needing to authenticate to the application.
- CVE-2022-31686 (CVSS 3.1: 9.8, Critical) – Broken Access Control vulnerability: a malicious actor with network access might gain administrative access without needing to authenticate to the application.
Affected Products
- VMware Workspace ONE Assist prior to version 22.10.
Mitigation
CYREBRO recommends that all users of VMware Workspace ONE Assist update to VMware Workspace ONE Assist 22.10.
References: VMware Advisory