CVE-2022-31656 – Critical Authentication Bypass Vulnerability in Multiple VMware Products

On Tuesday, August 2, 2022, VMware disclosed a critical-severity authentication bypass vulnerability (CVE-2022-31656) impacting multiple VMware products, including VMware’s Workspace ONE Access, Identity Manager (vIDM), and vRealize Automation. If successfully exploited, the vulnerability could allow a threat actor with network access to the user interface to obtain administrative access without needing to authenticate.

In addition to the critical-severity vulnerability, VMware disclosed several high- and medium-severity vulnerabilities, which could lead to Remote Code Execution (RCE), URL injection, Local Privilege Escalation (LPE), Cross-site Scripting (XSS), or path traversal if successfully exploited. All of the vulnerabilities were discovered and responsibly reported to VMware by security researchers, and security hotfixes are available to remediate all of them.

Affected Products: 

  • VMware Workspace ONE Access (Access) 
  • VMware Workspace ONE Access Connector (Access Connector) 
  • VMware Identity Manager (vIDM) 
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware vRealize Automation (vRA) 
    • Impacted if vIDM is used within the vRA environment 
  • VMware Cloud Foundation (VCF) 
    • Impacted if vIDM is used within the VCF environment 
  • vRealize Suite Lifecycle Manager (vRSLCM) 
    • Impacted if vIDM is used within the vRSLCM environment 

Petrus Viet, a security researcher who responsibly disclosed three of the patched vulnerabilities, including CVE-2022-31656, plans to publish a technical write-up and PoC for CVE-2022-31656 and CVE-2022-31659 in the near future.

By chaining both vulnerabilities together, a threat actor would be able to obtain administrative access and the ability to trigger remote code execution. Once the technical write-up is published, we assess that threat actors will quickly produce multiple PoC exploits to target organizations that are still vulnerable.

Historically, threat actors, including state-sponsored groups, have exploited similar vulnerabilities in VMware products to obtain initial access and conduct intrusions. We strongly recommend reviewing the recommendations below for guidance on how to properly mitigate these vulnerabilities.

CVE Identifier                  Vulnerability Type          CVSS v3  Severity
CVE-2022-31656                  Authentication Bypass       9.8      Critical
CVE-2022-31658                  JDBC Injection RCE          8.0      High
CVE-2022-31659                  SQL Injection RCE           8.0      High
CVE-2022-31660, CVE-2022-31661  Local Privilege Escalation  7.8      High
CVE-2022-31664                  Local Privilege Escalation  7.8      High
CVE-2022-31665                  JDBC Injection RCE          7.6      High
CVE-2022-31657                  URL Injection               5.9      Medium
CVE-2022-31662                  Path Traversal              5.3      Medium
CVE-2022-31663                  Cross-site Scripting        4.7      Medium

 

Recommendations for CVE-2022-31656

Recommendation #1: Install Vendor Supplied Hotfixes for Affected Products 

We recommend applying the latest relevant security hotfixes to the impacted products to mitigate the vulnerabilities. 

Product                                        Version(s)  Hotfix
VMware Workspace ONE Access Appliance          21.08.0.1   HW-160130-Appliance-21.08.0.1
VMware Workspace ONE Access Appliance          21.08.0.0   HW-160130-Appliance-21.08.0.0
VMware Identity Manager Appliance & Connector  3.3.6       HW-160130-Appliance-3.3.6, HW-160130-Connector-3.3.6
VMware Identity Manager Appliance & Connector  3.3.5       HW-160130-Appliance-3.3.5, HW-160130-Connector-3.3.5
VMware Identity Manager Appliance & Connector  3.3.4       HW-160130-Appliance-3.3.4, HW-160130-Connector-3.3.4
VMware Identity Manager Connector              19.03.0.1   HW-160130-Connector-19.03.0.1

Recommendation #2: Implement Vendor Supplied Workarounds if Unable to Patch 

If you are unable to patch CVE-2022-31656 immediately, we recommend implementing the available workaround until your organization can properly remediate the vulnerability by applying the security hotfix. Please note that there are no applicable workarounds for the other disclosed vulnerabilities. The workaround instructions are available here: 

https://kb.vmware.com/s/article/89084  

Note: VMware notes some functional impact when the workaround is deployed. 

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.