Both VMware & security experts are urging users to patch many products affected by a critical authentication bypass vulnerability that can let an attacker gain administrative access to a system & go on to exploit other flaws.
The vulnerability—for which a proof-of-concept is forthcoming—is one of a number of issues the company fixed that could be combined into an attack chain.
Number of Fixes
The bug—tracked as CVE-2022-31656—earned a CVSS score of 9.8 & is one of a number of fixes the company made across various products in an update released on Tues. for flaws that could easily be turned into an exploit chain, researchers stated.
CVE-2022-31656 is also almost certainly the most dangerous of these vulnerabilities, & will likely become even more so, as the researcher who discovered it–Petrus Viet of VNG Security–has promised in a tweet that a proof-of-concept exploit for the bug is “soon to follow,” experts noted.
This adds urgency for organisations affected by the issue to patch now, researchers explained.
“Given the prevalence of attacks targeting VMware vulnerabilities & a forthcoming proof-of-concept, organisations need to make patching CVE-2022-31656 a priority,” Claire Tills, Senior Research Engineer with Tenable’s Security Response Team, advised.
“As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”
Specifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager & vRealize Automation.
The bug affects local domain users & requires that a remote attacker have network access to a vulnerable user interface, according to a blog post by Tills published Tues. Once an attacker has that access, he or she can use the flaw to bypass authentication & gain administrative access, she stated.
The vulnerability is also the entry point for exploiting two remote code execution (RCE) flaws addressed by VMware’s release this week—CVE-2022-31658 and CVE-2022-31659—to form an attack chain, Tills observed.
CVE-2022-31658 is a JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager & vRealize Automation & earned an “important” CVSS score of 8.0. The flaw allows a malicious actor with administrator & network access to trigger RCE.
CVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access & Identity Manager & also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these issues.
The other 6 bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; 2 privilege escalation vulnerabilities (CVE-2022-31660 & CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; & a path traversal vulnerability (CVE-2022-31662) rated as moderate.
Patch Early, Patch Everything
VMware is no stranger to having to put out patches for critical bugs found in its products & has suffered its share of security issues due to the commonality of its platform across enterprise networks.
In late June, for example, US federal agencies warned of attackers hitting VMware Horizon & Unified Access Gateway (UAG) servers to exploit the now-infamous Log4Shell RCE vulnerability, an easy-to-exploit flaw discovered in the Apache logging library Log4j late last year & continuously targeted on VMware & other platforms since then.
Sometimes even patching has not been enough for VMware, with attackers targeting existing flaws after the company has done its due diligence & released a fix.
This occurred in Dec. 2020, when US federal agencies warned that adversaries were actively exploiting a weeks-old bug in the Workspace ONE Access & Identity Manager products just 3 days after the vendor had patched the vulnerability.
Though all signs point to the urgency of patching the latest threat to VMware’s platform, it is highly likely that even if the advice is taken, the danger will persist for the foreseeable future, observed one security professional.
Miss Other Places
Although enterprises tend to initially move quickly to patch the most urgent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, Co-Founder of Sevco Security. This is what leads to persistent & ongoing attacks, he suggested.
“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” Fitzgerald explained.
“The simple fact is that most organisations fail to maintain an up-to-date & accurate IT asset inventory, & the most detailed approach to patch management cannot ensure that all enterprise assets are accounted for.”
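Fitzgerald’s point above is that patches get missed on assets no single inventory knows about. The following is an added example, not code from the article or from any vendor named in it, that merges two constructed inventory exports (a CMDB & a scanner), checks them against constructed patch records for CVE-2022-31656, & separates unpatched hosts every source knew about from those only one source saw. All hostnames, product records & patch records are constructed sample data.

```python
# Added example: reconcile asset inventories with patch records for one CVE.
# Hostnames, inventory exports and patch records are constructed sample data.
from typing import Dict, List, Set

# Products the article names as affected by CVE-2022-31656.
AFFECTED_PRODUCTS: Set[str] = {
    "VMware Workspace ONE Access",
    "VMware Identity Manager",
    "VMware vRealize Automation",
}

# Constructed inventory exports: a CMDB and a vulnerability scanner.
# Neither source alone sees every host, which is the gap the article warns about.
CMDB = [
    {"host": "idm-01", "product": "VMware Identity Manager"},
    {"host": "wso-01", "product": "VMware Workspace ONE Access"},
    {"host": "vra-01", "product": "VMware vRealize Automation"},  # scanner never saw it
    {"host": "web-01", "product": "nginx"},
]
SCANNER = [
    {"host": "idm-01", "product": "VMware Identity Manager"},
    {"host": "wso-01", "product": "VMware Workspace ONE Access"},
    {"host": "wso-02", "product": "VMware Workspace ONE Access"},  # missing from CMDB
]

# Constructed patch records: hosts where the fix is confirmed applied, per CVE.
PATCHED: Dict[str, Set[str]] = {"CVE-2022-31656": {"idm-01"}}

def merge_inventories(*sources: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Union all sources by hostname and record which sources reported each host."""
    merged: Dict[str, Dict[str, object]] = {}
    for idx, source in enumerate(sources):
        for rec in source:
            entry = merged.setdefault(rec["host"], {"product": rec["product"], "seen_in": set()})
            entry["seen_in"].add(idx)
    return merged

def unpatched_affected(cve: str, inventory: Dict[str, Dict[str, object]],
                       patched: Dict[str, Set[str]], n_sources: int) -> Dict[str, List[str]]:
    """Affected hosts with no patch record, split by whether every source knew them."""
    result: Dict[str, List[str]] = {"known_everywhere": [], "inventory_gap": []}
    for host, entry in sorted(inventory.items()):
        if entry["product"] not in AFFECTED_PRODUCTS or host in patched.get(cve, set()):
            continue
        bucket = "known_everywhere" if len(entry["seen_in"]) == n_sources else "inventory_gap"
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    inv = merge_inventories(CMDB, SCANNER)
    print(unpatched_affected("CVE-2022-31656", inv, PATCHED, n_sources=2))
```

Hosts in the `inventory_gap` bucket are the ones a patch campaign driven by a single inventory would never reach.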