Overview
Recently, NSFOCUS CERT detected that VMware had issued a security advisory fixing multiple vulnerabilities in products including VMware Workspace ONE Access, Identity Manager, and VMware vRealize Automation. Attackers can exploit these vulnerabilities to achieve privilege escalation and remote code execution. The official security updates have been released, and affected users are advised to take protective measures.
Reference link:
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
Key Vulnerabilities
VMware Authentication Bypass Vulnerability (CVE-2022-31656):
An authentication bypass vulnerability exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. An attacker with network access to the UI could gain administrative access without requiring authentication. The CVSS score is 9.8.
VMware JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658/CVE-2022-31665):
Two remote code execution vulnerabilities exist in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. An attacker with administrator and network access could exploit these vulnerabilities for remote code execution. The CVSS scores are 8.0 and 7.6, respectively.
VMware SQL Injection Remote Code Execution Vulnerability (CVE-2022-31659):
A remote code execution vulnerability exists in VMware Workspace ONE Access and Identity Manager. An attacker with administrative and network access can exploit this vulnerability to write malicious files through SQL injection and ultimately achieve arbitrary code execution. The CVSS score is 8.0.
VMware Local Privilege Escalation Vulnerability (CVE-2022-31660/CVE-2022-31661/CVE-2022-31664):
Two privilege escalation vulnerabilities exist in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. An attacker with local privileges could exploit these vulnerabilities to escalate privileges to root. The CVSS score is 7.8.
Scope of Impact
Affected versions
- VMware Workspace ONE Access (Access) V21.08.0.0
- VMware Workspace ONE Access (Access) V21.08.0.1
- VMware Identity Manager (vIDM) V3.3.4
- VMware Identity Manager (vIDM) V3.3.5
- VMware Identity Manager (vIDM) V3.3.6
- VMware Workspace ONE Access Connector (Access Connector) V21.08.0.0
- VMware Workspace ONE Access Connector (Access Connector) V21.08.0.1
- VMware Workspace ONE Access Connector (Access Connector) V22.05
- VMware Identity Manager Connector (vIDM Connector) V3.3.4
- VMware Identity Manager Connector (vIDM Connector) V3.3.6
- VMware Identity Manager Connector (vIDM Connector) V19.03.0.1
- VMware vRealize Automation (vRA) V7.6
- VMware Cloud Foundation (vIDM) V4.2.x
- VMware Cloud Foundation (vIDM) V4.3.x
- VMware Cloud Foundation (vIDM) V4.4.x
- vRealize Suite Lifecycle Manager (vIDM) V8.x
- VMware Cloud Foundation (vRA) V3.x
Mitigation
Official upgrade
VMware has released official security patches for the above vulnerabilities. Affected users should install the updates as soon as possible. The patches and documentation for the corresponding product versions are as follows:
FAQ: https://core.vmware.com/vmsa-2022-0021-questions-answers-faq#
Temporary mitigation
For the VMware authentication bypass vulnerability (CVE-2022-31656), refer to the official workaround for temporary mitigation:
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.