
Overview

VMware has released updates to address multiple vulnerabilities in several of its products. Five of the eight are rated Critical. Some allow a remote attacker to take complete control of the device; others require more access but can be chained together to achieve takeover. The bugs are in VMware Workspace ONE Access, Identity Manager (vIDM) and vRealize Automation (vRA).

Impact

An unprivileged, network-based attacker could exploit CVE-2022-22954 to execute code on the device remotely (RCE). An unprivileged, network-based attacker could bypass the authentication mechanism to execute operations (CVE-2022-22955, CVE-2022-22956). An unprivileged, network-based attacker could leak information to help with further attacks (CVE-2022-22961).

A user with local access could escalate privileges to root (CVE-2022-22960). A user with administrative access could execute code on the device (CVE-2022-22957, CVE-2022-22958). A user could be tricked into validating a malicious JDBC URI leading to code execution on the device (CVE-2022-22959).

Vulnerability Detection

Your vulnerability scanner probably has a detection for it by now.

Affected Products

VMware customers who have deployed Workspace ONE Access, or any product that includes VMware Identity Manager (vIDM) components either by default or as an installation option, are affected. This includes VMware Cloud Foundation, NSX-T, the VMware vRealize Suite, the VMware Cloud suites, vRealize Automation, vRealize Log Insight, and vRealize Network Insight.

Containment, Mitigations & Remediations

Update the device immediately. VMware hosted services have been updated already.

Indicators of Compromise

None listed.

Threat Landscape

A proof of concept for CVE-2022-22954 was released on GitHub on 11th April 2022. A portion of the payload is encoded; however, the single command provided as an example does return the /etc/passwd file from a vulnerable device. This payload can easily be modified to return other data or execute commands on the server.

Mitre Methodologies

T1190 – Exploit Public-Facing Application
T1068 – Exploitation for Privilege Escalation

Further Information

VMSA-2022-0011
VMSA-2022-0011: Questions & Answers