VMware has released updates (advisory VMSA-2022-0011) addressing eight vulnerabilities across several of its products. Five of the eight are rated Critical. Some allow a remote attacker to take complete control of the appliance on their own; others require more access but can be chained together to reach the same result. The bugs are in VMware Workspace ONE Access, Identity Manager (vIDM) and vRealize Automation (vRA).
An unprivileged, network-based attacker could exploit CVE-2022-22954, a server-side template injection, to execute code on the appliance remotely (RCE). An unprivileged, network-based attacker could bypass authentication to execute operations (CVE-2022-22955, CVE-2022-22956). An unprivileged, network-based attacker could also leak information useful for further attacks (CVE-2022-22961).
A user with local access could escalate privileges to root (CVE-2022-22960). A user with administrative access could execute code on the appliance (CVE-2022-22957, CVE-2022-22958). A user could be tricked, via cross-site request forgery, into validating a malicious JDBC URI, leading to code execution on the appliance (CVE-2022-22959).
Your vulnerability scanner probably has a detection for it by now.
Affected are VMware customers who have deployed Workspace ONE Access, or any product that bundles VMware Identity Manager (vIDM) components or offers vIDM as an installation option. This includes VMware Cloud Foundation, NSX-T, the VMware vRealize Suite, the VMware Cloud suites, vRealize Automation, vRealize Log Insight, and vRealize Network Insight.
Containment, Mitigations & Remediations
Update the affected appliances immediately. VMware-hosted services have already been updated. VMware has also published a workaround for deployments that cannot be patched straight away; treat it as a stopgap, not a substitute for the update.
Indicators of Compromise
A proof of concept for CVE-2022-22954 was published on GitHub on 11 April 2022. Part of the payload is URL-encoded, but the single example command it ships with reads /etc/passwd from a vulnerable appliance, and the payload is easily modified to read other files or run arbitrary commands on the server. Any request carrying template expressions in its query parameters should be treated as an exploitation attempt, so review the web server access logs of exposed appliances for them.
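To make the log review concrete, the following is an added example (not code from the original page, VMware, or the PoC author) of a small access-log scanner. It URL-decodes each request target repeatedly, so double-encoded payloads are caught, and flags requests whose decoded query contains FreeMarker template-injection markers. The sample log lines are constructed for this example; the `/catalog-portal/ui/oauth/verify` endpoint and `deviceUdid` parameter they use reflect the public PoC and are assumptions here, not details taken from the advisory text. The log format, IP addresses and timestamps are likewise made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/nginx combined format.
# Lines 1 and 4 are exploitation attempts (line 4 is double-encoded); 2 and 3 are benign.
# The endpoint and parameter names are assumptions based on the public PoC.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2022:14:02:11 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20%2Fetc%2Fpasswd%22%29%7D HTTP/1.1" 400 1587 "-" "python-requests/2.27.1"
198.51.100.7 - - [11/Apr/2022:14:05:42 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=f2a1c0de-1234 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Apr/2022:14:07:03 +0000] "GET /SAAS/auth/login?dest=%2Fcatalog-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2022:14:09:55 +0000] "GET /catalog-portal/ui/oauth/verify?deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 1587 "-" "curl/7.81.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def full_decode(value, max_rounds=5):
    """URL-decode until the string stops changing, so %2524 -> %24 -> $ is handled.

    Bounded to max_rounds so a pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ssti_request(target):
    """True if the decoded request target looks like a FreeMarker template injection.

    Requires an interpolation opener plus either the Execute utility class or the
    ?new() built-in, to avoid flagging a lone '${' in otherwise benign input."""
    decoded = full_decode(target)
    return "${" in decoded and ("freemarker" in decoded or "?new(" in decoded)


def scan_log(text):
    """Return one hit per suspicious request: source IP, timestamp, status, decoded target."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        target = match.group("target")
        if is_ssti_request(target):
            hits.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": int(match.group("status")),
                "decoded": full_decode(target),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {hit["decoded"]}')
```

Point `scan_log` at the real access log of an exposed appliance rather than `SAMPLE_LOG`; any hit, whatever the HTTP status, is worth a full incident review of that host, since a successful template injection runs commands as the web application's user.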