www.belgium.be Logo of the federal government

Warning – VMware products vulnerable to authentication bypass

Reference: 
Advisory #2022-015
Version: 
1.0
Affected software: 
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
Type: 
Authentication Bypass (CVE-2022-22972) & Privilege escalation (CVE-2022-22973)
CVE/CVSS: 

CVE-2022-22972 (CVSSv3: 9.8/10)
CVE-2022-22973
 (CVSSv3: 7.8/10)

Sources

VMware: https://www.vmware.com/security/advisories/VMSA-2022-0014.html

Risks

A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. This can lead to a full compromise of the affected systems. (CVE-2022-22972)

A malicious actor with local access can escalate privileges to gain administrator privileges. (CVE-2022-22973)

Description

On the 19th of May, VMware published an advisory for two vulnerabilities. Multiple VMware products are vulnerable to an authentication bypass. This allows an actor to gain administrator level access to the systems. The second vulnerability allows an authenticated user to escalate their privileges to gain administrator level access.

No details are given on the exploits themselves. We know that both vulnerabilities have a low attack complexity. We expect threat actors to start abusing these vulnerabilities soon. Last month’s critical vulnerabilities (VMSA-2022-0011 advisory) were reverse engineered and exploited within 48 hours after the patch was released according to CISA.

Recommended Actions

The Centre for Cyber Security Belgium recommends administrators of VMware systems to check if their devices are affected according to the respective security advisories. If an update is available, we urge administrators to prioritize patching these devices as soon as possible.

References

Source name

Source link

The Record

https://therecord.media/cisa-issues-directive-for-exploited-vmware-bug-after-ir-team-deployed-to-large-org/

CISA

https://www.cisa.gov/emergency-directive-22-03

VMware

https://www.vmware.com/security/advisories/VMSA-2022-0011.html