VMware customers were notified today that a major authentication bypass vulnerability “affecting local domain users” in several products could be exploited to gain administrative privileges. Bruno López of Innotec Security discovered the vulnerability (CVE-2022-22972) and reported that it affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.
“A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” the company explains. “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014,” VMware warned on Wednesday. “The ramifications of this vulnerability are serious. Given the severity of the vulnerability, we strongly recommend immediate action.”
The company also fixed a second, high-severity local privilege escalation vulnerability (CVE-2022-22973), which allowed attackers to elevate privileges to ‘root’ on unpatched systems. The following VMware products are affected by these security flaws:
- vRealize Suite Lifecycle Manager
- VMware Workspace ONE Access (Access)
- VMware vRealize Automation (vRA)
- VMware Identity Manager (vIDM)
- VMware Cloud Foundation
While most VMware security advisories contain a warning about active exploitation, VMware did not include such information in the latest VMSA-2022-0014 alert. VMware’s knowledgebase website offers links to patch downloads and installation instructions. VMware also provides interim fixes for administrators who cannot patch their devices right away.
The workaround requires administrators to deactivate all users except one provisioned administrator and then connect via SSH to restart the horizon-workspace service. However, VMware does not encourage using it, stating that patching the affected products is the only way to resolve CVE-2022-22972 completely.
According to VMware, the patches supplied in VMSA-2021-0014 are the sole option to eliminate the vulnerabilities from your environment. While workarounds are easy, they do not address the vulnerabilities and may bring extra difficulties that patching would not. While you have the option of patching or using a workaround, VMware always advises patching as the easiest and most reliable approach to handle this sort of issue.
VMware has also published a support document with questions and answers about the newly fixed vulnerability. In April, VMware corrected another severe vulnerability, a remote code execution flaw (CVE-2022-22954), in VMware Workspace ONE Access and VMware Identity Manager. Within a week of a proof-of-concept exploit being published online, attackers began using it to deploy coinminers and implant backdoors.