Major authentication bypass vulnerability found in numerous VMware products (30th May 2022)

Ref# AL2022_33 | Date: May 30th 2022

Description  

VMware Workspace ONE Access, Identity Manager, and vRealize Automation have received security upgrades to address CVE-2022-22972, an authentication bypass vulnerability.

Summary  

Customers have been notified that a major authentication bypass vulnerability affecting local domain users in numerous VMware products must be patched right away. Without having to authenticate, a malicious actor with network access to the UI (User Interface) may be able to gain administrative access. 

How it works    

Attackers are expected to swiftly construct a proof-of-concept (PoC, a demonstration that an idea can be turned into reality) exploit for CVE-2022-22972 and begin scouring the internet for susceptible instances.

The CVE-2022-22972 vulnerability is a straightforward Host header manipulation vulnerability. The PoC sends requests to the vCloud Automation Center (vCAC) endpoint in the same manner as a browser would, then parses the login page to extract the hidden values it contains. The body of the final POST is then encoded with these hidden fields, with the Host header set to the login server. After that, the PoC parses the response for authentication cookies. These cookies can be used to carry out operations in the name of the selected user. Bypassing authentication is possible using this script.
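
A defender-side check for the Host header manipulation described above, as an added example that is not part of the original advisory: it scans reverse-proxy access-log lines for POST requests whose Host header is not one of the appliance's expected hostnames. The log format, the `/login` path, the hostnames and the function names are constructed assumptions, not VMware values.

```python
import re

# Assumption: hostnames that legitimately front the appliance (placeholder value).
EXPECTED_HOSTS = {"access.example.internal"}

# Constructed log format: client_ip "METHOD path" status host="<Host header>"
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)"$'
)

def normalize_host(value):
    """Lower-case a Host header value and drop the port and any trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal
        return host[1:].split("]", 1)[0]
    return host.partition(":")[0].rstrip(".")

def find_host_mismatches(lines, expected=EXPECTED_HOSTS):
    """Return (line_no, kind, detail) for every POST with an unexpected Host."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        m = LINE_RE.match(line)
        if m is None:
            # Do not fail open: a line the parser cannot read is itself reported.
            findings.append((line_no, "unparsed", line))
            continue
        if m["method"] != "POST":
            continue
        host = normalize_host(m["host"])
        if host not in expected:
            detail = f'{m["client"]} {m["path"]} host={host or "<empty>"} status={m["status"]}'
            findings.append((line_no, "host-mismatch", detail))
    return findings

# Constructed sample lines (documentation address ranges, placeholder path).
SAMPLE_LOG = [
    '10.0.0.5 "GET /login" 200 host="access.example.internal"',
    '10.0.0.5 "POST /login" 302 host="access.example.internal:443"',
    '203.0.113.7 "POST /login" 302 host="unrelated.example.net"',
    '203.0.113.7 "POST /login" 302 host="ACCESS.example.internal."',
    '198.51.100.9 "POST /login" 200 host=""',
    'truncated or malformed entry',
]

if __name__ == "__main__":
    for finding in find_host_mismatches(SAMPLE_LOG):
        print(finding)
```

The same allowlist can be enforced at the reverse proxy in front of the appliance, so requests carrying an unexpected Host header are rejected rather than only logged.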

Recommendations      

Users should immediately update to the latest (patched) versions of the affected VMware products.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
