VMware Workspace ONE Access, Identity Manager, and vRealize Automation have received security upgrades to address the CVE-2022-22972 an authentication bypass vulnerability.
Customers have been notified that a major authentication bypass vulnerability affecting local domain users in numerous VMware products must be patched right away. Without having to authenticate, a malicious actor with network access to the UI (User Interface) may be able to gain administrative access.
How it works
Attackers are expected to swiftly construct a proof-of-concept (PoC – the goal is to see if an idea can be transformed into a reality.) exploit for CVE-2022-22972 and begin scouring the internet for susceptible instances
The CVE-2022-22972 vulnerability is a straightforward Host header alteration vulnerability. The POC performs requests to the vCloud Automation Center (vCAC) endpoint in the same manner as a browser would, then parses the login page to extract these hidden values. The body of the final POST is then encoded with these hidden fields, with the Host header set to the login server. After that, the POC parses the response for authentication cookies. These cookies can be used to carry out operations in the name of the selected user. Bypassing authentication is possible using this script.
It is recommended that users should immediately update to the latest versions of VMware products (patched versions).
The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.
CVE-2022-22972: VMware Patches Additional Workspace ONE Access Vulnerabilities (VMSA-2022-0014). (2022, 26 May). Retrieved from Tenable. https://www.tenable.com/blog/cve-2022-22972-vmware-patches-additional-workspace-one-access-vulnerabilities-vmsa-2022-0014
Gatlan, S. (2022, 26 May). Exploit released for critical VMware auth bypass bug, patch now. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-auth-bypass-bug-patch-now/
Paganini, P. (2022, 27 May). Experts released PoC exploit code for VMware CVE-2022-22972 flaw. Retrieved from Security Affairs. https://securityaffairs.co/wordpress/131698/hacking/poc-exploit-code-vmware-cve-2022-22972.html
Plankers, B. VMSA-2022-0014: Questions & Answers | VMware. Retrieved from The Cloud Platform Tech Zone. https://core.vmware.com/vmsa-2022-0014-questions-answers-faq#section1