CVE-2022-31656 – Critical VMware Vulnerability

THE THREAT

On August 2^nd, 2022, VMware disclosed a new critical vulnerability impacting multiple VMware products. The vulnerability, tracked as CVE-2022-31656 (CVSS: 9.8) is an authentication bypass vulnerability. A threat actor with previous network access may exploit CVE-2022-31656 in order to obtain administrative access without the need to authenticate. The vulnerability impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

Exploitation of the CVE-2022-31656 has not been identified at this time. Proof-of-Concept (PoC) exploit code is expected to be released in the near future. The eSentire Threat Intelligence team asses with high confidence that the release of PoC code will result in real- world attacks.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) will add plugins for this vulnerability when they become available
• eSentire security teams are tracking this vulnerability for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches released by VMware
• If patching is not immediately possible, VMware has released alternative mitigations that should be applied until security patches are deployed

Additional information

CVE-2022-31656 is believed to be a patch bypass or variant of a previous easily exploitable authentication bypass vulnerability tracked as CVE-2022-22972. The researcher that discovered and reported CVE-2022-31656 to VMware has publicly stated that functional PoC exploit code and a technical write up on the vulnerability will be released soon. The availability of both PoC code and technical details significantly increases the likelihood of exploitation by threat actors in the wild.

In total, VMware addressed ten separate vulnerabilities in this disclosure. Other vulnerability types from the release include Remote Code Execution (RCE), Privilege Escalation, URL Injection, Path Traversal, and Cross-Site Scripting. CVE-2022-31656 is the most critical vulnerability from the release, but all vulnerabilities should be patched as soon as possible.

Impacted VMware Products:

• Access - versions 21.08.0.0 and 21.08.0.1
• vIDM - versions 3.3.4, 3.3.5 and 3.3.6
• vRealize Automation (vIDM) - version 7.6
• VMware Cloud Foundation (vIDM) - versions 4.3.x, 4.2.x and 4.4.x
• vRealize Suite Lifecycle Manager (vIDM) - version 8.x
• VMware Cloud Foundation (vRA) - version 3.x

References:

[1] https://www.vmware.com/security/advisories/VMSA-2022-0021.html
[2] https://kb.vmware.com/s/article/89084
[3] https://twitter.com/VietPetrus/status/1554485970514608128
[4] https://www.vmware.com/security/advisories/VMSA-2022-0014.html