Critical authentication bypass flaw in multiple VMware products

VMware urges customers to immediately patch a critical authentication bypass flaw affecting multiple products.

Two vulnerabilities allow attackers with backdoor access to gain admin privileges on multiple VMware products, and that’s not a good thing.

Bruno Lopez of Innotec Security was the first to spot CVE-2022-22972, one of the two vulnerabilities. The flaw impacts Workspace ONE Access, VMware Identity Manager (vIDM) and vRealize Automation (vRA).

The company said that “a malicious hacker with network access to the UI may be able to obtain administrative access without the need to authenticate.”

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014”, VMware warned. A full list of affected VMware products can be found below:

  • VMware Workspace One Access
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

VMware typically notes in its advisories whether a flaw is being actively exploited. This time the company said nothing on that point.

VMware announces a workaround

For those who cannot patch immediately, VMware has provided a workaround that can be applied without installing the patch. The workaround requires admins to log in via SSH, disable every user account except one, and restart the Horizon workspace services.

However, VMware does not fully support this workaround and consistently recommends that users of affected products install the provided patch to eliminate the root cause.

In April, VMware published a similar security patch that addressed another vulnerability, a remote code execution flaw (CVE-2022-22954) in VMware Workspace and vIDM.

Attackers reverse-engineered the patch and started exploiting outdated versions within 48 hours of the release. Let’s hope this patch works differently from its predecessor.
