Skip links

VMware patches critical ‘make me admin’ auth bypass bug, plus nine other flaws

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here’s the bottom line of the ‘31656 bug, according to VMware: “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can’t be applied.

While the virtualization giant isn’t aware of any in-the-wild exploits (so far at least) of the newer vulnerability, “it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware warned in an advisory. “If your organization uses ITIL methodologies for change management, this would be considered an ’emergency’ change.” 

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he’ll soon release a proof-of-concept exploit for the bug. So to be perfectly clear: stop what you are doing and immediately assess and if necessary patch this flaw before miscreants find and exploit it, which they are wont to do with VMware vulns.

Tenable’s Claire Tills, a senior research engineer with the firm’s security response team, noted that CVE-2022-31656 is especially worrisome in that a miscreant could use it to exploit other bugs that VMware disclosed in this week’s security push.

“It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release,” she wrote.

She’s referring to two remote code execution (RCE) flaws, CVE-2022-31658 and CVE-2022-31659, also discovered by Petrus Viet that would allow an attacker with admin-level network access to remotely deploy malicious code on a victim’s machine. Thus someone could use the ‘31656 to login with administrative powers, and then exploit the other bugs to pwn a device.

Both of these, ‘31658 and ‘31659, are dubbed “important” by VMware and ranked with a CVSS score of 8.0. And similar to the critical vuln that can be used in tandem with these two RCE, both affect VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

In other patching news, the rsync project released updates to fix a vulnerability, tracked as CVE-2022-29154, that could allow miscreants to write arbitrary files inside directories of connecting peers.

Rsync is a tool for transferring and syncing files between remote and local machines, and exploiting this vulnerability could allow “a malicious rysnc server (or Man-in-The-Middle attacker) [to] overwrite arbitrary files in the rsync client target directory and subdirectories,” according to researchers Ege Balci and Taha Hamad, who discovered the bug.

That means a malicious server or MITM could overwrite, say, a victim’s ssh/authorized_keys file.

While these three VMware vulns deserve top patching priority, there are some other nasty bugs in the bunch. This includes three local privilege-escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661 and CVE-2022-31664) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

All three received CVSS scores of 7.8 and successful exploits would allow criminals with local access to escalate privileges to root — and from there, pretty much do whatever they want, such as steal information, install a backdoor, inject a trojan, or shut down the system entirely.

Rapid7 security researcher Spencer McIntyre reported two of these two flaws (CVE-2022-31660 and CVE-2022-31661) to VMware, while Steven Seeley of Qihoo 360 Vulnerability Research Institute found CVE-2022-31664.

Additionally, VMware disclosed another RCE vuln in VMware Workspace ONE Access, Identity Manager and vRealize Automation. This one, tracked as CVE-2022-31665, received a CVSS score of 7.6 and it requires admin access to trigger remote code execution. ®