
VMware Fixes Three Critical Authentication Bypass Bugs in Workspace ONE Assist

On November 8, 2022, VMware released Workspace ONE Assist 22.10 to patch three critical vulnerabilities that enabled remote actors to bypass authentication and elevate privileges to administrator. The flaws are tracked under the following CVEs:

  • CVE-2022-31685 (authentication bypass)
  • CVE-2022-31686 (broken authentication method)
  • CVE-2022-31687 (broken authentication control)

In addition to these three vulnerabilities, VMware patched a reflected XSS vulnerability (CVE-2022-31688) and a session fixation vulnerability (CVE-2022-31689). The former would allow attackers to inject JavaScript code in the target user’s window, and the latter allows authentication after obtaining a valid session token.

VMware Workspace ONE Assist is an application that allows remote control, screen sharing, file system management, and remote command execution. The vulnerabilities were all found and reported by researchers at REQON IT-Security. They follow similar vulnerabilities that were reported in multiple VMware products in August and May.

Analyst Notes

So far this year, VMware has patched critical authentication bypass vulnerabilities approximately every three months. This article highlights the importance of keeping systems up to date in an enterprise environment. Failing to apply updates promptly can leave software outdated, which could allow an actor to gain administrator privileges and execute remote code. It is recommended to monitor for suspicious commands or downloads following the execution of Workspace ONE Assist.

Additionally, while VMware doesn’t have a bug bounty program, these recurring vulnerabilities highlight the importance of external security researchers for a large organization. Even at a company as large as VMware, which likely has employees focused on DevSecOps and application security, there could still be vulnerabilities that get past internal testing. External security researchers are an extra layer of security, often finding many vulnerabilities and reporting them to organizations before they can be exploited by malicious actors.