Proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges.
A week ago, VMware released updates to address the vulnerability (CVE-2022-31656) affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation.
Multiple other flaws were patched the same day, including a high-severity SQL injection flaw (CVE-2022-31659) that allows remote attackers to gain remote code execution.
Today, VMware “confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available” in an update to the original advisory.
VNG Security researcher Petrus Viet, who discovered and reported the flaw, released a proof-of-concept (PoC) exploit and a detailed technical analysis of the bug today.
He announced last week that a CVE-2022-22972 PoC would be made available this week.
Not yet exploited in the wild
“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” Bob Plankers, Cloud Infrastructure Security & Compliance Architect at VMware, warned last week.
“If your organization uses ITIL methodologies for change management, this would be considered an ‘emergency’ change.”
Luckily, VMware says in a separate advisory that there is no evidence that these severe security bugs are being exploited in attacks.
The company provides download links for patches and detailed installation instructions on its knowledgebase website.
It also shared a temporary workaround for those who couldn’t patch vulnerable appliances immediately, requiring them to disable all users except one provisioned administrator.
As VMware servers are an attractive target, all vulnerable devices should be updated immediately or taken offline to avoid compromise, since threat actors will likely soon develop their own exploits to use in attacks.
Failing to do so will ultimately lead to network breaches and more significant attacks, including ransomware deployment and data theft.
In May, VMware patched an almost identical critical bug, another authentication bypass weakness (CVE-2022-22972) found by Bruno López of Innotec Security and used by Viet as inspiration while researching the CVE-2022-31656 vulnerability.