Horizon3.ai Reproduces A Critical VMware Vulnerability That Grants Administrative Access
The attack team at Horizon3.ai has successfully reproduced CVE-2022-22972, which affects multiple VMware products. The vulnerability allows malicious actors to gain administrative access to VMware Workspace ONE Access, Identity Manager and vRealize Automation. That Horizon3.ai was able to reproduce it is good news for Horizon3.ai, but bad news for anyone using the affected products: it means threat actors can do the same, and then weaponize it.
Zach Hanley, Chief Attack Engineer, Horizon3.ai:
“Last week VMware released VMware Security Advisory – 0014 which details a critical vulnerability, CVE-2022-22972, which allows a remote attacker to bypass authentication for VMware Workspace ONE, vIDM, and vRA. This vulnerability can lead to attackers gaining administrative rights on the VMware applications and may also lead to root level access on the appliances if chained with CVE-2022-22973.
“Coinciding with VMware’s security advisory, CISA announced an Emergency Directive mandating that all government agencies patch or mitigate affected products by May 23, 2022. This 5-day remediation window was deemed necessary given the critical nature of the applications and rapid weaponization of previous CVEs. Currently, no other proof-of-concepts have been announced and no reports of in-the-wild exploitation have been noted by threat intelligence organizations.
“A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet. Of note, healthcare, the education industry, and state government all seem to make up a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation.
“Organizations should address these issues by immediately following the guidance within the VMware Security Advisory.
“We will likely be releasing the technical details at the end of this week. The technical details will include analyzing the patch to understand how an attacker may have previously abused this code path.
“Given that it took us about a week to develop a PoC, we fully expect motivated attackers to have already developed a PoC and begun exploiting it. We also plan on releasing a minimal PoC at the same time.”
This issue received a fix last Wednesday, as described above. I strongly advise that if you are running the affected VMware products, you patch everything immediately if you haven’t already. The list of affected products is:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
There is also a workaround, detailed in the VMware Security Advisory, for those who can’t patch everything immediately.