On August 2nd, 2022, VMware issued an advisory (VMSA-2022-0021) for ten vulnerabilities, ranging from Moderate to Critical severity, which impact multiple products and allow the possible exploitation of authentication bypass, remote code execution (RCE), SQL injection, and root privilege escalation flaws.
One week later, on August 9th, VNG Security researcher Petrus Viet released a proof-of-concept (PoC) demonstrating the successful exploitation of the authentication bypass vulnerability (CVE-2022-31656) via network access to a vulnerable user interface. By bypassing authentication, a threat actor could gain administrative access to sensitive systems and environments and exploit the RCE vulnerability (CVE-2022-31659) using malicious code that is publicly available. VMware recommends organizations immediately patch vulnerable systems.
At the time of this writing, there are no reports of active exploitation of CVE-2022-31656 or CVE-2022-31659 in-the-wild. However, the Cyber Fusion Center (CFC) expects exploitation of these vulnerabilities in the near future. As such, the CFC strongly recommends that organizations leveraging impacted VMware products apply patches or temporary mitigations as soon as possible
Please refer to the following sections for technical analysis, remediation, and mitigation steps regarding CVE-2022-31656 and CVE-2022-31659.
- VMware® Workspace ONE Access
- VMware® Identity Manager
- VMware® vRealize Automation
Prior to CVE-2022-31656 and CVE-2022-31659, a similar authentication bypass vulnerability impacted VMware Workspace ONE Access: CVE-2022-22972 (disclosed in May 2022). This vulnerability, as well as other CVEs detailed in the VMware security advisory, VMSA-2022-0011, was covered in a recent Kudelski Security Advisory, High Severity VMware Vulnerabilities Under Active Exploitation.
The VMware authentication bypass vulnerability, CVE-2022-22972, allows for manipulation of the LoginController, a controller responsible for handling web-logins as well as basic redirects, and the authentication adapter, LocalPasswordAuthAdapter. By imputing an arbitrary host in the Host header. To address the issue, VMware developers implemented a HostHeaderFilter, which is applied to all URL patterns. This new class is designed to block all requests with a host header that does not directly point to the server, such as arbitrary host names.
CVE-2022-31656 is similar to CVE-2022-22972 in that it allows for the manipulation of another Java web filter, UrlRewriteFilter, which is responsible for mapping requests to internal servlets. By leveraging regex found within WEB-INF/urlrewrite.xml file and crafting a specific request to return the RequestDispatcher and servletPath for a given resource, it is possible to access files in the WEB-INF/ directory.
RequestDispatcher.forward allows for passing requests from one servlet to another. Combined with mapping a custom callback request with UrlRewriteFilter, it is possible to bypass the recently implemented HostHeaderFilter to reach the error function LocalPasswordAuthAdapter.login needed for authentication bypass.
Figure 1: The path for authentication bypass (CVE-2022-31656).
Source: The Greynoise Team. (2022)
The following image illustrates how the CVE-2022-31656 Authentication Bypass exploit occurs, as compared to a typical filter chain configuration utilized in Java Web Applications.
Figure 2: CVE-2022-31656 exploitation compared to typical filter chain configuration.
After successful authentication bypass and exploitation of CVE-2022-31656, it is possible for a threat actor to locate the path housing the TenatMigrationResource.migrateTenate function by searching through config files on the compromised system. In the PoC published by Viet, this was done by first locating an API in the form of /SAAS/jersey/manager/api/**.
Calling migrationInfo.getSourceDestiationInfo(), inputs can be entered for a designated target hostname, username, and password.
Figure 3: Custom inputs designating target hostname, username, and password values.
Source: Viet, P. (2022)
Successful authentication and authorization of the source and destination servers allows for a threat actor to perform OS command injection by passing the exec function in the form of an array.
At the time of this writing, there are no reports of active exploitation of CVE-2022-31656 or CVE-2022-31659 in-the-wild. However, it is highly recommended patching affected systems for CVE-2022-31656 and CVE-2022-31659 immediately, as both vulnerabilities represent substantial organizational risk in the form of exploitation pathways for ransomware, data loss/exfiltration, etc.
VMware has released patches for affected products and components. The patches, as well as FAQs and version info can be found on the VMware site:
If emergency patching is not a viable option currently, consider disabling all users except for a single provisioned administrator:
- Login to the Microsoft SQL Server where the Workspace ONE Access database is deployed. You can use SQL Server Management Studio or a similar tool.
- Take a backup of the Workspace ONE Access database.
- Run the provided SQL queries against the Workspace ONE Access database.
- Run View-Active-Admin-users.sql to see all administrators (readonly administrators also included) and run View-Active-Local-users.sql to see all local users who will be disabled. Make sure that View-Active-Admin-users.sql shows at least 1 provisioned (usually from a Directory) administrator.
- Run Disable_All_Local_Users.sql to disable all local users and administrators.
- Run View-Active-Admin-users.sql to see which administrators now remain active. Only provisioned (usually Directory users) userType administrators should show here.
- Login to Workspace ONE Access/VMware Identity Manager appliance using a sshclient as root user. Restart the service using the command “service horizon-workspace restart”. Repeat this process for all appliances in your environment.
- Until the hotfixes are applied, do not create any new local users.
For more information on how, or for instructions reverting the mitigation steps, please visit the VMware knowledge base article: https://kb.vmware.com/s/article/88433
- The Greynoise Team. (2022, August 9). VMware Workspace ONE Vulnerabilities CVE-2022-31656 and CVE-2022-31659. GreyNoise Blog. https://www.greynoise.io/blog/vmware-workspace-one-vulnerabilities-cve-2022-31656-and-cve-2022-31659
- Gatlan, S. (2022, August 9). VMware warns of public exploit for critical auth bypass vulnerability. Bleeping Computer. https://www.bleepingcomputer.com/news/security/vmware-warns-of-public-exploit-for-critical-auth-bypass-vulnerability/
- HW-156875 – Workaround instructions to address CVE-2022-22972 in Workspace ONE Access Appliance (VMware Identity Manager) (88433). (2022, May 19). VMware Customer Connect. https://kb.vmware.com/s/article/88433
- Macey, J. & Shah, S. (2022, May 27). Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass). Assetnote. https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-workspace-one-access/
- Dodge, E. & Holland, T. (2022, May 20). High Severity VMware Vulnerabilities Under Active Exploitation. Kudelski Security. https://research.kudelskisecurity.com/2022/05/20/high-severity-vmware-vulnerabilities-under-active-exploitation%EF%BF%BC/
- Tills, C. (2022, August 2). CVE-2022-31656: VMware Patches Several Vulnerabilities in Multiple Products (VMSA-2022-0021). Tenable Blog. https://www.tenable.com/blog/cve-2022-31656-vmware-patches-several-vulnerabilities-in-multiple-products-vmsa-2022-0021
- Viet, P. (2022, August 9). Dancing on the architecture of VMware Workspace ONE Access (ENG). Medium. https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
- VMSA-2022-0021. (2022, August 2). VMware. https://www.vmware.com/security/advisories/VMSA-2022-0021.html