Malicious code exploiting recent VMware bug publicly available, company warns
VMware updated an advisory on Tuesday warning that malicious code exploiting CVE-2022-31656 and CVE-2022-31659 is now publicly available.
The Cybersecurity and Infrastructure Security Agency published its own warning last week about the issues — which affect VMware’s Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation.
One of the security researchers who discovered the issue, Petrus Viet, said he would publish the exploit code this week and did in a Medium post on Tuesday.
In a release from VMware, the company said the vulnerabilities had CVSS scores ranging from 4.7 to 9.8 — a CVSS score of 10 is used for the most critical vulnerabilities.
VMware updated the advisory on Tuesday to note that the exploit code is now public. In a statement to The Record, VMware urged its customers to apply the patches for the critical severity Authentication Bypass vulnerability and other less-severe vulnerabilities.
Claire Tills, senior research engineer at Tenable, said now that there is a publicly available proof-of-concept code, exploitation of this vulnerability becomes much more likely.
“Attackers prefer to leverage these sorts of public exploits just for the simplicity and ease of adoption, particularly with vulnerabilities that can be chained to achieve full system compromise,” Tills said.
She added that Viet’s technical breakdown shows how similar CVE-2022-31656 is to CVE-2022-22972, another VMware vulnerability the company patched in May.
“The new PoC just skips over the filter put in place to address CVE-2022-22972,” Tills added.
In May, CISA noted that they expected hackers to “quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973” in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Threat actors were chaining multiple VMware vulnerabilities together during attacks, according to third party reports sent to CISA.