Malicious code exploiting recent VMware bug publicly available, company warns
VMware updated an advisory on Tuesday warning that malicious code exploiting CVE-2022-31656 and CVE-2022-31659 is now publicly available.
The Cybersecurity and Infrastructure Security Agency published its own warning last week about the issues — which affect VMware’s Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation.
One of the security researchers who discovered the issue, Petrus Viet, said he would publish the exploit code this week and did so in a Medium post on Tuesday.
This is a detailed technical analysis of two vulnerabilities CVE-2022-31656 and CVE-2022-31659 affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. I hope it helps you and sorry for my bad english. [ENG] https://t.co/lOXEUvEyPV
— Petrus Viet (@VietPetrus) August 9, 2022
In a release from VMware, the company said the vulnerabilities had CVSS scores ranging from 4.7 to 9.8 — a CVSS score of 10 is used for the most critical vulnerabilities.
VMware updated the advisory on Tuesday to note that the exploit code is now public. In a statement to The Record, VMware urged its customers to apply the patches for the critical severity Authentication Bypass vulnerability and other less-severe vulnerabilities.
Claire Tills, senior research engineer at Tenable, said that now that proof-of-concept code is publicly available, exploitation of this vulnerability becomes much more likely.
“Attackers prefer to leverage these sorts of public exploits just for the simplicity and ease of adoption, particularly with vulnerabilities that can be chained to achieve full system compromise,” Tills said.
She added that Viet’s technical breakdown shows how similar CVE-2022-31656 is to CVE-2022-22972, another VMware vulnerability the company patched in May.
“The new PoC just skips over the filter put in place to address CVE-2022-22972,” Tills added.
In May, CISA noted that they expected hackers to “quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973” in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Threat actors were chaining multiple VMware vulnerabilities together during attacks, according to third-party reports sent to CISA.
We issued Emergency Directive 22-03 in response to observed or expected active exploitation of a series of vulnerabilities in specific VMware products. Federal civilian agencies need to take specific actions to protect their networks today: https://t.co/wyHkKez91U
— Cybersecurity and Infrastructure Security Agency (@CISAgov) May 18, 2022
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.