This week, VMware released three security patches for a critical authorization bypass vulnerability in the Workspace ONE Assist solution. The vulnerability could potentially allow remote attackers to bypass authentication and elevate their privileges within the system. The vulnerabilities are tracked as CVE-2022-31685 (authentication bypass), CVE-2022-31686 (broken authentication method), and CVE-2022-31687 (broken authentication control) and have received 9.8/10 CVSSv3 base scores. Barracuda SOC recommends updating affected VMware Workspace ONE Assist products as soon as possible with the latest patch released for the vulnerability.
What is the threat?
A remote privilege escalation vulnerability exists in VMware Workspace ONE Assist. The critical vulnerabilities, CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687, make it possible for a malicious actor with network access to Workspace ONE Assist to obtain administrative access without the need to authenticate to the application.
Why is it noteworthy?
VMware Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff, allowing them to remotely access and troubleshoot devices in real time. Vulnerabilities in a product with these features are dangerous, because the features themselves are perfect for threat actors to launch a successful attack.
VMware has had other remote execution vulnerabilities in the past, such as the last one in May, CVE-2022-22972, which was classified as critical.
What is the exposure or risk?
Successful exploitation allows a malicious actor to execute arbitrary code as an admin user, giving them full control of your network and bypassing any security protocols that have been put in place. This can open the door to a ransomware event or business email compromise, which can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and potential harm to an organization’s reputation.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of a remote code execution attack:
- Update to VMware Workspace ONE Assist 22.10 (89993)
- Keep all applications updated so that new security measures are applied
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.