Virtualisation and cloud vendor VMware has disclosed eight vulnerabilities in five of its products, and urged users of Workspace ONE Access and all its products that include VMware Identity Manager components to patch immediately.
Three of those vulnerabilities were rated critical on the CVSSv3 scale. Two of them could allow remote code execution, while the third would allow a bad actor to bypass VMware’s user authentication systems to execute unauthorised operations.
One critical vulnerability, CVE-2022-22954, centres on server-side template injection in Workspace ONE Access and Identity Manager as a possible method of achieving remote code execution, and requires only access to the network on which the services are running.
Another remote code execution vulnerability in Workspace ONE Access, Identity Manager and vRealize Automation, reported as both CVE-2022-22957 and CVE-2022-22958, would let a bad actor with administrative access control those systems via a malicious Java Database Connectivity URI.
The user-authentication bypass, tagged as CVE-2022-22955 and CVE-2022-22956, works by exploiting exposed endpoints in the authentication framework in Workspace ONE Access.
Ian McShane, vice president of strategy at cyber security vendor Arctic Wolf, said these vulnerabilities are serious indeed, and underlined the urgency of applying patches to the most critical security holes.
“With any company, change control should be a best practice,” he said. “But [the critical security flaws] require immediate changes, and are the ones that should be pushed out without testing.”
Yaron Tal, the founder and CTO of Reposify, an Israeli start-up specialising in AI-based security threat assessments, said that remote code execution vulnerabilities essentially let threat actors “run rampant” in compromised systems, stealing credentials and sensitive data, and disseminating malware.
“With [remote code execution], unprivileged external code can run remotely on any vulnerable machine in the network,” he said.
“Hackers are left to puppeteer attacks remotely with devastating impact. No strike is out of the question — data can be lost or stolen, communications proxied to a remote location, company data copied to private drives, or corporate reputation damaged with explicit content. All are very real, legitimate possibilities.”
Immediate patching could be difficult for some companies, particularly those with service-level agreements and contractual mandates for a given level of uptime, because they may need to restart or reboot affected systems to apply the patches, according to McShane.
“Everyone’s organisation has different environments and different needs,” he said.
Tal agreed that the patches were of immediate importance, and noted that this is likely to be an inconvenience for VMware’s customers.
“We don’t know the patching mechanism in detail, but what we can say for certain is that access management systems are required to be on 24/7, and patches cannot be applied without turning the system off,” he said. “Patches are typically applied at predetermined times (like Christmas, Thanksgiving) when the workspace environment is quiet to minimise downtime as much as possible.”
VMware credited Steven Seeley of the Qihoo 360 Vulnerability Research Institute with discovering the flaws.