Threat Response – Multiple Critical Vulnerabilities in VMware

03-08-2022

A SAFE DIGITAL JOURNEY

On Tuesday, August 2, 2022 a patch was released for multiple vulnerabilities in VMware products[1]. In total there are nine vulnerabilities, of which one is considered to be ‘critical’. The vulnerabilities can be used to bypass the authentication, execute code or escalate the privileges. We recommend installing the patches that VMware released as soon as possible to remediate these vulnerabilities.

In this threat response we explain the vulnerability, the potential impact and what action you should take to prevent exploitation.

Description

On Augusts 2, VMware released security patches, for a total of nine vulnerabilities. Of these vulnerabilities one is considered critical and five are considered high. The vulnerabilities allow an attack with network access to execute code or bypass the authentication. Because of this, we recommend to verify if the mentioned VMware products are used within your organisation. If this is the case, we advise to apply the released patches as soon as possible.

The following products and versions are affected by this vulnerability:

  • VMware Workspace ONE Access (Access) 21.0.8.x
  • VMware Workspace ONE Access Connector (Access Connector)
  • VMware Identity Manager (vIDM) 3.3.x
  • VMware Identity Manager Connector (vIDM Connector) 3.3.6, 3.3.5, 3.3.4, 19.03.0.1
  • VMware vRealize Automation (vRA) 7.6
  • VMware Cloud Foundation 3.x, 4.4.x, 4.3.x, 4.2.x
  • vRealize Suite Lifecycle Manager 8.x

It is unclear which versions of the Access Connector are affected by this vulnerability. A complete overview of all advisories that were published is available on the ‘VMware advisories’ information page[2].

Impact

An attacker who is able to successfully exploit the vulnerability is able to bypass the authentication mechanism of the particular VMware product. This results in the attacker obtaining administrator rights, for that reason Northwave classifies the impact on successful exploitation as high.

Risk

At the time of writing, there is no exploit code publicly available. For now, we classify the risk as medium. We do expect the first exploits to become available on short notice. Since these VMware products are regularly connected to the internet, Northwave classifies the risk of exploitation as high once an exploit is published.

Mitigation

VMware has released patches for the affected components that remediate the vulnerabilities. For the critical vulnerability a workaround is available, if patching is not an option. Additionally, VMware published an advisory that describes the mitigating measures in more detail[2].

What should you do?

Verify whether one or more of the mentioned VMware products are used within your organisation. Install the published patches for the applicable products as soon as possible.

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://blogs.vmware.com/security/2022/08/vmsa-2022-0021-what-you-need-to-know.html

[2]: https://www.vmware.com/security/advisories/VMSA-2022-0021.html

 

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.