What is CVE-2022-22972?
CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access and the related products listed below. The root cause is a failure to properly validate the HTTP "Host" request header during local authentication. The "Host" header is user-controlled input, and the server uses it to build the URL of the request it sends to validate the submitted credentials. Because that value is not sufficiently validated, an attacker can supply a "Host" header that points at a system they control, which causes the VMware server to send the credential-validation request to the attacker's system instead. If the attacker-controlled server answers that request with a 200 response, the VMware server treats the credentials as valid and issues a session cookie (HZN) for the requested user. That cookie can then be loaded into a browser to resume the authenticated session.
It is highly likely that this vulnerability will be chained with CVE-2022-22973, a local privilege escalation vulnerability in the same products that could give an attacker 'root' access on the affected server.
How bad is this?
CVE | CVSSv3 Score |
CVE-2022-22972 | 9.8 |
Active exploitation today: Public exploit released, actively exploited in the wild
Severity: Critical
- Authentication bypass
- Results in unauthorized admin access
- Exploited in the wild; low attack complexity
Who is affected by this?
- VMware Workspace ONE Access
- VMware Identity Manager
- VMware vRealize Automation
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
How is it exploited?
Exploitation requires only a crafted login request carrying an attacker-controlled "Host" header and an attacker-controlled HTTP server that blindly answers every request it receives with a 200 response. Because the VMware server accepts that 200 as proof that the credentials are valid, the password supplied in the request is never genuinely checked.
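As an added illustration (example code written for this page, not VMware's code and not a published exploit), the following Python models the flawed pattern described above: the appliance derives its credential-validation URL from the client-supplied Host header, so an attacker server that answers 200 to everything mints a session without a correct password. Beside it is the hardened form, which checks Host against a configured allowlist and sends the validation request only to a server-side constant. The hostnames, the `/auth/validate` path, the session-cookie format, the sample credentials and the in-memory "network" are all assumptions; the product's real endpoint and request body are intentionally not reproduced.

```python
import secrets
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumed canonical hostname of the appliance. In a real fix this comes from
# server-side configuration, never from the incoming request.
TRUSTED_HOSTS = {"access.corp.example"}

# transport(url, form) -> HTTP status code. Injected so the example runs offline.
Transport = Callable[[str, Dict[str, str]], int]


def build_validation_url(host: str) -> str:
    # Hypothetical callback path; the product's real endpoint is not reproduced.
    return f"https://{host}/auth/validate"


def login_vulnerable(headers: Dict[str, str], username: str, password: str,
                     transport: Transport) -> Optional[str]:
    """Flawed pattern: the client-supplied Host header decides where the
    credentials are sent. Whoever answers 200 gets the caller a session."""
    url = build_validation_url(headers.get("Host", ""))
    if transport(url, {"username": username, "password": password}) == 200:
        return "HZN=" + secrets.token_hex(16)  # assumed cookie format
    return None


def login_hardened(headers: Dict[str, str], username: str, password: str,
                   transport: Transport) -> Optional[str]:
    """Fixed pattern: Host is checked against an allowlist (port stripped) and
    the validation target is a server-side constant, so no request ever
    leaves for an attacker-chosen host."""
    host = (urlsplit("//" + headers.get("Host", "")).hostname or "").lower()
    if host not in TRUSTED_HOSTS:
        return None  # reject outright; do not contact the supplied host
    url = build_validation_url(sorted(TRUSTED_HOSTS)[0])
    if transport(url, {"username": username, "password": password}) == 200:
        return "HZN=" + secrets.token_hex(16)
    return None


def fake_network(responders: Dict[str, Callable[[Dict[str, str]], int]],
                 contacted: list) -> Transport:
    """Stand-in for the outbound HTTP client: routes by hostname and records
    every host the 'appliance' actually talks to."""
    def transport(url: str, form: Dict[str, str]) -> int:
        host = urlsplit(url).hostname
        contacted.append(host)
        if host not in responders:
            raise ConnectionError(f"no route to host {host!r}")
        return responders[host](form)
    return transport


def run_demo() -> dict:
    """Constructed scenario: a real validator that checks the password, and an
    attacker server that answers 200 to everything, as the advisory describes."""
    real_users = {"admin": "correct-horse-battery"}  # constructed sample account

    def real_validator(form: Dict[str, str]) -> int:
        return 200 if real_users.get(form["username"]) == form["password"] else 401

    contacted: list = []
    transport = fake_network(
        {"access.corp.example": real_validator,
         "attacker.example": lambda form: 200},  # blindly accepts everything
        contacted)

    evil = {"Host": "attacker.example"}
    good = {"Host": "access.corp.example:443"}
    return {
        "vuln_bypass": login_vulnerable(evil, "admin", "wrong", transport),
        "vuln_legit_wrong_pw": login_vulnerable(good, "admin", "wrong", transport),
        "hard_attacker_host": login_hardened(evil, "admin", "wrong", transport),
        "hard_legit_right_pw": login_hardened(good, "admin", "correct-horse-battery", transport),
        "contacted": list(contacted),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In the vulnerable path the appliance contacts `attacker.example` and hands out an HZN cookie for a wrong password; in the hardened path the attacker-supplied Host is rejected before any outbound request is made, and only the configured validator is ever contacted.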
Am I at risk?
VMware Product | Affected Versions | Patch |
Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | https://kb.vmware.com/s/article/88438 |
Identity Manager | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | https://kb.vmware.com/s/article/88438 |
vRealize Automation | 7.6 | https://kb.vmware.com/s/article/88438 |
Cloud Foundation | 4.4, 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x | https://kb.vmware.com/s/article/88438 |
vRealize Suite Lifecycle Manager | 8.x | https://kb.vmware.com/s/article/88438 |
How do I protect myself?
VMware has released patches that address CVE-2022-22972, detailed in knowledge base article KB88438 (https://kb.vmware.com/s/article/88438). Because a successful bypass yields a valid session cookie, also review the affected systems for sessions or administrative changes made before the patch was applied.
Mitigating factors?
VMware documented a workaround in knowledge base article KB88433, which ultimately disables local authentication for all accounts. This removes the vulnerable authentication path, but it also prevents local users, including administrators, from logging in through it, so it is a stopgap until the patch is applied. For detailed instructions please refer to the knowledge base article.