
Just in Time Bulletin: CVE-2022-22972 VMware Workspace ONE Access Authentication Bypass

Aug 10, 2022

What is CVE-2022-22972? 

CVE-2022-22972 is an authentication bypass vulnerability that affects VMware Workspace ONE Access and the related suite of products. The vulnerability stems from a failure to properly validate the “Host” HTTP request header during local authentication. The “Host” header is user-controlled input, and the server uses it to construct the authentication request that validates the supplied credentials. Because the “Host” value is not sufficiently validated, an attacker can inject an attacker-controlled “Host” header, which causes the VMware server to send its credential-validation request to an attacker-controlled system. If that attacker-controlled server answers the VMware server’s request with a 200 response, the user is treated as authenticated and the server returns a session identifier (the HZN cookie). The authenticated cookie can then be loaded into a browser to resume the authenticated session.

It is highly likely that this vulnerability will be chained with CVE-2022-22973, a local privilege escalation vulnerability that could result in ‘root’ access on the impacted servers.

How bad is this? 

CVE              CVSSv3 Score
CVE-2022-22972   9.8

Active exploitation today: Public exploit released, actively exploited in the wild 

Severity: Critical

  • Authentication bypass 
  • Results in unauthorized admin access
  • Exploited in the wild; low attack complexity

Who is affected by this? 

  • VMware Workspace ONE Access
  • VMware Identity Manager
  • VMware vRealize Automation
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager 

How is it exploited? 

Exploitation requires only a crafted request and an attacker-controlled server that blindly answers every authentication request it receives with a 200 response.
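The flaw described above (under “What is CVE-2022-22972?” and “How is it exploited?”) is a Host-header trust problem: the server builds an outbound credential-validation request from a header the client controls. The example below is added here and is not NopSec’s or VMware’s code; it shows the vulnerable pattern in generic form beside a hardened version that canonicalises the Host value and checks it against an allowlist, and a small log scanner that flags local-authentication requests whose Host header is not one of the appliance’s own names. The hostnames, the log format, the `/auth/` path prefix and the `ALLOWED_HOSTS` set are all constructed assumptions for the example, not VMware’s real endpoints or configuration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Hostnames this appliance is legitimately reachable by. Constructed for the
# example; a real deployment would populate this from its own configuration.
ALLOWED_HOSTS = {"access.example.internal"}

# Strict DNS hostname syntax: labels of letters, digits and hyphens only.
# Anything with a scheme, userinfo, path, space or bracket fails this check.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def normalize_host(host_header: str) -> Optional[str]:
    """Canonicalise a Host header value for comparison against the allowlist.

    Lowercases, drops a trailing dot and the default HTTPS port, and returns
    None for anything that is not a plain hostname on the default port.
    """
    value = host_header.strip().lower()
    host, sep, port = value.rpartition(":")
    if sep:
        if port != "443":          # non-default port: not one of ours, reject
            return None
        value = host
    value = value.rstrip(".")
    return value if _HOSTNAME_RE.match(value) else None


def build_auth_url_vulnerable(host_header: str, path: str) -> str:
    """Vulnerable pattern: the client-supplied Host header is used verbatim as the
    destination of the server-side credential-validation request, so whoever
    controls the header controls where that request goes."""
    return f"https://{host_header}{path}"


def build_auth_url_hardened(host_header: str, path: str) -> str:
    """Hardened pattern: only a canonicalised Host value that is on the
    allowlist may be used to build the outbound request."""
    host = normalize_host(host_header)
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {host_header!r}")
    return f"https://{host}{path}"


# Constructed log format for the detection example (not a VMware log format).
_LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) host="(?P<host>[^"]*)" '
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def find_suspicious_auth_requests(
    lines: Iterable[str], auth_path_prefix: str = "/auth/"
) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source, host) for requests to the local-auth endpoint
    whose Host header does not canonicalise to one of the appliance's names."""
    findings = []
    for line in lines:
        m = _LOG_LINE_RE.match(line)
        if not m or not m["path"].startswith(auth_path_prefix):
            continue
        if normalize_host(m["host"]) not in ALLOWED_HOSTS:
            findings.append((m["ts"], m["src"], m["host"]))
    return findings


# Constructed sample log lines; the hosts and addresses are documentation ranges.
SAMPLE_LOG = [
    '2022-08-10T14:02:11Z src=198.51.100.7 host="access.example.internal" path=/auth/validate status=200',
    '2022-08-10T14:02:13Z src=203.0.113.9 host="attacker.example" path=/auth/validate status=200',
    '2022-08-10T14:02:14Z src=203.0.113.9 host="Access.Example.Internal:443" path=/auth/validate status=200',
    '2022-08-10T14:02:20Z src=198.51.100.8 host="attacker.example" path=/catalog status=200',
    '2022-08-10T14:02:31Z src=203.0.113.9 host="203.0.113.9:8443" path=/auth/validate status=200',
]

if __name__ == "__main__":
    for finding in find_suspicious_auth_requests(SAMPLE_LOG):
        print("unexpected Host on auth request:", finding)
```

The allowlist comparison is done after canonicalisation so that case differences, a trailing dot or an explicit `:443` do not produce false positives, while a non-default port or any non-hostname syntax is rejected outright rather than partially matched. Applied to real proxy or appliance logs, the same check is a cheap way to surface the crafted requests the bulletin describes.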

Am I at risk?

VMware Product                    Affected Versions                              Patch
Workspace ONE Access              21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0     https://kb.vmware.com/s/article/88438
Identity Manager                  3.3.6, 3.3.5, 3.3.4, 3.3.3                     https://kb.vmware.com/s/article/88438
vRealize Automation               7.6                                            https://kb.vmware.com/s/article/88438
Cloud Foundation                  4.4, 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x             https://kb.vmware.com/s/article/88438
vRealize Suite Lifecycle Manager  8.x                                            https://kb.vmware.com/s/article/88438

How do I protect myself? 

VMware has released a patch for CVE-2022-22972, detailed in KB88438.

Mitigating factors? 

VMware has documented a workaround in knowledge base article KB88433 (linked below), which disables local authentication for all accounts. For detailed instructions, refer to the knowledge base article.

Additional Resources: