CVE-2022-31656
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Researcher Petrus Viet submitted his technical analysis explaining an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate for VMware Workspace ONE Access, Identity Manager and vRealize Automation.
Please see this reference for the details: https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
A quick summary of his write-up can be found here.
Basically this vulnerability is related to another authentication bypass (CVE-2022-22972) that was discovered in May 2022 (see reference https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-workspace-one-access/) and was also analysed in detail by Rapid7 (see reference https://attackerkb.com/topics/Ur2L7rHv2F/cve-2022-22972).
The Java web architecture is based on a listener->filter->servlet construct to send web requests to a Java web container.
Petrus discovered that you can use the UrlRewriteFilter layer which is responsible for mapping requests to some internal servlets based on predefined rules (in the WEB-INF/urlrewrite.xml file) to read arbitrary files.
One particular predefined rule with the regex “^/t/([^/]*)((|/)(((?!META-INF|WEB-INF).)*))” will filter any request whose path matches and will map it to servlet “/$3”, allowing attackers to read arbitrary files under WEB-INF.
Example:
Based on the regex, we can easily see that the request needs to start with “/SAAS/t/_/;/”, so a request based on the rule with the path “/SAAS/t/_/;/WEB-INF/web.xml” will be mapped to “/WEB-INF/web.xml”.
With CVE-2022-22972 in the back of our mind, this vulnerability can be easily exploited to bypass the patch applied for CVE-2022-22972, where the developers added a HostHeaderFilter class to the filter chain to block all requests with a host header that doesn’t point to the server.
By manipulating the path “/auth/login/embeddedauthbroker/callback” using the path “/SAAS/t/_/;/auth/login/embeddedauthbroker/callback” based on the predefined rule explained earlier, it will bypass the HostHeaderFilter class, hence you can bypass the authentication again on a patched server.
There is a POC from horizon3ai at GitHub for CVE-2022-22972 (https://github.com/horizon3ai/CVE-2022-22972) that can be reused to test this vulnerability.
Combining this vulnerability with CVE-2022-31659 that allows remote code execution once the malicious user obtains administrator privileges makes VMware Workspace ONE Access, Identity Manager and vRealize Automation targets again.
VMware has released patches (https://www.vmware.com/security/advisories/VMSA-2022-0021.html) for both CVEs, and it is recommended that all VMware Workspace ONE clients apply these patches immediately to mitigate potential exploitation.
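For defenders, the rewrite path described in the assessment above leaves a recognisable trace in access logs: a request under the “/t/” rewrite prefix whose path, once the “;” path parameter is stripped the way the container does it, lands on WEB-INF, META-INF or the embeddedauthbroker callback. The following detection snippet is an added example, not code from AttackerKB, Petrus Viet or VMware; the log lines are constructed, and the Common Log Format layout and the list of sensitive paths are assumptions.

```python
import re
from urllib.parse import unquote

# Common Log Format line (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Targets the UrlRewriteFilter rule should never reach (from the write-up).
SENSITIVE = ("/WEB-INF/", "/META-INF/", "/auth/login/embeddedauthbroker/callback")

# Constructed sample access log: one benign login, the file-read pattern,
# the HostHeaderFilter bypass pattern, and a benign static asset under /t/.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 512
10.0.0.7 - - [09/Aug/2022:10:01:09 +0000] "GET /SAAS/t/_/;/WEB-INF/web.xml HTTP/1.1" 200 8831
10.0.0.7 - - [09/Aug/2022:10:01:15 +0000] "POST /SAAS/t/_/;/auth/login/embeddedauthbroker/callback HTTP/1.1" 302 0
10.0.0.9 - - [09/Aug/2022:10:02:00 +0000] "GET /SAAS/t/abc/css/app.css HTTP/1.1" 200 1200
""".splitlines()

def normalise(path: str) -> str:
    """Approximate the path the servlet container sees: drop the query string,
    decode percent-escapes, remove ';param' path parameters from every segment
    and squeeze repeated slashes. '/t/_/;/WEB-INF/web.xml' -> '/t/_/WEB-INF/web.xml'."""
    path = unquote(path.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return re.sub(r"/{2,}", "/", path)

def classify(path: str):
    """Return a reason string if the request abuses the /t/ rewrite prefix to
    reach a sensitive path, otherwise None."""
    norm = normalise(path).lower()
    if "/t/" not in norm:
        return None
    hits = [s for s in SENSITIVE if s.lower() in norm]
    if not hits:
        return None
    reason = "rewrite prefix /t/ reaching " + hits[0]
    if ";" in unquote(path):
        reason += " via ';' path parameter"
    return reason

def scan(lines):
    """Yield (ip, raw path, status, reason) for every suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify(m["path"])):
            findings.append((m["ip"], m["path"], int(m["status"]), reason))
    return findings
```

A 200 on the WEB-INF read or a 302 on the rewritten callback is the combination worth escalating; a matching request that the server rejected is still worth a look but is not evidence of a successful bypass.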
General Information
Vendors
- vmware
Products
- access connector 21.08.0.0,
- access connector 21.08.0.1,
- access connector 22.05,
- identity manager 3.3.4,
- identity manager 3.3.5,
- identity manager 3.3.6,
- identity manager connector 19.03.0.1,
- identity manager connector 3.3.4,
- identity manager connector 3.3.5,
- identity manager connector 3.3.6,
- one access 21.08.0.0,
- one access 21.08.0.1