Service announcement: VMware has patched a critical authentication bypass vulnerability (CVE-2022-22972) that allows an attacker with network access to obtain administrative access to unpatched devices without authenticating.

In addition, VMware has patched a high severity local privilege escalation vulnerability (CVE-2022-22973), which allows a local user who already has access to a device to elevate their permissions to ‘root.’

The complete list of VMware products impacted by these security bugs:

  • VMware Workspace ONE Access
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

The Cybersecurity and Infrastructure Security Agency (CISA) expects malicious cyber actors to reverse engineer the patches in order to exploit CVE-2022-22972 and CVE-2022-22973.

What are the vulnerabilities?

CVE-2022-22972 is an authentication bypass vulnerability with a critical CVSS score of 9.8. An attacker who has network access to the user interface may be able to obtain administrative access without needing to authenticate.

CVE-2022-22973 is an LPE (Local Privilege Escalation) vulnerability impacting VMware Workspace ONE Access and Identity Manager. An attacker who already has local access to a system can use it to elevate their permissions to ‘root’ access.

CISA recommends urgently patching both vulnerabilities, or applying the relevant workarounds, because APT groups are known to have exploited pairs of vulnerabilities in the past.

Patches and workarounds

A list of patches and workarounds for the CVE-2022-22972 and CVE-2022-22973 vulnerabilities can be found on VMware’s website.

Update 01/06/2022

Public proof-of-concept (PoC) exploit code is now available for the critical authentication bypass vulnerability (CVE-2022-22972) in multiple VMware products, which allows attackers to gain admin privileges.

Horizon3 has released the public PoC together with a technical breakdown demonstrating how the vulnerability is exploited. Open Source Intelligence (OSINT) discovery tools such as Shodan.IO show a relatively low count of exposed instances.

However, according to Horizon3, the organisations with exposed instances are mainly in healthcare, education and state government, putting them at greater risk of current and future exploitation.

This is an ongoing event, and we are continuing to track developments. If you have any questions or require support, please contact our IT service desk on 01904 562207 or email [email protected].