1) VMSA-2022-0024 / CVE-2022-31676 – A New Vulnerability in VMware Tools Could Allow for Privilege Escalation
What is VMSA-2022-0024 vulnerability? A new vulnerability in VMware Tools has been discovered, which could allow for privilege escalation. Updates are available to remediate this vulnerability in affected VMware products. This blog post will provide an overview of the issue and how to update your VMware Tools installation.
What is the Issue with CVE-2022-31676?
The CVE-2022-31676 vulnerability is a local privilege escalation flaw in the way the VMware Tools service handles certain vSphere APIs. A malicious actor with network access to the vSphere management interface could exploit this issue to execute arbitrary code on the system with elevated privileges.
How do you fix CVE-2022-31676?
VMware has released updates to address this issue in affected versions of VMware Tools. The VMware Download Center has updates for VMware Tools 11.1.5 and later, as well as versions 10.3.16 and earlier. If you are running an older version of VMware Tools, you must update to a supported version to receive the security fixes contained in these updates.
To protect your system from this privilege escalation vulnerability, ensure that your VMware Tools installation is up to date. For more information on this issue, see the CVE-2022-31676 page on the vmware.com website. As always, if you have any questions or need assistance, our support team is here to help.
GET IN TOUCH
Discuss your VMware Patching Requirements 0203 916 5593
2) CVE-2022-22983 – VMSA-2022-0023 – A Vulnerability in VMware Workstation Reported by VMware
A vulnerability in VMware Workstation was reported to VMware privately. The vulnerability, CVE-2022-22983, is an unprotected storage of credentials issue. Updates are available to remediate this vulnerability in affected VMware products.
What is the Issue with CVE-2022-22983?
This problem stems from the way the application stores some passwords in memory. A local attacker with access to the affected system may be able to exploit this issue to gain access to sensitive information. Successful exploitation of this issue may lead to Information Disclosure.
What are the VMware products affected?
The following versions of VMware Workstation contain this issue:
• VMware Workstation 16.x prior to 16.2.4
How do you fix CVE-2022-22983?
VMware has released updates for affected versions of VMware Workstation. VMware has issued updates for affected VMware Workstation versions. To address CVE-2022-22983, apply the updates listed in VMSA-2022-0023 as soon as possible. Because there are no workarounds, users are strongly advised to update their installations as soon as possible.
Install the Updates to fix VMSA-2022-0023
VMSA-2022-0023 contains instructions for installing the updates. Update your products today to protect your system from CVE-2022-22983.
IIt’s critical to keep all of your systems’ software up to date, especially when new vulnerabilities emerge like CVE-2022-22983. By applying these updates, you can help keep your systems secure against unauthorized access and exploitation.
3) Remediating CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, CVE-2022-31675 in VMware products
Multiple vRealize Operations vulnerabilities were privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. These CVEs are rated as having a Critical severity rating with a CVSS score of 9.8. Successful exploitation of these issues may result in full compromise of an affected system. VMSA-2022-0022 has been released which documents the remediation for these issues and includes links to the patch download locations.
- CVE-2022-31672 is a use after free issue which may allow a remote attacker to execute code on the affected system.
- CVE-2022-31673 is an insecure deserialization issue which may allow a remote attacker to execute code on the affected system.
- CVE-2022-31674 is an out of bounds read issue which may allow a remote attacker to disclose information from the affected system.
- CVE-2022-31675 is an out of bounds write issue which may allow a remote attacker to execute code on the affected system.
- A patch has been released by VMware to address these vulnerabilities (VMSA 2022 002). Upgrade to the patched versions of vRealize Operations Manager 8.2.0, 8.1.1, 7.5.0, 7 1 5 1, 7 1 0 1, or 6 5 0 2 as soon as possible. If you are unable to update right away, please use the workarounds listed in the advisory until you are able to.
4) Critical Vulnerability in VMware VMSA-2022-0021.1
Updates to VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation address a number of vulnerabilities.
You may have heard about the recent authentication bypass vulnerability (CVE-2022-31656) that has been affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. In this blog post, we’ll give you a brief overview of the issue and how it can be resolved.
4.1) What is Authentication bypass vulnerability – CVE-2022-31656?
CVE-2022-31656 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This vulnerability allows a malicious actor to gain access to sensitive information and/or execute arbitrary code with root privileges on the affected system. The severity of this issue has been rated as Critical by VMware, with a maximum CVSSv3 base score of 9.8.
How can CVE-2022-31656 be exploited?
CVE-2022-31656 can be exploited by a malicious actor who gains physical access to the affected system through phishing or other means. After gaining access to the system, the attacker can use CVE-2022-31656 to gain access to sensitive information and/or execute arbitrary code with root privileges.
What are the possible impacts of CVE-2022-31656?
If CVE-2022-31656 is successfully exploited, a malicious actor could gain access to sensitive information and/or execute arbitrary code with root privileges on the affected system. This could lead to data loss, service disruptions, or even full compromise of the system.
How can CVE-2022-31656 be mitigated?
Fortunately, VMware has released a patch that addresses this problem in VMware Workspace ONE Access 20.02 Patch 03, Identity Manager 3102 Patch 06, and vRealize Automation 8100 Patch 04b. To mitigate CVE-2022-31656, we recommend that you apply these patches as soon as possible.
CVE-2022-31656 is an authentication bypass vulnerability that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This vulnerability allows a malicious actor to gain access to sensitive information and/or execute arbitrary code with root privileges on the affected system. The severity of this issue has been rated as Critical by VMware, with a maximum CVSSv3 base score of 9.8.
Fortunately, there is a patch available from VMware which address this issue in VMware Workspace ONE Access 20.02 Patch 03, Identity Manager 3102 Patch 06, and vRealize Automation 8100 Patch 04b. We recommend that you apply these patches as soon as possible in order to mitigate CVE-2022-31656.
4.2) JDBC database injection flaw – CVE-2022-31658, CVE-2022-31665
Recently, a new JDBC database injection flaw was identified, designated CVE-2022-31658 and CVE-2022-31665. This flaw allows remote code execution if an attacker is able to pass malicious input to the application (either through user input or manipulation of serialised objects).
What Are Parameterized Statements?
A parameterized statement is a SQL statement that has placeholder values for parameters. At runtime, these placeholders are replaced with actual values. Because the attacker cannot manipulate the structure of the SQL query, SQL injection attacks are prevented.
Details of the VMware Hot Fix for JDBC database injection flow.
4.3) SQL injection Remote Code Execution Vulnerability (CVE-2022-31659)
SQL injection attacks are a type of injection attack in which SQL code is injected into a user’s input data to alter the execution of a SQL query. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), perform database administration operations (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system, or write files into the file system, potentially allowing an attacker to upload malicious files that result in Remote Code Execution.
CVE-2022-31659 is a SQL Injection RCE Vulnerability that affects VMware Workspace ONE Access and Identity Manager. By sending a specially crafted HTTP POST request, a remote unauthenticated attacker could potentially exploit this issue to take control of an affected system. There are no known workarounds for this issue. In contrast, VMware has issued patches to address this issue. Users are advised to apply the patches as soon as possible.
4.4) Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, )
Local privilege escalation is a type of security vulnerability that can allow an attacker to gain elevated access to a system. CVE-2022-31660 and CVE-2022-31661 are two such vulnerabilities that have been discovered in VMware Workspace ONE Access, Identity Manager and vRealize Automation. These issues have been rated as being in the Important severity range, with a maximum CVSSv3 base score of 7.8. While there are currently no workarounds, VMware has released patches to address these vulnerabilities. Users should apply these updates as soon as possible to protect their systems from potential exploitation.
4.5) URL Injection Vulnerability (CVE-2022-31657)
URL injection is a type of attack that occurs when a malicious URL is inserted into a web page or application. This can allow the attacker to redirect users to a malicious site, inject malicious code into the page, or perform other actions. CVE-2022-31657 is a URL injection vulnerability that affects VMware Workspace ONE Access and Identity Manager. VMware has rated this issue as Moderate severity, with a maximum CVSSv3 base score of 5.9. URL injection vulnerabilities can be difficult to exploit, but if successful, can have serious consequences. To mitigate this issue, VMware recommends that users apply the patch for CVE-2022-31657.
4.6) Path traversal vulnerability (CVE-2022-31662)
Path traversal vulnerabilities are commonly exploited by attackers to gain unauthorized access to sensitive files on a server. This particular vulnerability, CVE-2022-31662, affects VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation. Attackers could use this vulnerability to gain read access to sensitive configuration files and database backups, which could contain sensitive information like passwords and database contents. Attackers who gain access to these files may be able to use the information contained within them to launch additional attacks. VMware has rated the severity of this issue as Moderate, with a maximum CVSSv3 base score of 5.3. To mitigate this issue, VMware has released updates for affected products. Users are encouraged to install these updates as soon as possible.
4.7) Cross-site scripting (XSS) vulnerability (CVE-2022-31663)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. An attacker can exploit XSS vulnerabilities to inject malicious code into a web page, which is then executed by the browser of any user who views the page. This can lead to the execution of arbitrary code and the theft of sensitive data.
CVE-2022-31663 is a reflected XSS vulnerability that has been found in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This issue has been rated as having a Moderate severity, with a maximum CVSSv3 base score of 4.7. To address this issue, VMware recommends that users update to the most recent version of these products. Cross-site scripting vulnerabilities can be difficult to find and exploit, but if successful, they can have serious consequences. As such, it is important for organizations to be aware of these issues and take steps to prevent them.
All of the above 7 sub vulnerabilities are part of VMware’s Security Advisory VMSA-2022-0021.1.
GET IN TOUCH
Discuss your VMware Patching Requirements 0203 916 5593
5) VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities – VMSA-2022-0020.1
VMware has released an update to address Return-Stack-Buffer-Underflow (CVE-2022-29901, CVE-2022-28693, CVE-2022-26373) and Branch Type Confusion (CVE-2022-23816, CVE-2022-23825) vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
We recommend administrators update affected systems and apply the necessary mitigations. Return-Stack-Buffer-Underflow (CVE-2022-29901, CVE-202288693, CVE26373) Return-stack-buffer-underflow occurs when a programme fails to handle incorrect return addresses on the system stack after being overwritten by a malicious user.
Branch type confusion (CVE-2022-23816, CVE-2022-23825)
When software incorrectly validates assumptions about memory types used by other pieces of code, the branch type confusion condition occurs.The Common Vulnerabilities and Exposures project (cve) has assigned the name CVE2022-23816 and CVE-2022-23825 to this issue. These vulnerabilities may allow a remote attacker to take control of an affected system.
VMware Products affected by these vulnerabilities:
- VMware ESXi
- VMware Cloud Foundation
For full vulnerability details on VMSA-2022-0020.1.
6) VMware vRealize Log Insight updates address multiple Cross Site Scripting (XSS) vulnerabilities (CVE-2022-31654, CVE-2022-31655)
vRealize Log Insight contains multiple stored cross-site scripting CVE-2022-31654, CVE-2022-31655. By persuading a victim to use the Malicious link, a context-dependent attacker could exploit these vulnerabilities to execute script in the browser of the victim under the context of vRealize Log Insight. This can allow the attacker to steal cookie and session information or to perform other actions that leads to vRealize Log Insight Security Bypass. VMware has evaluated the severity of this issue as CVSS 3.9.
7) VMware vCenter Server updates address a server-side request forgery (SSRF) vulnerability (CVE-2022-22982)
Products affected by VMSA-2022-0018 vulnerabilities are:
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
A server-side request forgery (SSRF) vulnerability exists in the vSphere Client (HTML 5) SDK API. This issue may allow a malicious actor to send arbitrary requests to a server that the vSphere Client (HTML 5) has access to, resulting in information disclosure. A malicious actor with network access to 443 on the vCenter Server could exploit this vulnerability by accessing a URL request outside of vCenter Server or an internal service.
8) VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) – VMSA-2022-0017
VMware HCX contains an information disclosure vulnerability, which has been given a CVE identifier of CVE-2022-22953. The VMware Security Advisory (VMSA) for this issue is VMSA-2022-0017. The severity of this issue has been rated as being in the low severity range, with a maximum CVSSv3 base score of 2.7. A malicious actor with network user access to the VMware HCX appliance may be able to gain access to sensitive information. VMware has released an update to address this issue. Users are encouraged to install the update as soon as possible. More information on this issue can be found in the VMSA.
9) DirectPath I/O (PCI-Passthrough) Information Leak vulnerabilities (CVE-2022-21123, CVE-2022-21125, CVE-2022-21166)
Leak vulnerabilities can be difficult to detect and, if ignored, can result in significant damage. The VMware ESXi patch addresses DirectPath I/O (PCI-Passthrough) Information Leak vulnerabilities (CVE-2022-21123, CVE-2022-21125, CVE-2022-21166), which, if unpatched, could cause serious damage to impacted products – VMware ESXi and VMware Cloud Foundation (VCF). If the host uses Intel processors, a malicious actor with administrative access to a virtual machine with an attached DirectPath I/O (PCI-Passthrough) device can exploit a flaw in memory-mapped I/O (MMIO) fill buffers to leak information stored in physical memory about the hypervisor or other virtual machines on the same ESXi host.
Apply the patches listed in the fixed section and enable the VMkernel to mitigate these risks. Also enable the VMkernel.Boot.forceHyperthreadingMitigation advanced setting.
10) VMware Tools for Windows contains an XML External Entity (XXE) vulnerability -VMSA-2022-0015- CVE-2022-22977
VMware has released updates to address a XML External Entity (XXE) vulnerability, CVE-2022-22977, in VMware Tools for Windows. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure. Updates are available for all supported versions of VMware Tools for Windows. VMware has assigned VMSA-2022-0015 as the code.
Disclaimer: Whilst we have taken every precaution to ensure the accuracy of this article, it is possible that some errors or misinformation have occurred. Please visit the Vendor sites for more up-to-date information on versions and current status. Consult Circle accepts no responsibility for any issues caused by following this article.
