VMware released security updates to patch a critical vulnerability, tracked as CVE-2022-22972, that affects Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation. VMware also published temporary workarounds so that users can protect their systems until they are able to patch. The vulnerability allows an attacker to gain admin privileges.
Horizon3 security researchers published a proof-of-concept exploit and a technical analysis of the vulnerability. The researchers noted that the patch addressing CVE-2022-22972 is patch 28, and that patch 28 is cumulative: it rolls up every fix issued since the product's inception. That makes it difficult to determine exactly which change addresses the most recent vulnerability. The researchers said,
« CVE-2022-22972 is a relatively simple Host header manipulation vulnerability. Motivated attackers would not have a hard time developing an exploit for this vulnerability. A quick search on Shodan.io for the affected VMware applications returns a pretty low count of organizations that expose them to the internet. Of note, the healthcare, education industry, and state government all seem to be a fair amount of the types of organizations that have exposures – putting them at larger risk for current and future exploitation. Organizations should address these issues by immediately following the guidance within the VMware Security Advisory. »
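The quoted analysis describes the flaw as Host header manipulation. The defensive counterpart to that is strict Host header validation in front of the identity appliance, and a review of access logs for requests that arrived with a Host value the appliance was never meant to serve. The following is an added example, not code from the article, VMware, or Horizon3: it implements a generic Host header allowlist check of the kind a reverse proxy or WAF would apply, and runs it over a few constructed log lines in an assumed "client method path host status" format. The hostnames, paths, and log format are constructed placeholders, not values from the affected products.

```python
"""
Added example (not from the article, VMware, or Horizon3): a Host-header
allowlist check plus a scan of constructed sample access log lines that
flags requests whose Host header does not match the expected hostnames.
All hostnames, paths, and the log format are constructed placeholders.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed allowlist: the hostnames this appliance is legitimately served under.
ALLOWED_HOSTS = {"idm.example.internal", "access.example.internal"}


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname part of a Host header (port and surrounding
    whitespace stripped), or None if the header is missing or malformed.
    Bracketed IPv6 literals are returned whole, e.g. '[::1]'."""
    if host_header is None:
        return None
    value = host_header.strip().lower()
    if not value:
        return None
    if value.startswith("["):  # IPv6 literal such as [::1]:443
        end = value.find("]")
        if end == -1:
            return None
        return value[: end + 1]
    host = value.split(":", 1)[0]
    # Reject anything containing characters a hostname never contains.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


def host_allowed(host_header: Optional[str]) -> bool:
    """True only when the Host header resolves to an allowlisted hostname.
    A missing or malformed header is rejected rather than silently accepted."""
    host = normalize_host(host_header)
    return host is not None and host in ALLOWED_HOSTS


# Constructed sample log lines: "client method path host status".
SAMPLE_LOG = """\
10.0.0.5 POST /login idm.example.internal 200
10.0.0.5 GET /static/app.js IDM.example.internal:443 200
198.51.100.7 POST /login attacker-controlled.example 200
198.51.100.7 POST /login 10.0.0.9 302
203.0.113.4 POST /login [::1] 200
"""

LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)


def find_unexpected_hosts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, host) for every request whose Host header is not
    on the allowlist. Lines that do not match the assumed format are skipped."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if not host_allowed(m.group("host")):
            hits.append((m.group("client"), m.group("path"), m.group("host")))
    return hits


if __name__ == "__main__":
    for client, path, host in find_unexpected_hosts(SAMPLE_LOG.splitlines()):
        print(f"unexpected Host header {host!r} from {client} on {path}")
```

The check deliberately treats a missing or malformed Host header as a rejection rather than falling back to a default, since the whole class of Host header attacks relies on the server trusting whatever the client sends. On the sample input, the three requests carrying an attacker-chosen name, a raw IP address, and an IPv6 loopback literal are flagged, while the legitimate hostname is accepted regardless of case or an explicit port.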
The Cybersecurity and Infrastructure Security Agency also flagged the vulnerability and issued a new Emergency Directive ordering Federal Civilian Executive Branch agencies to update the affected VMware products or remove them from their networks. The CVE-2022-22972 vulnerability is not being exploited in the wild yet.