[TIMESTAMP: 2026-05-29 05:34 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

VMware Workspace ONE Access RCE via CVE-2022-22960 — Patch Now

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Critical RCE vulnerabilities in VMware identity products are actively exploited, leading to full system compromise.
  • [02] Affected systems: VMware Workspace ONE Access, Identity Manager, Cloud Foundation, and vRealize Suite Lifecycle Manager versions.
  • [03] Remediation: Apply available patches for CVEs 2022-22954, 2022-22960, 2022-22957, and 2022-22958 immediately.

Overview: Critical VMware Vulnerabilities Under Active Exploitation

Runtime Rebel is issuing an urgent advisory regarding critical vulnerabilities impacting VMware Workspace ONE Access and VMware Identity Manager. These flaws, including CVE-2022-22954, CVE-2022-22960, CVE-2022-22957, and CVE-2022-22958, enable attackers to achieve full system compromise, including Remote Code Execution (RCE) and authentication bypass. Intelligence from the SANS Internet Storm Center Stormcast confirms that these vulnerabilities are actively being exploited in the wild, necessitating immediate patching. Organizations leveraging these VMware products must prioritize remediation to prevent unauthorized access and potential data exfiltration or disruption. The severity of these issues is heightened by the widespread deployment of VMware’s identity and access management solutions across enterprise environments.

Technical Analysis of VMware Workspace ONE Access Vulnerabilities

The core of the threat lies in a sequence of vulnerabilities that, when chained together, allow unauthenticated attackers to gain administrative control. This attack chain frequently begins with a server-side request forgery (SSRF) flaw.

CVE-2022-22954: Initial SSRF

CVE-2022-22954 is a Server-Side Request Forgery vulnerability present in VMware Workspace ONE Access and Identity Manager. While an SSRF typically allows an attacker to make a server request on behalf of the vulnerable application, potentially accessing internal network resources, its direct impact is often limited. However, in this specific context, it serves as a critical stepping stone. Its relatively lower CVSS score of 5.3 (Medium) might mislead some, but its role in enabling more severe attacks makes it a significant concern. The ability to manipulate the server into making requests to arbitrary locations within the network allows attackers to discover and interact with other internal services, paving the way for further exploitation.

Authentication Bypass and RCE Chain

The more critical vulnerabilities, CVE-2022-22960 and CVE-2022-22957, escalate the threat significantly. CVE-2022-22960, an authentication bypass with a critical CVSS score of 9.8, allows unauthenticated attackers to gain administrative access. This bypass, when combined with the SSRF or other mechanisms, can lead directly to RCE. CVE-2022-22957 is an RCE vulnerability, also rated 9.8 (Critical), which attackers can exploit to execute arbitrary commands on the underlying operating system. A related, slightly less severe RCE is CVE-2022-22958, with a CVSS score of 7.8 (High). The established TTP has three stages: the attacker uses the initial SSRF or similar reconnaissance to identify vulnerable services, uses the authentication bypass (CVE-2022-22960) to gain elevated privileges, and finally exploits an RCE (CVE-2022-22957 or CVE-2022-22958) to achieve full control. This chain bypasses typical security controls, which is why RCE via CVE-2022-22960 in VMware Workspace ONE Access is a major concern for defenders. The rapid transition from initial access to full compromise poses a significant risk to an organization’s identity infrastructure and can enable further lateral movement within the network.

Prioritizing Mitigation and Patching for VMware Identity Manager

The affected products include:

  • VMware Workspace ONE Access (versions 21.08.0.0, 20.10.0.0, 3.3.6)
  • VMware Identity Manager (versions 3.3.3, 3.3.4, 3.3.5, 3.3.6)
  • VMware Cloud Foundation (versions 4.x, 3.x)
  • vRealize Suite Lifecycle Manager (versions 8.x)

Given the active exploitation, prioritizing remediation is critical. Organizations need a clear plan for patching VMware Identity Manager against CVE-2022-22954 and the associated vulnerabilities. The goal is not merely to address the SSRF but to close all known attack vectors in these widely used components.

Actionable Recommendations

Defenders must act decisively to secure their VMware deployments.

  • Patch Immediately: Apply all available patches for VMware Workspace ONE Access and Identity Manager products without delay. Ensure all four CVEs (CVE-2022-22954, CVE-2022-22960, CVE-2022-22957, and CVE-2022-22958) are addressed. These patches are designed to prevent the initial SSRF, block the authentication bypass, and mitigate the RCE vulnerabilities.
  • Verify Patch Application: Post-patching, verify that all updates have been successfully applied and are active. Regularly audit systems for adherence to patching policies.
  • Monitor for Exploitation: Implement enhanced monitoring for any suspicious activity on VMware Workspace ONE Access and Identity Manager instances. Look for unusual network connections, process spawning, or authentication attempts. SIEM and EDR solutions should be configured to alert on potential exploitation attempts or post-exploitation indicators.
  • Review Network Segmentation: Ensure that VMware identity solutions are properly segmented from critical internal infrastructure to limit lateral movement if a compromise occurs.
  • Implement Zero Trust Principles: Apply Zero Trust principles to restrict access to these critical identity components, minimizing the attack surface.
  • Incident Response Preparedness: Have an incident response plan ready. Teams should be aware of the indicators of compromise related to these vulnerabilities and prepared to respond swiftly.
  • Temporary Workarounds for CVE-2022-22957: Patching is the primary mitigation. If immediate patching is infeasible, consult VMware’s official security advisories for temporary workarounds. These might include disabling specific vulnerable functionality or implementing strict access control lists (ACLs) at the network perimeter to restrict access to the affected services. These are temporary measures and not a substitute for patching.

Organizations must prioritize these actions to protect their identity infrastructure from ongoing threats.
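To support the "Verify Patch Application" audit step, the following added example (not from VMware or from this advisory's source material) scopes an asset inventory against the affected-version list given above. The CSV layout, hostnames and sample rows are assumptions constructed for illustration; a match means the host runs a listed version and needs its patch status confirmed, not that it is unpatched.

```python
import csv
import io

# Affected versions exactly as listed in this advisory; "N.x" entries are
# treated as wildcards covering every release in that major line.
AFFECTED = {
    "vmware workspace one access": ["21.08.0.0", "20.10.0.0", "3.3.6"],
    "vmware identity manager": ["3.3.3", "3.3.4", "3.3.5", "3.3.6"],
    "vmware cloud foundation": ["4.x", "3.x"],
    "vrealize suite lifecycle manager": ["8.x"],
}

def version_matches(version, pattern):
    """True if version equals pattern or falls under an 'N.x' wildcard."""
    if pattern.endswith(".x"):
        # "4.x" matches "4" and "4.3.1" but not "40.1".
        return version == pattern[:-2] or version.startswith(pattern[:-1])
    return version == pattern

def in_scope(inventory_csv):
    """Return (host, product, version) rows that need patch verification."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Normalise case and whitespace so inventory typos still match.
        product = " ".join(row["product"].lower().split())
        version = row["version"].strip()
        patterns = AFFECTED.get(product, [])
        if any(version_matches(version, p) for p in patterns):
            hits.append((row["host"].strip(), row["product"].strip(), version))
    return hits

# Constructed sample inventory (assumed columns: host, product, version).
SAMPLE_INVENTORY = """host,product,version
idm-01.example.internal,VMware Identity Manager,3.3.5
ws1a-01.example.internal,VMware Workspace ONE Access,21.08.0.0
ws1a-02.example.internal,VMware Workspace ONE Access,22.09.0.0
vcf-mgmt.example.internal,VMware Cloud Foundation,4.3.1
vrslcm.example.internal,vRealize Suite  Lifecycle Manager,8.6
vcf-lab.example.internal,VMware Cloud Foundation,40.1
"""

if __name__ == "__main__":
    for host, product, version in in_scope(SAMPLE_INVENTORY):
        print(f"VERIFY PATCH: {host} ({product} {version})")
```

Hosts the script reports still need their installed patch level checked on the appliance itself, because a fixed build can carry the same base version number.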
