Informed on May 2022, a critical vulnerability by the name of CVE-2022-22972 was discovered in VMware products, exposing a significant security risk to organizations relying on their software.
In this blog post, we’ll provide a comprehensive understanding of the vulnerability, its potential impact, the importance of patching, and how InvGate Asset Management can simplify the Patch Management process.
Continue reading to gain a comprehensive understanding of CVE-2022-22972 and how to secure your systems.
About CVE-2022-22972
CVE-2022-22972 is a critical authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. It allows an attacker with network access to the UI to obtain administrative access without the need to authenticate.
The vulnerability has a CVSS score of 9.8, which is considered critical. It affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation 7.6 and later.
How does CVE-2022-22972 work?
CVE-2022-22972 exploits a misconfiguration in the authentication handling process of VMware products. When a user initiates an authentication request to a VMware product, the latter sends an HTTP POST request to an authentication endpoint. The role of this endpoint is to validate the user's credentials and provide a response indicating the success or failure of the authentication attempt.
The vulnerability stems from the lack of proper validation of the Host header within the HTTP POST request by the authentication endpoint. This oversight allows malicious actors to manipulate the Host header, making it appear as if the request originates from a trusted source. By successfully spoofing the Host header, the attacker can trick the authentication endpoint into returning a positive response, even in the absence of valid credentials.
What are CVE-2022-22972 risks?
An attacker who exploits this vulnerability can gain full administrative access to a VMware environment, allowing them to steal data, install malware, or disrupt operations.
Is CVE-2022-22972 fixed?
Yes, VMware has released patches for CVE-2022-22972 and users should install them as soon as possible to protect their environments from attack - more on that later.
How to find devices exposed to CVE-2022-22972
With the utilization of InvGate Asset Management, you can promptly detect devices that have been impacted by the CVE-2022-22972 vulnerability. The following guidelines outline the necessary steps to accomplish this task efficiently:
- Open InvGate Asset Management and go to the Explorer tab.
- Type in the Search bar “Software name, is:VMware Workspace ONE Access (or Identity Manager, or vRealize Automation) to filter all devices with these software products.
- Add another filter to the Search bar to see all devices missing the security patch. To do that, add the following filter: “Reported version, is not:” and paste VMware’s patched version (depending on your product, you’ll find the security update number on VMware’s webpage).
The bottom line
CVE-2022-22972 is a critical authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. It allows an attacker with network access to the UI to obtain administrative access without the need for authentication.
With a CVSS score of 9.8, the vulnerability poses a significant risk to organizations using the affected VMware products. That’s why it is crucial for users to install the patches promptly.
InvGate Asset Management offers a convenient solution to identify devices exposed to CVE-2022-22972 and streamlines their Patch Management process. Request a 30-day free trial now and leverage its capabilities to protect against potential exploits.