CVE-2022-22955
📋 TL;DR
CVE-2022-22955 is an authentication bypass vulnerability in VMware Workspace ONE Access's OAuth2 ACS framework that allows attackers to execute operations without proper authentication. This affects organizations using VMware Workspace ONE Access and Identity Manager. Attackers can exploit exposed endpoints to gain unauthorized access.
💻 Affected Systems
- VMware Workspace ONE Access
- VMware Identity Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Workspace ONE Access system, allowing attackers to execute arbitrary operations, access sensitive data, and potentially pivot to other systems in the network.
Likely Case
Unauthorized access to the Workspace ONE Access administration interface, enabling configuration changes, user impersonation, and data exfiltration.
If Mitigated
Limited impact with proper network segmentation, strong access controls, and monitoring in place to detect and block exploitation attempts.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available. The vulnerability can be exploited without authentication via HTTP requests to specific endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Workspace ONE Access 21.08.0.2, 20.10.0.2; Identity Manager 3.3.6.1
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from VMware's download portal.
2. Apply the patch following VMware's documentation.
3. Restart the Workspace ONE Access/Identity Manager services.
4. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Block Vulnerable Endpoints
Configure network or application firewalls to block access to the vulnerable OAuth2 ACS endpoints.
# Example iptables rules to drop requests for the vulnerable paths. The string match only inspects
# cleartext, so it cannot see paths inside TLS on 443: apply it on a plain-HTTP hop behind a TLS-terminating proxy, or block the paths at that proxy/WAF.
# iptables -A INPUT -p tcp --dport 80 -m string --string "/catalog-portal/ui/oauth/verify" --algo bm -j DROP
# iptables -A INPUT -p tcp --dport 80 -m string --string "/SAAS/auth/login/embeddedauthbroker/callback" --algo bm -j DROP
🧯 If You Can't Patch
- Isolate the affected systems from the internet and restrict network access to only trusted sources.
- Implement strict network segmentation and monitor for any unauthorized access attempts to the vulnerable endpoints.
🔍 How to Verify
Check if Vulnerable:
Check the version of VMware Workspace ONE Access or Identity Manager. If it is older than the patched releases listed above, the system is vulnerable.
Check Version:
# For Workspace ONE Access
cat /usr/local/horizon/conf/version.properties
# For Identity Manager
cat /opt/vmware/horizon/workspace/conf/version.properties
Verify Fix Applied:
Verify the version has been updated to the patched version and test that the authentication bypass no longer works.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts
- Access to OAuth2 ACS endpoints without proper authentication
- Unexpected configuration changes
Network Indicators:
- HTTP requests to paths like /catalog-portal/ui/oauth/verify, /SAAS/auth/login/embeddedauthbroker/callback
SIEM Query:
source="*workspace*" AND (url="*/catalog-portal/ui/oauth/verify*" OR url="*/SAAS/auth/login/embeddedauthbroker/callback*")
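As an added example (not part of the original advisory summary), a small Python script that applies the network indicators above to web access logs: it parses Combined Log Format lines, flags requests to the two endpoints, and counts hits per source so repeated probing stands out. The log format and sample lines are constructed assumptions; adjust the regex to the appliance's actual access-log layout.

```python
import re
from collections import Counter

# Endpoints listed under Network Indicators above.
VULN_PATHS = (
    "/catalog-portal/ui/oauth/verify",
    "/SAAS/auth/login/embeddedauthbroker/callback",
)

# Combined Log Format: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (hypothetical; not captured from a real appliance).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2022:10:01:02 +0000] "GET /catalog-portal/ui/oauth/verify?code=x HTTP/1.1" 200 512 "-" "python-requests/2.27"
198.51.100.4 - - [10/Apr/2022:10:02:10 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2022:10:01:03 +0000] "GET /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1" 302 0 "-" "python-requests/2.27"
203.0.113.7 - - [10/Apr/2022:10:01:05 +0000] "POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1" 200 128 "-" "python-requests/2.27"
this line is malformed and must be skipped rather than crash the parser
"""

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string before matching
    return rec

def find_hits(log_text):
    """Return parsed requests whose path is one of the vulnerable endpoints (or below it)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(rec["path"] == p or rec["path"].startswith(p + "/") for p in VULN_PATHS):
            hits.append(rec)
    return hits

def suspicious_sources(hits, threshold=2):
    """Map source IP -> hit count, keeping only sources at or above the threshold."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} "{h["ua"]}"')
    print("sources over threshold:", suspicious_sources(found))
```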