On May 18th, 2022, VMware published a security advisory (VMSA-2022-0014) with a CVSS base score of 9.8/10. It covers two vulnerabilities that impact VMware Workspace ONE: an authentication bypass vulnerability (CVE-2022-22972), the more severe of the two, and a privilege escalation vulnerability (CVE-2022-22973).
The authentication bypass vulnerability affects the way Workspace ONE communicates with authentication servers. When a user attempts to log in, the server reads the request's Host header and forwards the login request to the address specified there. If the server named in the Host header responds with a 200 status code, Workspace ONE considers the user successfully authenticated. An attacker can therefore specify a custom authentication server through the Host header and have it return a status code of 200, resulting in an authentication bypass.
In simpler terms, one can specify the authentication server that Workspace ONE communicates with if the user has supplied valid credentials. The research team at Horizon3 has published a great document detailing the inner workings of CVE-2022-22972. Feel free to take a look if you wish to learn more about the technical side of this vulnerability.
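A defensive check for the behaviour described above, as an added example that is not from the original post, from VMware or from the StackPath WAF: it normalizes the Host header of login requests and flags any that do not match the expected hostname. The hostname, the `/login` path and the sample records are constructed assumptions.

```python
ALLOWED_HOSTS = {"workspace.example.com"}  # assumption: the deployment's public FQDN
LOGIN_PATH = "/login"                      # hypothetical placeholder, not the product's real path


def normalize_host(host_header):
    """Return the lower-cased host without port, or None if the header is malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if any(c in host for c in " \t\r\n/@\\,"):  # characters never valid in a Host value
        return None
    if host.startswith("["):                     # bracketed IPv6 literal, e.g. [::1]:443
        end = host.find("]")
        if end == -1:
            return None
        name, rest = host[:end + 1], host[end + 1:]
    else:
        name, sep, port = host.partition(":")
        rest = sep + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None                              # trailing junk or non-numeric port
    return name.rstrip(".") or None              # drop the trailing dot of an absolute FQDN


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the normalized Host value is an expected hostname."""
    return normalize_host(host_header) in allowed


def flag_login_requests(records, allowed=ALLOWED_HOSTS):
    """Return login records whose Host header is not an expected hostname."""
    return [r for r in records
            if r["path"].split("?", 1)[0] == LOGIN_PATH
            and not host_is_allowed(r.get("host"), allowed)]


# Constructed sample records (not real traffic).
SAMPLE = [
    {"src": "198.51.100.7", "path": "/login", "host": "workspace.example.com"},
    {"src": "198.51.100.7", "path": "/login", "host": "WORKSPACE.example.com.:443"},
    {"src": "203.0.113.9", "path": "/login", "host": "unexpected-host.example"},
    {"src": "203.0.113.9", "path": "/login?x=1", "host": "workspace.example.com@203.0.113.9"},
    {"src": "203.0.113.9", "path": "/static/app.js", "host": "other.example"},
]

if __name__ == "__main__":
    for r in flag_login_requests(SAMPLE):
        print("unexpected Host on login request:", r["src"], repr(r["host"]))
```

The same allowlist can be enforced at a reverse proxy or WAF in front of the appliance, so that a request with an unexpected Host value never reaches the login handler.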
Mitigation at StackPath
The first occurrences of exploitation attempts in the wild were detected on the 27th of May at 17:43 UTC. These attempts targeted a server belonging to a Brazilian IP address space, and all of them were successfully blocked by the StackPath WAF as a result of our injection policies.
Another vulnerability related to VMware Workspace ONE that has appeared recently is CVE-2022-22954, which has the same CVSS base score of 9.8/10 and leaves the product susceptible to template injection attacks. The first attempts at exploiting this vulnerability were detected on the 7th of May at 08:49 UTC. All of these attempts were blocked by rules that StackPath's WAF team had implemented a few months prior. These rules were implemented in the first place to prevent template injection attacks.