VMware Patches Critical Flaw in VMware Workspace ONE: Comment from Tenable

VMware published an advisory (VMSA-2022-0014) to address two vulnerabilities in its VMware Workspace ONE Access, Identity Manager and vRealize Automation products. This advisory follows an advisory from April (VMSA-2022-0011) for multiple flaws in VMware Workspace ONE.

Below is a comment from Satnam Narang, staff research engineer at Tenable, who says that vulnerability chaining (in this case CVE-2022-22972 with CVE-2022-22973) is not a new phenomenon but that, just as in competitive fighting games like Street Fighter and Mortal Kombat, chaining together vulnerabilities increases the impact of an attack.

The vulnerabilities patched as part of VMware’s VMSA-2022-0014 advisory along with the Emergency Directive and associated alert published by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) serve as an important reminder on the importance of patching vulnerabilities as early as possible.

Last month, VMware published an advisory for a number of flaws in the same set of products and within a few days, attackers had already begun scanning for and exploiting two of those flaws against publicly accessible systems.

The publication of the Emergency Directive gives added urgency to the Federal Civilian Executive Branch agencies in the United States, but should also be viewed by other agencies and organizations globally to urgently prioritize patching these flaws.

One of the two flaws patched today, CVE-2022-22972, is an authentication bypass vulnerability, which could be easily exploited by an attacker to gain access to these systems without having prior access to the systems. Chaining this flaw together with CVE-2022-22973 would allow an attacker to elevate privileges to gain root access on these systems. Vulnerability chaining is not a new phenomenon, but just as in competitive fighting games like Street Fighter and Mortal Kombat, chaining together vulnerabilities like moves increases the impact of an attack. — Satnam Narang, staff research engineer, Tenable

 
