VMware issued an advisory on Wednesday warning of flaws affecting VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
Satnam Narang, staff research engineer at security outfit Tenable, said the vulnerabilities patched as part of VMware's VMSA-2022-0014 advisory, along with the Emergency Directive and associated alert published by the US Cybersecurity and Infrastructure Security Agency, were an important reminder to patch vulnerabilities as early as possible.
"Last month, VMware published an advisory for a number of flaws in the same set of products and within a few days, attackers had already begun scanning for and exploiting two of those flaws against publicly accessible systems," he said.
"One of the two flaws patched today, CVE-2022-22972, is an authentication bypass vulnerability, which could be easily exploited by an attacker to gain access to these systems without having prior access to the systems.
"Chaining this flaw together with CVE-2022-22973 would allow an attacker to elevate privileges to gain root access on these systems. Vulnerability chaining is not a new phenomenon, but just as in competitive fighting games like Street Fighter and Mortal Kombat, chaining together vulnerabilities like moves increases the impact of an attack."
Torsten George, cyber security evangelist at Absolute Software, said: "Reports about vulnerabilities in a variety of VMware products that increase the risk for authentication bypass and local privilege escalation are a stark reminder that systems and process failures by third parties can have catastrophic reputational and operational consequences for an organisation.
"As a result, it is no longer sufficient to simply implement procedures for managing vendors and the risk they may expose to the organisation. Instead, organisations need to also safeguard against third-party related control failures.
"This typically equates to running penetration tests, implementing end-to-end vulnerability management, and enforcing risk-based patch management. An often-overlooked aspect is to harden the environment (e.g., endpoints) and assure the efficacy of the security applications themselves.
"Ultimately, companies need confidence that mission-critical applications remain installed, healthy, and effective to counteract human error, malicious actions, software collisions, and normal decay."