TL;DR on CVE-2022-31656 and CVE-2022-31659

On August 2, 2022, VMware disclosed two vulnerabilities in VMware Workspace ONE products:

  • CVE-2022-31656: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may obtain administrative access without needing to authenticate.
  • CVE-2022-31659: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger remote code execution. 

VMware has published patched versions of the products to remediate the vulnerabilities.

GreyNoise has created tags for tracking and blocking exploit activity on these CVEs that are live and available to all users:

We have not observed either of these CVEs being actively exploited in the wild, as of the publication date of this blog.

Disclosure Discussion

On August 2, 2022, Petrus Viet, the researcher responsible for disclosing the vulnerabilities to VMware, tweeted a screenshot demonstrating successful exploitation of the CVE-2022-31656 authentication bypass, but did not include proof-of-concept (PoC) code.

Based on the screenshot, GreyNoise researchers speculate that Petrus’ work was based on the Horizon3 CVE-2022-22972 PoC, a similar authentication bypass discovered in May 2022.

Figure 1: Comparison between the Horizon3 CVE-2022-22972 PoC (left) and Petrus’ CVE-2022-31656 exploitation screenshot.

A blue teamer with a keen eye may note that the working directory for the CVE-2022-31656 exploit is “D:\Intellij\horizon”, perhaps hinting at Horizon3, in addition to several messages logged to the console that are similar to those from the Horizon3 CVE-2022-22972 PoC:

  • Extraction of “protected_state” from a Workspace ONE endpoint
  • A POST request to the auth endpoint
  • A resulting “HZN” cookie that grants access to the Workspace ONE application

The main difference appears to be the location from which the “protected_state” is extracted. These similarities gave key hints about which application paths defenders should monitor for exploitation attempts.

On August 9, 2022, Petrus published a writeup for both vulnerabilities but did not provide any PoC code. GreyNoise created tags for these CVEs based on the paths from this writeup.

Figure 2: Path for Authentication Bypass (CVE-2022-31656)

Figure 3: Path for Remote Code Execution (CVE-2022-31659)

Mitigation Actions

GreyNoise tags for tracking and blocking this activity are live and available to all users:

Until you can install the patched versions of these VMware products, GreyNoise offers a temporary mitigation you can apply:

  • Block mass exploit IP addresses - GreyNoise is monitoring these CVEs for mass exploit activity, including curating a dynamic list of IP addresses that have attempted to exploit these vulnerabilities over the past 24 hours. You can use this IP list to block those sources temporarily until you have had time to install a patched version. The IP addresses can be downloaded in several formats, including JSON, CSV, and TXT files, as well as dynamically updated URLs for use with Palo Alto Networks, Cisco, and Fortinet firewalls. The IP lists are available at the links above.
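As an added example (not GreyNoise's tooling; the one-address-per-line TXT format, the set names and the firewall layout are assumptions, since the download URL and file format are not given here), this Python script turns a downloaded IP list into self-expiring nftables block sets, skipping malformed entries and refusing to block your own private ranges so a buggy or tampered list cannot lock you out:

```python
import ipaddress

# Constructed sample of a one-address-per-line TXT list (the real download format and
# URL are not on this page); documentation addresses stand in for attacker IPs.
SAMPLE_TXT = """\
203.0.113.7
198.51.100.22
203.0.113.7
10.0.0.5
not-an-ip
2001:db8::1
"""
# Ranges that must never be blocked even if a tampered or buggy feed lists them.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

def parse_ip_list(text):
    """Return validated, deduplicated addresses from a TXT list, in file order."""
    keep = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip a malformed entry rather than abort the whole update
        if ip.is_multicast or ip.is_unspecified or any(ip in n for n in PROTECTED_NETS):
            continue
        keep.append(ip)
    return list(dict.fromkeys(keep))

def nft_block_commands(ips, ttl_hours=24, table="inet filter", chain="input", add_rule=True):
    """Build nft commands for self-expiring block sets, one per IP version.
    Assumes `table` and base chain `chain` exist (set names are illustrative). Elements
    carry a timeout, so re-running with a fresh list refreshes them and stale addresses
    age out; pass add_rule=False on refresh runs so the drop rule is installed once."""
    cmds = []
    for version, set_type, proto in ((4, "ipv4_addr", "ip"), (6, "ipv6_addr", "ip6")):
        members = [str(ip) for ip in ips if ip.version == version]
        if not members:
            continue
        name = f"ws1_block_v{version}"
        cmds.append(f"add set {table} {name} {{ type {set_type}; flags timeout; }}")
        elems = ", ".join(f"{m} timeout {ttl_hours}h" for m in members)
        cmds.append(f"add element {table} {name} {{ {elems} }}")
        if add_rule:
            cmds.append(f"add rule {table} {chain} {proto} saddr @{name} drop")
    return cmds
```

Feed the printed commands to `nft -f -` from a scheduled job that re-downloads the list; because every element carries a 24h timeout, addresses that drop off the feed expire on their own.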
This article is a summary of the full, in-depth version on the GreyNoise Labs blog.