VMware addresses three critical flaws in Workspace ONE!

VMware has recently released patches for three critical-severity vulnerabilities affecting the Workspace ONE Assist solution.

Workspace ONE Assist provides a console through which IT staff can access remote devices and troubleshoot them in real time. The console can also be used for screen sharing, file system management, and remote command execution.

The vulnerabilities are tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. These flaws can be exploited to achieve privilege escalation without any user interaction.

Technical Details

CVE-2022-31685: An authentication bypass vulnerability in VMware Workspace ONE Assist prior to 22.10. Any threat actor with network access can exploit this flaw to obtain administrative access to the application without authentication.

CVE-2022-31686: A broken authentication method flaw in VMware Workspace ONE Assist prior to 22.10. Any attacker with network access can exploit this vulnerability to obtain administrative access without the need for authentication.

CVE-2022-31687: A broken access control vulnerability in VMware Workspace ONE Assist prior to 22.10. Any attacker with network access can exploit this flaw and may obtain administrative access without the need for authentication.

VMware also addressed two more flaws, tracked as CVE-2022-31688 (an XSS flaw) and CVE-2022-31689 (a session fixation vulnerability).

CVE-2022-31688: A reflected cross-site scripting vulnerability in VMware Workspace ONE Assist prior to 22.10, which is due to improper sanitization of user input. Successful exploitation of this flaw would allow an attacker to inject JavaScript code into the target system.

CVE-2022-31689: A session fixation vulnerability in VMware Workspace ONE Assist prior to 22.10. Any attacker with a valid session token can exploit this flaw to authenticate to the application.

Affected Applications

VMware Workspace ONE Assist prior to 22.10.

Solution

Update to Workspace ONE Assist version 22.10, released by VMware, which addresses all the listed vulnerabilities.
