What we know about VMware CVE-2022-31656 and CVE-2022-31659

Takeaways:

  • VMware Workspace ONE Access vulnerabilities CVE-2022-31656 (authentication bypass) and CVE-2022-31659 (remote code execution) chain together: an unauthenticated attacker with network access to the server can first obtain administrative access and then execute code on it.
  • Imperva Threat Research has seen a sharp rise in exploitation attempts since a proof of concept was published on August 9, 2022, mostly against US- and Singapore-based sites.
  • Imperva's defenses have blocked several thousand attack attempts, most of them launched with automated tools written in the Go programming language; 30% of the attacking IPs carry an Imperva risk score of 70% or higher.
  • Imperva has deployed dedicated security rules covering both CVEs.

On August 9, 2022, a proof of concept was published for CVE-2022-31656 and CVE-2022-31659, two vulnerabilities that VMware had disclosed in a security advisory on August 2, 2022. Both affect VMware Workspace ONE Access, and they build on each other to ultimately allow remote code execution.

For context, CVE-2022-31656 is an authentication bypass: anyone with network access to the server can obtain administrative access without supplying credentials. CVE-2022-31659 is a SQL injection that allows remote code execution once the attacker holds administrator privileges. Neither flaw requires a valid account when they are chained, so an unauthenticated attacker who can reach the server ends up executing code on it. VMware has released patches for both CVEs, and all Workspace ONE Access customers should apply them immediately to mitigate exploitation.

Imperva began seeing attempts to exploit CVE-2022-31656 immediately after the PoC was published on August 9, and the numbers continue to rise. Most attacks target customers in the US and Singapore, primarily in the education and financial sectors, but every Workspace ONE Access customer should take action: the activity is largely automated, and automated scanning is not limited to any particular region or industry.

So far, Imperva has recorded several thousand attack attempts, and 30% of the attacking IPs have an Imperva reputation risk score of 70% or above. The vast majority of attackers are using automated tools written in the Go programming language.

Because Imperva's Cloud WAF (CWAF) applies multiple layers of defense, attempts to exploit CVE-2022-31656 were initially detected by existing security rules, threat reputation, and bot protection policies, before any signature specific to this CVE existed. We have since deployed complete coverage for both vulnerabilities, so all CWAF customers, and On-Premises WAF customers subscribed to the SecureSphere Emergency Feed, are protected against CVE-2022-31656 and CVE-2022-31659. WAF coverage reduces exposure while you patch; it is not a substitute for applying VMware's fix.