PRUEBA AHORA
Vulnerability

VMware Fixes Three Critical Vulnerabilities in Workspace ONE Assist

2 min. read
09/11/2022
By Laura Libeer
VMware remote code execution

⚡ TL;DR | Go Straight to the Workspace ONE Assist Audit Report

VMware has released an update for Workspace ONE Assist in response to 5 security flaws affecting versions 21.x and 22.x, 3 of which are critical. These vulnerabilities would allow an attacker with network access to obtain administrative access to the application without needing to authenticate. This would in turn give them access to potentially critical data and systems.

CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687

The three most problematic vulnerabilities patched are CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All three of these received a critical CVSSv3 base score of 9.8. They are respectively described as an authentication bypass vulnerability, a broken authentication method vulnerability, and a broken access control vulnerability. A malicious actor with network access could use these flaws to obtain administrative access without the need to authenticate to the application. The vulnerabilities affect versions 21.x and 22.x of Workspace ONE Assist on Windows. VMware has patched the issues in version 22.10. You can find more information on VMware’s Advisory page.

CVE-2022-31688 and CVE-2022-31689

2 more vulnerabilities were fixed as well in version 22.10, although these are far less critical than the ones mentioned above. CVE-2022-31688 is a Reflected cross-site scripting (XSS) vulnerability with a CVSSv3 base score of 6.4. With some user interaction, an attacker could exploit this issue to inject javascript code in the target user’s window. CVE-2022-31689 is a session fixation vulnerability with a base score of 4.2 that when exploited would allow an attacker to authenticate to an application for which he has a valid session token. More information can be found in the same advisory.

Upgrade to VMware Workspace ONE Assist Version 22.10

In order to protect yourself against the vulnerabilities mentioned above, VMware advises updating all instances of Workspace ONE Assist to the new 22.10 version. There are no known workarounds for the issues. You can find more details about version 22.10 and the download links in VMware’s KB.

Discover Vulnerable Devices

The Lansweeper team has created a report that will provide you with a list of all devices in your network that have an installation of VMware Workspace ONE Assist that has not yet been upgraded to version 22.10. This way you can easily locate any installs that are still at risk.