VMware warns of three critical holes in remote-control tool

Anyone can pretend to be your Windows IT support and take command of staff devices

VMware has revealed a terrible trio of critical-rated flaws in Workspace ONE Assist for Windows – a product used by IT and help desk staff to remotely take over and manage employees' devices.

The flaws are all rated 9.8 out of 10 in CVSS severity. A miscreant able to reach a Workspace ONE Assist deployment, either over the internet or on the network, can exploit any of these three bugs to obtain administrative access without the need to authenticate. At which point the intruder or rogue insider can contact users to offer them assistance that is anything but helpful, such as seizing control of devices.

It's all possible because Workspace ONE Assist's authentication code appears to be – let's not sugarcoat this – borked.

We make that assertion because one of the flaws (CVE-2022-31685) allows an attacker to bypass authentication. CVE-2022-31686 is described as a "broken authentication method," and a broken access control is the problem detailed in CVE-2022-31687.

But wait, there's more! Workspace ONE Assist is also afflicted with a 6.4-rated cross-site scripting vulnerability (CVE-2022-31688) that – thanks to improper user input sanitization – can be exploited, with some user interaction, to inject and run malicious JavaScript code in the victim's window.

There's also CVE-2022-31689 to worry about – a 4.2-rated vuln that enables a malicious actor who obtains a valid session token to authenticate to the application using that token.

These flaws apply to versions 21.x and 22.x of Workspace ONE Assist. Version 21.x appears to have debuted in early 2021, while the 22.x series emerged in March 2022.

Version 22.10 clears up all of the above messes, adds a few features, and tidies up some other issues. It's yours for the downloading here.
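The practical question for anyone running this product is which of their Assist servers still sit in the affected range. The script below is an added example written for this article, not VMware's own tooling or anything from the advisory: it takes a hand-built inventory of hostname/version pairs and sorts each into "affected" (21.x, or 22.x before 22.10), "fixed" (22.10 or later) or "unlisted" (a major version the advisory does not mention). The sample inventory is constructed, and the assumption that version strings are plain dotted numerics such as `22.3` or `21.6.2` is mine, as is the reading that every 22.x build before 22.10 counts as affected.

```python
# Added example: triage Workspace ONE Assist version strings against the
# advisory's affected range (21.x and 22.x) and the fixed release (22.10).
# Sample data below is constructed; the dotted-numeric version format is an
# assumption made for this example, not something the advisory specifies.
from typing import List, Tuple

FIXED = (22, 10)  # first release the article says clears up all five CVEs


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '22.3.1' into (22, 3, 1); raise ValueError on anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    v = parse_version(version)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    if major == 21:
        return "affected"              # every 21.x release is in scope
    if major == 22:
        # 22.x is affected until the 22.10 fix; patch levels beyond it are fine
        return "affected" if (major, minor) < FIXED else "fixed"
    return "unlisted"                  # the advisory only covers 21.x and 22.x


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (hostname, version) pairs to (hostname, version, verdict) rows.

    Version strings that fail to parse are reported rather than skipped, so a
    mangled inventory entry cannot silently hide an unpatched server.
    """
    rows = []
    for host, version in inventory:
        try:
            verdict = classify(version)
        except ValueError:
            verdict = "unparseable"
        rows.append((host, version, verdict))
    return rows


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("assist-prod-01", "22.3"),
    ("assist-prod-02", "22.10"),
    ("assist-lab-01", "21.6.2"),
    ("assist-lab-02", "22.10.1"),
    ("assist-old-01", "20.9"),
    ("assist-bad-01", "twenty-two"),
]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:12} {verdict}")
```

Anything reported as "affected" or "unparseable" deserves a look before the next help-desk session, and the "unlisted" bucket is a prompt to check the vendor's notes rather than a clean bill of health.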

VMware hat-tipped Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of REQON IT-Security for discovering and reporting the security weaknesses.

In happier news for Virtzilla, the company has announced that its cloudy wares are now available through HPE's GreenLake ITaaS platform, plus – irony alert – a "more secure" version of its Anywhere Workspace hybrid work suite. ®
