CVE-2022-31656 VMware Workspace ONE Access Auth Bypass

Detects exploitation of the VMware Workspace ONE Access authentication bypass vulnerability described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Sigma rule

title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: test
description: |
    Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
    A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
references:
    - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/12
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2022.31656
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/SAAS/t/_/;/'
    condition: selection
falsepositives:
    - Vulnerability scanners
level: high
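
The rule's selection applied to web access logs, as an added example that is not part of the original rule or of the Sigma project. It assumes Combined Log Format and matches against the full request target, case-insensitively as Sigma's `contains` does, in both raw and percent-decoded form; the log lines, IP addresses and the path after the marker are constructed.

```python
import re
from urllib.parse import unquote

# Value of the rule's selection (cs-uri-query|contains).
PATTERN = "/SAAS/t/_/;/"

# Combined Log Format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def uri_matches(target: str) -> bool:
    """Case-insensitive substring test on the raw and percent-decoded target."""
    needle = PATTERN.lower()
    return any(needle in form.lower() for form in (target, unquote(target)))

def scan(lines):
    """Return one dict per parseable log line whose target hits the selection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and uri_matches(m["target"]):
            hits.append({k: m[k] for k in ("client", "time", "target", "status")})
    return hits

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [12/Aug/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5123',
    '198.51.100.7 - - [12/Aug/2022:10:02:15 +0000] "GET /SAAS/t/_/;/example HTTP/1.1" 200 812',
    '198.51.100.7 - - [12/Aug/2022:10:02:16 +0000] "GET /saas/t/_/%3B/example HTTP/1.1" 404 0',
    '203.0.113.5 - - [12/Aug/2022:10:03:40 +0000] "GET /SAAS/t/_/index.html HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["time"], hit["client"], hit["status"], hit["target"])
```

If a log pipeline fills `cs-uri-query` with only the part after `?`, the rule's value, which is a path fragment, has nothing to match against; check the field mapping before relying on the rule.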
