
VMware released security updates for three critical vulnerabilities in its Workspace ONE Assist product, which allows IT and help desk staff to remotely support employees.
Workspace ONE Assist is a remote desktop product mainly used by tech support to troubleshoot and fix IT issues for employees from afar. As such, it operates with the highest levels of privilege, which makes it an attractive initial access target and pivot point to other corporate resources for a remote attacker.
Three of the vulnerabilities allowed a malicious actor with network access to Workspace ONE Assist to obtain administrative access without the need to authenticate to the application. The flaws are tracked as CVE-2022-31685 (authentication bypass vulnerability), CVE-2022-31686 (broken authentication method vulnerability), and CVE-2022-31687 (broken access control vulnerability).
Also fixed in the security update for Workspace ONE Assist were two moderate vulnerabilities. One is a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688), and the other is a session fixation vulnerability caused by improper handling of session tokens (CVE-2022-31689).
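The session fixation class mentioned above comes down to one design decision: whether the server keeps using a session token that existed before the user authenticated. The following is an added illustration of that general pattern, not VMware's code and not a description of how Workspace ONE Assist handles sessions; the `SessionStore` class and its `regenerate_on_login` flag are constructed for this example. The weak configuration promotes the pre-login token to an authenticated session, so a token that was known before login stays valid afterwards; the corrected configuration discards it and issues a fresh one at login.

```python
import secrets
import time


class SessionStore:
    """Minimal in-memory session store used to contrast weak and correct
    handling of session tokens across the login boundary.
    Constructed example; not VMware or Workspace ONE Assist code."""

    def __init__(self, regenerate_on_login: bool):
        # Hypothetical switch: True models the corrected behaviour,
        # False models the session-fixation-prone behaviour.
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # token -> {"user": str | None, "created": float}

    def new_session(self) -> str:
        """Issue an anonymous (pre-authentication) session token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": None, "created": time.time()}
        return token

    def login(self, token: str, username: str) -> str:
        """Authenticate the session identified by `token` and return the
        token the client should use from now on."""
        if token not in self._sessions:
            raise KeyError("unknown session")
        if self.regenerate_on_login:
            # Retire the pre-authentication token so a token that was known
            # before login can never become an authenticated one.
            del self._sessions[token]
            token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "created": time.time()}
        return token

    def user_for(self, token: str):
        """Return the authenticated user bound to `token`, or None."""
        entry = self._sessions.get(token)
        return entry["user"] if entry else None


def pre_login_token_still_authenticated(regenerate_on_login: bool) -> bool:
    """True if the token issued before login is bound to the authenticated
    user after login, i.e. the store is prone to session fixation."""
    store = SessionStore(regenerate_on_login)
    pre_login = store.new_session()
    store.login(pre_login, "alice")
    return store.user_for(pre_login) == "alice"


def post_login_token_works(regenerate_on_login: bool) -> bool:
    """True if the token returned by login() identifies the logged-in user,
    which must hold in both configurations."""
    store = SessionStore(regenerate_on_login)
    pre_login = store.new_session()
    post_login = store.login(pre_login, "alice")
    return store.user_for(post_login) == "alice"


if __name__ == "__main__":
    print("weak store keeps pre-login token valid:",
          pre_login_token_still_authenticated(False))
    print("hardened store keeps pre-login token valid:",
          pre_login_token_still_authenticated(True))
```

When reviewing a real application for this class of defect, the check is the same one the second function performs: log in with a known token, then confirm that the old token no longer resolves to the authenticated user.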
Users should update to version 22.10 of Workspace ONE Assist to patch all of the most recently disclosed problems.