VMware Workspace ONE Assist is remote support and troubleshooting software that enables IT support teams to remotely access and control end-user devices, including desktops, laptops, and mobile devices. With Workspace ONE Assist, support technicians can troubleshoot and resolve issues on a device without being physically present at its location. The software provides remote control, screen sharing, file transfer, and chat functions.
The software is often also referred to as Remote Assist.
During a security assessment, REQON discovered multiple security vulnerabilities in the software. The vulnerabilities were rated using the CVSSv3.1 calculator and range from critical to medium risk.
The vulnerabilities have been assigned the following CVE tracking numbers:
After being notified of the vulnerabilities, VMware released multiple security updates to address the findings.
This blog post provides the proof-of-concept (PoC) code for one of the critical vulnerabilities: the authentication bypass vulnerability (CVE-2022-31685).
The PoCs for the remaining vulnerabilities are provided in a separate blog post.
The VMware Workspace ONE Assist (Remote Assist) application requires an authentication (AUTH) token to perform authorized actions, such as taking over devices and creating or changing application users. It was discovered that every installation of the Remote Assist software contains the same valid AUTH token in its database for the T10ServiceAccount user. This user has ‘superadmin’ permissions within the application. The AUTH token is identical across all installations, never expires, and never changes after installation.
This vulnerability allows attackers to authenticate as the T10ServiceAccount (superadmin) on any reachable Workspace ONE Assist environment. This remains possible even if a customer has changed the default password of the T10ServiceAccount user. This essentially makes the vulnerability a full backdoor for anyone who knows about it.
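To make the root cause concrete, here is an added illustration (not VMware's code and not the PoC from this post) that models the two token designs side by side: a service-account token that is shipped identically in every installation, never expires and survives a password change, versus a per-installation token generated from a CSPRNG, stored hashed, bound to a TTL and revoked on password change. The class and function names, the `T10ServiceAccount` user name taken from the finding above, and the placeholder token string are assumptions made for this example; no real token value is used.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    """Server-side record: only a hash of the token is kept, plus its expiry."""
    user: str
    token_hash: bytes
    expires_at: float


class StaticTokenStore:
    """Models the flaw described above: every installation carries the same
    token for the service account; it never expires and never changes.
    SHIPPED_TOKEN is a constructed placeholder, not the real token."""

    SHIPPED_TOKEN = "PLACEHOLDER-STATIC-SERVICE-TOKEN"
    SERVICE_USER = "T10ServiceAccount"

    def issue(self, user: str) -> str:
        return self.SHIPPED_TOKEN          # identical on every install

    def validate(self, token: str):
        # No expiry check and no binding to this installation or its password.
        return self.SERVICE_USER if token == self.SHIPPED_TOKEN else None

    def on_password_change(self, user: str) -> None:
        pass  # the token outlives a password reset, which is the backdoor


class PerInstallTokenStore:
    """Hypothetical hardened design: tokens are generated per installation
    from the OS CSPRNG, stored only as a hash, expire after ttl_seconds and
    are revoked whenever the account's password changes."""

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised offline
        self._records = {}          # user -> TokenRecord

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        self._records[user] = TokenRecord(
            user, self._hash(token), self.clock() + self.ttl_seconds)
        return token                        # plaintext is returned once, never stored

    def validate(self, token: str):
        digest = self._hash(token)
        now = self.clock()
        for rec in self._records.values():
            # Constant-time comparison of hashes, then enforce the TTL.
            if hmac.compare_digest(rec.token_hash, digest) and now < rec.expires_at:
                return rec.user
        return None

    def revoke(self, user: str) -> None:
        self._records.pop(user, None)

    def on_password_change(self, user: str) -> None:
        # Invalidate outstanding tokens so a credential reset actually locks
        # out anyone holding the old token.
        self.revoke(user)


def shares_token_across_installs(store_factory) -> bool:
    """True if two independent installations issue the same service token."""
    a, b = store_factory(), store_factory()
    return a.issue("T10ServiceAccount") == b.issue("T10ServiceAccount")


def survives_password_change(store_factory) -> bool:
    """True if a token issued before a password change still validates after it."""
    store = store_factory()
    token = store.issue("T10ServiceAccount")
    store.on_password_change("T10ServiceAccount")
    return store.validate(token) is not None


if __name__ == "__main__":
    hardened = lambda: PerInstallTokenStore(ttl_seconds=3600)
    print("static: shared across installs =", shares_token_across_installs(StaticTokenStore))
    print("static: survives password change =", survives_password_change(StaticTokenStore))
    print("hardened: shared across installs =", shares_token_across_installs(hardened))
    print("hardened: survives password change =", survives_password_change(hardened))
    # Expiry check with a fake clock (constructed values).
    fake_now = [1000.0]
    store = PerInstallTokenStore(ttl_seconds=60, clock=lambda: fake_now[0])
    tok = store.issue("T10ServiceAccount")
    fake_now[0] += 61
    print("hardened: token valid after TTL =", store.validate(tok) is not None)
```

The two helper functions express the properties a reviewer would check on any service-account token scheme: tokens must differ between installations, and a password reset must invalidate them. The static design fails both, which is exactly why changing the T10ServiceAccount password does not close the hole described above.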