VMware 2FA flaw can divulge that vital second credential to malicious actors
VMware has warned users that a flaw in its VMware Verify two-factor authentication product could allow a malicious actor who already holds a first-factor authentication credential to obtain the second factor from VMware Verify.
CVE-2021-22057 is the rascal behind this issue and is rated 6.6/10. VMware Verify is part of the wider VMware Workspace ONE Access product, which is now available in version 21.08.0.1. That release fixes this bug and a 5.5-rated server-side request forgery (SSRF) that can allow a malicious actor with network access to make HTTP requests to arbitrary origins and read the full response.
News of the two new flaws in Workspace ONE came a day after VMware warned of a critical-rated flaw in the suite.
America wants you to hack the DHS

More signs of sense from the US Department of Homeland Security after it announced a bug bounty program dubbed "Hack the DHS". Not all of it, before you get too excited - the program permits attacks on "Select external DHS systems" and only then by carefully vetted pentesters.
"As the federal government's cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems," said Secretary Alejandro Mayorkas.
"The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors."
News URL
https://go.theregister.com/feed/www.theregister.com/2021/12/20/in_brief_security/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-12-20 | CVE-2021-22057 | Unspecified vulnerability in VMware Workspace ONE Access: VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. | 8.8 |