From 4f7738b8674efdfd1908b40c851a739176ac2c2b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:29:52 +0100
Subject: [PATCH] Add rule CVE-2022-31656

---
 rules/web/web_cve_2021_43798_grafana.yml | 2 +-
 rules/web/web_cve_2022_31656_auth_bypass.yml | 22 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 rules/web/web_cve_2022_31656_auth_bypass.yml

diff --git a/rules/web/web_cve_2021_43798_grafana.yml b/rules/web/web_cve_2021_43798_grafana.yml
index fc4fc7478..e4622ae43 100644
--- a/rules/web/web_cve_2021_43798_grafana.yml
+++ b/rules/web/web_cve_2021_43798_grafana.yml
@@ -1,7 +1,7 @@
 title: Grafana Path Traversal Exploitation CVE-2021-43798
 id: 7b72b328-5708-414f-9a2a-6a6867c26e16
 status: experimental
-description: Detects a successful Grafana path traversal exploitation 
+description: Detects a successful Grafana path traversal exploitation
 author: Florian Roth
 references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
diff --git a/rules/web/web_cve_2022_31656_auth_bypass.yml b/rules/web/web_cve_2022_31656_auth_bypass.yml
new file mode 100644
index 000000000..1d5de9178
--- /dev/null
+++ b/rules/web/web_cve_2022_31656_auth_bypass.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
+id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
+status: experimental
+description: |
+ Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
+ VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/SAAS/t/_/;/'
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
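Review bot: The description of the new rule claims it "Detects the exploitation" of CVE-2022-31656, but the detection block is a single `c-uri|contains: '/SAAS/t/_/;/'` substring match with no condition on response status or method, so it fires on every request carrying that path, including the vulnerability-scanner probes the rule itself lists under falsepositives; what it identifies is an attempt, not a confirmed bypass. The grafana rule touched in the same commit is explicit about this distinction ("Detects a successful ... exploitation"), so the wording here should match what the logic can actually support: `description: Detects exploitation attempts against the VMware Workspace ONE Access authentication bypass (CVE-2022-31656) by matching the bypass path in web server request logs`. If a success-only variant is wanted, that requires an additional selection on the response status rather than a wording change; nothing in the current webserver selection distinguishes the two. The references entry is a single third-party write-up; adding the vendor security advisory for this CVE would help an analyst triaging a hit confirm affected versions and the fix.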