The Cybersecurity and Infrastructure Security Agency (CISA) is ordering federal civilian executive branch agencies to apply updates that mitigate several serious VMware vulnerabilities within five days.
In a Wednesday emergency directive, CISA highlighted the four recently patched VMware bugs (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972 and CVE-2022-22973) as an “unacceptable risk” for agencies. Agencies have until May 23 to enumerate all impacted VMware products on their networks and then either deploy updates or remove the products from the network until updates can be applied.
“This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” according to CISA’s emergency directive.
The flaws impact VMware’s Workspace ONE Access (formerly Identity Manager) identity management solution, and vRealize Automation, an infrastructure management platform for configuring IT resources and automating container-based application delivery. Also affected are VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
The flaws include a critical remote code execution vulnerability (CVE-2022-22954) stemming from server-side template injection and a high-severity bug (CVE-2022-22960) allowing attackers with local access to escalate privileges to root. VMware released patches on April 6, but CISA said that within 48 hours attackers reverse engineered the updates and started to exploit impacted VMware products that remained unpatched. In one case, CISA said it deployed an incident response team to a “large organization” where attackers were exploiting CVE-2022-22954. The agency said it has also received information, including indicators of compromise (IOCs), from third parties about observed exploitation at multiple other large organizations.
The other two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) were patched on Wednesday. The first flaw (CVE-2022-22972) could enable an attacker with network access to the user interface to obtain administrative access without authentication. The other bug (CVE-2022-22973) is a privilege escalation error allowing an attacker with local access to escalate privileges to root.
“CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products,” according to the directive.
CISA said that agencies must “assume compromise” if they find any instances of impacted VMware products accessible from the internet. In this case, they should immediately disconnect the products from the network and report any anomalies identified to CISA. Additionally, agencies must remove products from their networks if they are unsupported by the vendor (either due to end of life or end of service).
While CVE-2022-22954 and CVE-2022-22960 were previously added to CISA’s catalog of known exploited vulnerabilities, emergency directives allow the Department of Homeland Security (DHS) to require more timely actions from federal agencies in response to known security flaws, and they have been used previously to address significant flaws such as the Log4j and Microsoft Exchange bugs. CISA said it will continue to monitor for active exploitation with partners and provide technical assistance to agencies that are “without internal capabilities sufficient” to comply with the directive.