Patch these vulnerable VMware products or remove them from your network, CISA warns federal agencies

Companies should immediately patch or remove VMware products affected by newly disclosed critical flaws, warns the US Cybersecurity and Infrastructure Security Agency (CISA).

The drastic measure of removing the products if they can’t be patched is based on past exploitation of critical VMware flaws within 48 hours of disclosure, according to CISA. 

VMware on Wednesday 18 May disclosed multiple security flaws in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. 

SEE: Just in time? Bosses are finally waking up to the cybersecurity threat

The vulnerabilities are being tracked as CVE-2022-22972 and CVE-2022-22973, which are respectively an authentication bypass with a severity score of 9.8 out of 10, and a local privilege escalation vulnerability with a score of 7.8. 

An attacker with network access to the management user interface could access it without the need for a password, VMware warns in an advisory. 

Patches are available and VMware is urging customers to apply them or mitigate the issues immediately, warning in a separate blogpost that the “ramifications of this vulnerability are serious”.   

CISA has told US federal civilian agencies to immediately patch them or remove the affected products on the basis of near immediate and widespread exploitation of two VMware flaws – CVE-2022-22954 and CVE-2022-22960 – in the same products in April. 

VMware released patches for them in April but attackers quickly reverse engineered the patches and chained them together for exploitation. 

“Malicious cyber actors were able to reverse engineer the vendor updates to develop an exploit within 48 hours and quickly began exploiting these disclosed vulnerabilities in unpatched devices,” CISA said. 

“Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022.” 

Security firm Rapid7 observed active exploitation in the wild on April 12, six days after VMware issued patches. Soon after, several public proof-of-concept exploits were being used to install coin miners on vulnerable systems. Attackers chained together CVE-2022-22954 (a server-side template injection issue affecting VMware Workspace ONE Access and Identity Manager) with CVE-2022-22960 (a local privilege escalation bug) to escalate to root privileges. 

CISA issued an emergency directive requiring federal agencies to immediately patch the April VMware flaws as it had done with the Apache Log4j “Log4Shell” flaws. 

SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

The security authority has issued the same directive to federal agencies for the latest VMware flaws, noting the flaws “pose an unacceptable risk” to federal civilian agencies.   

“CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” it says. 

Cybersecurity authorities from other nations have not issued alerts about the latest VMware flaws. CISA, however, recommends all organizations to patch them swiftly if vulnerable systems are accessible from the internet. VMware has published mitigation steps for some of the affected products.