The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive on two new vulnerabilities in VMware products. According to the agency, threat actors are likely to exploit CVE-2022-22972 and CVE-2022-22973 in several products, including VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager, much as CVE-2022-22954 and CVE-2022-22960 were exploited in April. CISA called on organizations to act quickly to mitigate the risk these vulnerabilities pose.
Threat actors expected to exploit the new VMware vulnerabilities quickly
On May 18, 2022, VMware released updates for CVE-2022-22972 and CVE-2022-22973, which CISA said it expects threat actors to exploit quickly. “Exploitation of these vulnerabilities allows attackers to trigger server-side template injection, which may result in remote code execution (CVE-2022-22954); escalate privileges to root (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need for authentication (CVE-2022-22972),” the security advisory read.
CISA determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise and the high potential for compromise of agency information systems.
Mitigating the new VMware vulnerabilities
To mitigate the risk from these vulnerabilities, CISA said all FCEB agencies should take the following actions:
- Enumerate all instances of affected VMware products on agency networks.
- For all instances of affected VMware products, either deploy the updates per VMware Security Advisory VMSA-2022-0014 or remove them from the agency network until the update can be applied. “Where updates are not available because a product is no longer supported by the vendor (e.g. end of service life, end of life), unsupported products must be removed from agency networks immediately,” CISA said.
- For all instances of affected VMware products that are accessible from the internet, assume compromise, immediately disconnect them from the production network and conduct threat-hunting activities as outlined in CISA's Cybersecurity Advisory, and report any identified anomalies to email@example.com immediately.
“Agencies may reconnect these products to their networks only after threat-hunting activities have been completed without finding anomalies and the updates have been applied,” the directive said.
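As an added illustration of the three steps above (this is example code, not CISA's or VMware's tooling), the following Python script walks a constructed asset inventory through the directive's decision logic: in-scope products are identified by the names the directive lists, internet-exposed instances are treated as compromised and isolated for threat hunting, unsupported products are flagged for removal, unpatched supported products are flagged for the VMSA-2022-0014 update, and reconnection is permitted only once the hunt has completed clean and the update is applied. The CSV layout, the hostnames and the per-host flags are all assumptions made for the example; the patch status column stands in for whatever version check an agency performs against the advisory.

```python
"""Triage an asset inventory against the three actions in CISA's VMware directive.

Added example, not CISA's or VMware's code. The inventory format and every
host below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# Products named in the directive as affected (from the article text).
AFFECTED_PRODUCTS = {
    "VMware Workspace ONE Access",
    "VMware Identity Manager",
    "VMware vRealize Automation",
    "VMware Cloud Foundation",
    "vRealize Suite Lifecycle Manager",
}

# Constructed sample inventory (assumed CSV layout, hostnames are placeholders).
# hunt_result: yes = hunt completed clean, no = anomalies found, blank = not done.
SAMPLE_INVENTORY = """host,product,vendor_supported,patched_vmsa_2022_0014,internet_exposed,hunt_result
idm01.corp.example,VMware Identity Manager,yes,no,yes,
vra02.corp.example,VMware vRealize Automation,yes,yes,no,
access03.corp.example,VMware Workspace ONE Access,no,no,yes,yes
other04.corp.example,Other VMware product (not listed in the directive),yes,yes,yes,
"""


@dataclass
class Asset:
    host: str
    product: str
    vendor_supported: bool
    patched: bool            # update from VMSA-2022-0014 applied
    internet_exposed: bool
    hunt_result: Optional[bool]  # None = threat hunt not yet completed


def _flag(value: str) -> Optional[bool]:
    """Map yes/no style CSV cells to bool; anything else (e.g. blank) is None."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def parse_inventory(text: str) -> List[Asset]:
    """Step 1: enumerate instances from the inventory export."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Asset(
            host=r["host"].strip(),
            product=r["product"].strip(),
            vendor_supported=_flag(r["vendor_supported"]) is True,
            patched=_flag(r["patched_vmsa_2022_0014"]) is True,
            internet_exposed=_flag(r["internet_exposed"]) is True,
            hunt_result=_flag(r["hunt_result"]),
        )
        for r in rows
    ]


def triage(asset: Asset) -> List[str]:
    """Steps 2 and 3: decide the required actions for one instance."""
    if asset.product not in AFFECTED_PRODUCTS:
        return ["not in scope of the directive"]
    actions: List[str] = []
    if asset.internet_exposed:
        # Directive: assume compromise, isolate, and threat hunt.
        actions.append("assume compromise: disconnect from production network and threat hunt")
    if not asset.vendor_supported:
        actions.append("unsupported product: remove from the network immediately")
    elif not asset.patched:
        actions.append("apply VMSA-2022-0014 update, or remove from network until it can be applied")
    if not actions:
        actions.append("patched and not exposed: no further action")
    return actions


def reconnect_allowed(asset: Asset) -> bool:
    """Reconnection requires a clean completed hunt (if exposed) AND the update applied."""
    if asset.product not in AFFECTED_PRODUCTS:
        return True
    updated = asset.vendor_supported and asset.patched
    if asset.internet_exposed:
        return updated and asset.hunt_result is True
    return updated


def triage_inventory(text: str) -> Dict[str, List[str]]:
    """Produce a host -> actions report for the whole inventory."""
    return {a.host: triage(a) for a in parse_inventory(text)}


if __name__ == "__main__":
    for asset in parse_inventory(SAMPLE_INVENTORY):
        print(asset.host, "->", "; ".join(triage(asset)),
              "| reconnect allowed:", reconnect_allowed(asset))
```

Running the script prints one line per host; in the sample, only the patched, non-exposed vRealize Automation instance is cleared, the exposed vIDM instance is isolated and queued for patching, and the unsupported Workspace ONE Access instance is flagged for removal even though its hunt came back clean.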
For its part, CISA said it would continue to work with partners to monitor for active exploitation of these vulnerabilities and would notify agencies and provide further guidance as needed. “CISA will provide technical assistance to agencies that do not have sufficient internal capacity to comply with this directive,” the agency added. CISA also said that by 30 June 2022 it will deliver a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget and the Federal CISO identifying cross-agency status and outstanding issues.
Copyright © 2022 IDG Communications, Inc.