In April 2022, Cybersecurity and Infrastructure Security Agency (CISA) learned that malicious actors exploited two VMware product vulnerabilities. It resulted in VMware releasing updates to fix the first two vulnerabilities, according to CISA. However, within 48 hours of that release, malicious actors reverse-engineered the updates and created exploits that could be leveraged against devices that had not yet applied the updates.
On May 18, 2022, CISA issued an Emergency Directive requiring Federal Civilian Executive Branch (FCEB) agencies with certain VMware products connected to the internet to act as if they’ve been compromised. CISA directed that any FCEB agencies leveraging the following VMware products initiate threat hunting activities using active detection methods provided in the Cybersecurity Advisory (CSA) issued by CISA.
The VMware products include:
- VMware Workspace ONE Access, a digital workspace platform
- VMware Identity Manager (vIDM), the platform’s “identity and access management component”
- VMware vRealize Automation (vRA), an infrastructure automation platform
- VMware Cloud Foundation, a hybrid cloud platform; and
- vRealize Suite Lifecycle Manager, an “application life cycle and content management solution.”
The Authentication Bypass vulnerability impacting VMware Workspace ONE Access, Identity Manager, and vRealize Automation has resulted in a maximum CVSSv3 base score of 9.8. REI is recommending that our customers itemize Internet-facing VMware assets and remove network access to them until they are patched as the authentication bypass vulnerability (CVE- 2022-22972) can be exploited by a malicious actor can exploit agency information systems with network access to the UI to obtain administrative privileges without authentication.
Additionally, we recommend that customers closely monitor all activities with administrative privileges until the patches are deployed as a malicious actor with local access can escalate privileges to ‘root’ exploiting the Local Privilege Escalation vulnerability (2022-22973). For all instances of impacted VMware products, CISA directs either to deploy updates per VMware Security Advisory VMSA-2022-0014 or remove them from the agency network until the update can be applied.
Have questions regarding VMware product vulnerabilities? Visit VMSA-2022-0014: Questions and Answers for the latest information and updates.
Resources
- ED 22-03 Mitigate VMware Vulnerabilities
- VMware Security Advisory VMSA-2022-0011
- VMware Security Advisory VMSA-2022-0014
