CISA Issues Emergency Directive to Patch Vulnerable VMWare Products

An emergency directive has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to all federal agencies, requiring them to take steps to address two vulnerabilities in certain VMware products that are likely to be rapidly exploited in the wild, and two previous vulnerabilities in VMWare products that were disclosed in April which are being exploited by multiple threat actors, including Advanced Persistent Threat (APT) actors.

The latest vulnerabilities, tracked as CVE-2022-22972 (critical) and CVE-2022-22973 (high severity), and the two vulnerabilities from April affect 5 VMWare products:

  • VMware Workspace ONE Access (Access) Appliance
  • VMware Identity Manager (vIDM) Appliance
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

CVE-2022-22972 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users. If a malicious actor has network access to the UI, the flaw can be exploited to gain administrative access without authentication. The vulnerability has been assigned a CVSS severity score of 9.8 out of 10.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager with a CVSS severity score of 7.8. If a malicious actor has local access, the flaw can be exploited to escalate privileges to root. Both flaws also affect VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The two vulnerabilities known to have been exploited in the wild are tracked as CVE 2022-22954 (critical) and CVE 2022-22960 (high severity). CISA says both vulnerabilities have been exploited in real-world attacks, individually and in combination, by multiple threat actors.

CVE 2022-22954 is a code injection vulnerability with a CVSS score of 9.8 that affects VMware Workspace ONE Access and Identity Manager products. Exploitation of the flaw allows threat actors to trigger server-side template injection, which can lead to remote code execution. CVE 2022-22960 is an improper privilege management issue with a CVSS score of 7.8 that affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and allows threat actors to escalate privileges to root.

In one attack, a threat actor with network access to the web interface exploited CVE 2022-22954 to execute a shell command as a VMWare user, then exploited the second flaw to escalate privileges to root. After exploiting both flaws, the threat actor could move laterally to other systems, escalate permissions, and wipe logs. In another case, a threat actor deployed the Dingo-J-spy web shell after exploiting the flaws. Exploits for the two April vulnerabilities were developed by reverse-engineering the patches released by VMWare. Now patches have been released to fix the latest two vulnerabilities, similarly rapid exploitation of the flaws in the wild can be expected.

While the emergency directive only applies to Federal agencies, all organizations that are using vulnerable VMWare products should patch immediately or implement the recommended mitigations. The deadlines for Federal agencies to complete the required actions are May 23 and May 24, 2022.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.