CISA issues emergency warning over two new VMware vulnerabilities

The U.S. Cybersecurity and Infrastructure Agency (CISA) has issued an emergency directive over two new vulnerabilities in VMware products. According to the advisory, threat actors are likely to exploit CVE-2022-22972 and CVE-2022-22973 in several products including VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, much like they did in relation to CVE 2022-22954 and CVE 2022-22960 in April. CISA has urged organizations to take swift action to mitigate the risks associated with the vulnerabilities.

Threat actors will be quick to exploit new VMware vulnerabilities

On May 18, 2022, VMware released an update for CVE-2022-22972 and CVE-2022-22973, which CISA said it expects threat actors to quickly exploit. “Exploiting the vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” the security warning read.

CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Mitigating the new VMware vulnerabilities

To mitigate the risks surrounding the vulnerabilities, CISA stated that all FCEB agencies must complete the following actions:

• Enumerate all instances of impacted VMware products on agency networks.
• For all instances of impacted VMware products, either deploy updates per VMware Security Advisory VMSA-2022-0014 or remove them from the agency network until the update can be applied. “Where updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks,” CISA said.
• For all instances of impacted VMware products that are accessible from the internet, assume compromise, immediately disconnect from the production network, and conduct threat hunt activities as outlined in the CISA cybersecurity advisory and immediately report any anomalies identified to central@cisa.dhs.gov.

“Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied,” the warning stated.

As for CISA itself, the agency said will continue to work with partners to monitor for active exploitation associated with the vulnerabilities and will notify agencies and provide additional guidance, as appropriate. “CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this directive,” it added. By June 30, 2022, CISA said it will provide a report to the secretary of Homeland Security, the national cyber director, the director of the Office of Management and Budget, and the federal CISO identifying cross-agency status and outstanding issues.