U.S. Agencies Ordered to Fix Critical VMware Vulnerabilities by Monday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to fix critical vulnerabilities in VMware products by Monday or remove the products from service.

Multiple VMware products are affected by two new critical vulnerabilities that the company issued updates for yesterday. Recorded as CVE-2022-22972 and CVE-2022-22973, the bugs allow an authentication bypass and a local privilege escalation.

In ordering federal agencies to patch affected products quickly, CISA said in its emergency directive that it “expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities.”

The authentication bypass is the most critical of the vulnerabilities, as an attacker with simple network access can gain administrative access without authentication. As a result, CVE-2022-22972 was rated a 9.8, just below the highest critical severity rating. The exploit can also be chained with the local privilege escalation (CVE-2022-22973) to gain root access.

VMware has published a detailed list of vulnerable products:

• VMware Workspace ONE Access (Access)
• VMware Identity Manager (vIDM)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

CISA noted in its directive that “these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action.”

“Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” the agency added.

CVE 2022-22954 and CVE 2022-22960 were detected in April and allow hackers to gain full control of the targeted systems.

VMware customers must immediately patch Workspace ONE Access, Identity Manager, and vRealize Automation, CISA said. The agency also strongly encouraged administrators to run behavioral analysis on root accounts to detect any suspicious activity and collect IoCs (indicators of compromise).

If you have affected VMware products that are accessible from the internet, you should “Assume compromise, immediately disconnect from the production network,” and conduct threat hunting activities as outlined in a CISA alert.

Read next: Top Vulnerability Management Tools for 2022