CISA Advises Federal Agencies to Patch VMware Flaws
Emergency Directive Says Many Threat Actors Are Exploiting the Bugs in the Wild
An emergency directive from the U.S. Cybersecurity and Infrastructure Security Agency advises all federal agencies in the country to immediately patch and address two vulnerabilities - one with a critical CVSS score and the other with a high score - that affect at least five VMware products. These include VMware Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation and vRealize Suite Lifecycle Manager.
Both CVE-2022-22954 and CVE-2022-22960 are being exploited - separately and in combination - in the wild by multiple unnamed threat actors, including APTs, CISA says. Exploitation of these vulnerabilities allows threat actors to trigger a server-side template injection that may result in remote code execution, in the case of CVE-2022-22954, or escalation of privileges to root, in the case of CVE-2022-22960.
"We issued Emergency Directive 22-03 in response to observed or expected active exploitation of a series of vulnerabilities in specific VMware products. Federal civilian agencies need to take specific actions to protect their networks today: https://t.co/wyHkKez91U" - Cybersecurity and Infrastructure Security Agency (@CISAgov), May 18, 2022
On April 6, VMware addressed security vulnerabilities that were found and resolved in its products. Both the vulnerabilities on CISA's directive were also listed on VMware's notification.
CVE-2022-22954 has a CVSS score of 9.8 and is rated critical. It is a remote code execution vulnerability in the VMware Workspace ONE Access and Identity Manager products, caused by a server-side template injection. VMware's advisory confirms that this vulnerability is being exploited in the wild.
CVE-2022-22960 has a CVSS score of 7.8 and is rated high severity. It is a privilege escalation vulnerability in the VMware Workspace ONE Access, Identity Manager and vRealize Automation products, caused by improper permissions in support scripts. According to VMware's advisory, this vulnerability is also confirmed as being exploited in the wild.
Exploited as Chained Vulnerabilities
Citing "trusted" third-party reporting, CISA says that threat actors are chaining these vulnerabilities while exploiting them. "At one compromised organization, on or around April 12, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems," CISA says.
In another instance, CISA says, threat actors deployed post-exploitation tools such as the Dingo J-spy web shell. "During incident response activities, CISA observed, on or around April 13, threat actors [were seen] leveraging CVE-2022-22954 to drop the Dingo J-spy web shell," CISA says.
Around the same period, a different CISA-trusted third party observed threat actors leveraging the same vulnerability to drop the Dingo J-spy web shell at another organization.
CISA attributes the rapid exploitation of these two vulnerabilities to reverse engineering of the patch after its release. "VMware released an update to address these vulnerabilities on April 6, 2022, and threat actors were able to reverse-engineer the update and begin exploitation of impacted VMware products that remained unpatched within 48 hours of the update's release," it says.
Actions Suggested to Federal Agencies
CISA added exploited vulnerabilities CVE-2022-22954 and CVE-2022-22960 to its Known Exploited Vulnerabilities Catalog on April 14 and 15, respectively. The due date for patching these vulnerabilities in all federal agencies was set for May 5 and 6, respectively. But it appears that several organizations have missed this deadline, resulting in the emergency directive. The new deadline for all federal civilian executive branch agencies to complete the patching or implement a temporary workaround has now been set for Monday, May 23, according to the emergency directive.
CISA offers federal agencies the following advice:
- Enumerate all instances of affected VMware products on respective agency networks.
- For all instances of affected VMware products enumerated, either deploy updates according to the VMware security advisory or remove the respective VMware product(s) from the agency network until an update can be applied. Also, where updates are not available due to end of service or end of life, remove these products immediately from agency networks.
- For all instances of affected VMware products that are accessible from the internet, assume compromise and immediately disconnect the product from the production network and conduct threat hunting as outlined in the CISA cybersecurity advisory. Agencies may reconnect these products to their networks only after threat hunting has been completed, no anomalies have been detected and updates have been applied.
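The three actions above form a small decision procedure, and the ordering matters: an internet-facing instance is treated as compromised whether or not it has since been patched, because exploitation began within 48 hours of the patch release and applying a patch does not evict an attacker who is already present. The following is an added example, not code from CISA, VMware or the article; the inventory record layout, the product-name strings and the sample hosts are constructed assumptions, and a real run would read the inventory from an asset database.

```python
"""Triage helper for the three directive actions (enumerate, patch-or-remove,
isolate-and-hunt internet-facing instances). Added example; the inventory
record layout and sample hosts are constructed assumptions, not CISA's data."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ISOLATE_AND_HUNT = 1   # internet-facing: assume compromise, disconnect, hunt
    REMOVE_EOL = 2         # no update available: remove from the network now
    PATCH = 3              # deploy the update from the VMware advisory
    VERIFY = 4             # already patched and not internet-facing: confirm only
    NOT_AFFECTED = 5       # product is not on the directive's list


# Products named in the directive (taken from the article text).
AFFECTED_PRODUCTS = {
    "VMware Workspace ONE Access",
    "VMware Identity Manager",
    "VMware vRealize Automation",
    "VMware Cloud Foundation",
    "VMware vRealize Suite Lifecycle Manager",
}


@dataclass(frozen=True)
class Instance:
    hostname: str
    product: str
    patched: bool          # vendor update from the April 6 advisory applied
    end_of_life: bool      # no update will be published for this version
    internet_facing: bool  # reachable from the internet on any interface


def triage(inst: Instance) -> Action:
    """Map one inventory record to the directive action.

    Internet exposure is checked first: such an instance is assumed
    compromised even if it is now patched, since the patch may have landed
    after the 48-hour exploitation window had already opened.
    """
    if inst.product not in AFFECTED_PRODUCTS:
        return Action.NOT_AFFECTED
    if inst.internet_facing:
        return Action.ISOLATE_AND_HUNT
    if inst.end_of_life:
        return Action.REMOVE_EOL
    if inst.patched:
        return Action.VERIFY
    return Action.PATCH


def reconnect_allowed(inst: Instance, hunt_clean: bool) -> bool:
    """An isolated instance may return to production only when threat hunting
    found no anomalies AND the update is applied. An end-of-life product can
    never satisfy the second condition and therefore stays off the network."""
    return hunt_clean and inst.patched and not inst.end_of_life


def worklist(inventory):
    """Return (hostname, action) pairs, most urgent first, skipping unaffected hosts."""
    rows = [(i.hostname, triage(i)) for i in inventory]
    rows = [r for r in rows if r[1] is not Action.NOT_AFFECTED]
    return sorted(rows, key=lambda r: r[1].value)


# Constructed sample inventory: hostnames and states are made up for the demo.
SAMPLE_INVENTORY = [
    Instance("idm-01", "VMware Identity Manager", patched=True, end_of_life=False, internet_facing=True),
    Instance("wsone-02", "VMware Workspace ONE Access", patched=False, end_of_life=False, internet_facing=False),
    Instance("vra-legacy", "VMware vRealize Automation", patched=False, end_of_life=True, internet_facing=False),
    Instance("vcf-03", "VMware Cloud Foundation", patched=True, end_of_life=False, internet_facing=False),
    Instance("fileshare", "Some Other Product", patched=True, end_of_life=False, internet_facing=True),
]

if __name__ == "__main__":
    for host, action in worklist(SAMPLE_INVENTORY):
        print(f"{host:12} {action.name}")
```

Running the block prints the constructed hosts in urgency order: the internet-facing identity manager is isolated first even though it is patched, the end-of-life instance is removed rather than queued for a patch that will never arrive, and the unaffected product is dropped from the list.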
Although this directive and the suggested actions are aimed at federal agencies, CISA Director Jen Easterly says organizations of all sizes need to pay attention to it.
"These vulnerabilities pose an unacceptable risk to federal network security. CISA has issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. [But] we also strongly urge every organization - large and small - to follow the federal government's lead and take similar steps to safeguard their networks," Easterly says.
CISA has listed the technical details, detection methods, indicators of compromise and mitigation measures in a separate alert released on Wednesday.
Two Other Vulnerabilities
CISA's updated emergency directive, which also covers two newly disclosed vulnerabilities in the same products, says: "CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products."
The first of these flaws has a CVSS score of 9.8 and is rated critical. According to VMware, it is an authentication bypass vulnerability affecting local domain users and is found in the VMware Workspace ONE Access, Identity Manager and vRealize Automation products.
The second is a local privilege escalation vulnerability with a CVSS score of 7.8. It affects the VMware Workspace ONE Access and Identity Manager products.
CISA says that "these vulnerabilities pose an unacceptable risk to federal civilian executive branch agencies and require emergency action. CISA will continue to work with our partners to monitor for active exploitation associated with these vulnerabilities and will notify agencies and provide additional guidance, as appropriate."
CISA has offered to provide technical assistance to agencies that do not have the internal capabilities to comply with this directive.