The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to all federal bureaus, necessitating them to do something to deal with two vulnerabilities in selected VMware products that are potentially quickly taken advantage of in the wild, and two earlier vulnerabilities in VMWare that were unveiled in April which are being taken advantage of by several threat actors, such as the Advanced Persistent Threat (APT) actors.
The most recent vulnerabilities, monitored as CVE-2022-22973 (high severity) and CVE-2022-22972 (critical), and the two vulnerabilities identified in April impact five VMWare products:
- VMware Workspace ONE Access (Access) Appliance
- VMware vRealize Automation (vRA)
- vRealize Suite Lifecycle Manager
- VMware Identity Manager (vIDM) Appliance
- VMware Cloud Foundation
CVE-2022-22972 is a vulnerability involving authentication bypass impacting VMware Workspace ONE Access, Identity Manager, and vRealize Automation that has an effect on users of local domains. When a malicious actor gets network access to the UI, the vulnerability may be taken advantage of to acquire admin access with no authentication. The vulnerability was given a CVSS severity rating of 9.8 of 10.
CVE-2022-22973 is a vulnerability involving local privilege escalation in VMware Workspace ONE Access and Identity Manager having a CVSS severity rating of 7.8. When a malicious actor got local access, the vulnerability may be taken advantage of to elevate privileges to root. The two vulnerabilities likewise impact vRealize Suite Lifecycle Manager and VMware Cloud Foundation.
The two vulnerabilities identified to have been taken advantage of in the wild are monitored as CVE 2022-22960 (high severity) and CVE 2022-22954 (critical). CISA states the two vulnerabilities were taken advantage of in real-world attacks, independently and together, by several threat actors.
CVE 2022-22954 is a code injection vulnerability having a CVSS rating of 9.8 that impacts VMware Workspace ONE Access and Identity Manager products. Taking advantage of the vulnerability enables threat actors to activate server-side template injection that could result in remote code execution. CVE 2022-22960 involves an inappropriate privilege management problem having a CVSS rating of 7.8 that impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation products, and enables threat actors to elevate privileges to root.
In a single attack, a threat actor having system access to the web interface took advantage of CVE 2022-22954 to perform a shell command as a VMWare user, then took advantage of the second vulnerability to elevate privileges to root. Right after taking advantage of the two vulnerabilities, the threat actor can move sideways to other networks, elevate permissions, and erase records. In a different situation, a threat actor used the Dingo-J-spy web shell right after taking advantage of the vulnerabilities. The two April vulnerabilities’ exploits were created by reverse-engineering the patches launched by VMWare. At this time patches were launched to fix the most recent two vulnerabilities, in the same way, quick exploitation of the vulnerabilities in the wild may be needed.
Although the emergency directive is merely applicable to Federal bureaus, all companies that are utilizing vulnerable VMWare products ought to patch right away or carry out the advised mitigations. The due dates for Federal organizations to finish the needed activities are May 23 to 24, 2022.