VMware fixes two new vulnerabilities, CISA orders federal agencies to patch immediately
Bugs affecting Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation (vRA) should be patched immediately, VMware says
VMware has released patches to address two security flaws that impact Workspace ONE Access, Identity Manager, and other VMware products and could be used to compromise enterprise networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive on Wednesday, requiring all federal civilian agencies to patch the two vulnerabilities in VMware products or remove those instances from agency networks by May 23 (Monday).
The first of the two vulnerabilities, which is tracked as CVE-2022-22972 (CVSS score: 9.8), is an authentication bypass issue impacting VMware's Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation (vRA) products.
An attacker with network access to the UI may exploit this weakness to get administrator access without having to authenticate first.
The second flaw, CVE-2022-22973 (CVSS score: 7.8), is a local privilege escalation issue in VMware Workspace ONE Access and vIDM that could allow an attacker with local access to achieve "root" privileges on vulnerable systems.
VMware said it is extremely important for admins to immediately fix or mitigate these issues in on-premises installations.
In a supplemental blog post, VMware stated that while certain workarounds for the reported issues were available, using them instead of applying the patches may impact an organisation's operations.
"The workaround will make admins unable to log into the Workspace ONE Access console using the local admin account, which may impact your organisation's operations," the company explained.
There have been no reports of proof-of-concept exploits created for CVE-2022-22972 or CVE-2022-22973 or the vulnerabilities being exploited by hackers.
CISA expects threat actors to quickly develop a capability to exploit the newly disclosed vulnerabilities. It points to how a previous VMware update, which fixed CVE-2022-22954 and CVE-2022-22960, was reverse engineered by attackers who began exploiting unpatched VMware products within 48 hours of the update's release.
"CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch agencies and require emergency action," the agency said.
CISA described the enormous capabilities that attackers may obtain by exploiting the vulnerabilities.
"According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organisation, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user," CISA said.
"The actor then exploited CVE-2022-22960 to escalate the user's privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems."
Last month, VMware fixed CVE-2022-22954 and CVE-2022-22960, which affect VMware Workspace ONE Access, vIDM, vRA, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
CISA says organisations with affected VMware products that are accessible from the internet should assume their machines are compromised and begin threat hunting efforts using the detection methodologies in its Cybersecurity Advisory (CSA).
"If potential compromise is detected, administrators should apply the incident response recommendations included in the CSA."
The agency said it would continue to monitor any active exploitation of these vulnerabilities with its partners, and would provide further guidance as needed.