The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive to all federal agencies to mitigate two new VMware vulnerabilities.
The directive relates to two new vulnerabilities – CVE-2022-22972 and CVE-2022-22973 – that CISA believes threat actors are likely to exploit across numerous VMware products. These are VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
This follows the significant exploitation of two earlier vulnerabilities in these VMware products, CVE 2022-22954 and CVE 2022-22960, discovered in April. While VMware released an update to patch these vulnerabilities on April 6 2022, threat actors were able to reverse engineer the update and begin the exploitation of impacted VMware products that remained unpatched within 48 hours of the update’s release.
CISA is concerned that threat actors will quickly develop the capability to exploit CVE-2022-22972 and CVE-2022-22973 in the same way. This includes via remote code execution, escalating privileges to ‘root’ and obtaining administrative access without the need to authenticate. VMware released an update for these two vulnerabilities yesterday (May 18).
The directive stated: “CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
CISA has given all FCEB agencies a deadline of Monday, May 23 2022, to mitigate these issues. They are required to:
- Enumerate all instances of impacted VMware products on agency networks
- Deploy the WMware updates for the vulnerabilities or remove VMware products from the agency network until the update can be applied
In cases where updates are not available due to products being unsupported by the vendor, they must be immediately removed from the agency network.
In addition, for all instances of impacted VMware products that are accessible from the internet, FECB agencies must:
- Assume compromise, immediately disconnect from the production network and conduct threat hunt activities
- Immediately report any anomalies detected to CISA at email@example.com CISA emphasized that the above actions apply to agency assets in information systems used or operated in third-party environments.
Earlier this week, CISA, alongside the cybersecurity authorities of Canada, New Zealand, the Netherlands and the UK, outlined 10 of the most common ways threat actors compromise their victims, most of which can be mitigated by basic cyber-hygiene best practices.