US security agency issues emergency alert over vulnerable VMware products
A string of actively exploited critical vulnerabilities across five popular VMware products has been described as an "unacceptable risk" to government systems
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive (ED 22-03) instructing all federal civilian agencies to patch or remove a number of actively exploited VMware products.
Five VMware products carry vulnerabilities that attackers can chain to achieve remote code execution (RCE) and then escalate privileges to root.
CISA said that “these vulnerabilities pose an unacceptable risk” to federal agencies and the situation required “emergency action”.
The directive’s instructions to either patch immediately or remove the affected products are mandatory for all federal civilian agencies and strongly recommended for the private sector.
It’s currently unknown who is exploiting the VMware vulnerabilities, but CISA said it is likely to be an Advanced Persistent Threat (APT) hacking group – a type of group that is often backed by nation-states.
A CISA incident response team has already been deployed to one large organisation that has reported evidence of an attack, and “multiple other large organisations” have also been affected, according to intelligence.
The affected VMware products are VMware Workspace ONE Access (Access), VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Two vulnerabilities in the affected products were patched on 6 April, but CISA said attackers reverse engineered the fixes and began exploiting the flaws within 48 hours of the update’s release.
Tracked as CVE-2022-22954 and CVE-2022-22960, they are a server-side template injection flaw leading to RCE and a local privilege escalation flaw, with CVSSv3 scores of 9.8 and 7.8 respectively.
VMware released patches for two further vulnerabilities on Wednesday 18 May, tracked as CVE-2022-22972 and CVE-2022-22973.
The first is an authentication bypass in VMware Workspace ONE Access, Identity Manager and vRealize Automation, and carries the more serious CVSSv3 score of 9.8. CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager, scored 7.8.
CISA believes that the same APT group may try to reverse engineer these two new vulnerabilities and combine them with the two from April to create an attack chain that could lead to a full system compromise.
Federal agencies have been told to enumerate every instance of the affected VMware products on their networks and either apply VMware’s patches or remove the products until they can be patched.
Agencies have also been told that any vulnerable instance that was exposed to the internet should be assumed to be already compromised: it should be taken offline and subjected to active threat hunting, with any anomalies reported to CISA.
Agencies can reconnect products only if they found no anomalies and all the necessary updates have been applied.
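As an added threat-hunting example, not from the article or from CISA, the Python script below scans web server access logs for the server-side template injection used against CVE-2022-22954. The request path (/catalog-portal/ui/oauth/verify) and the deviceUdid parameter are those publicly documented for that flaw; the log lines, addresses and timestamps are constructed for the example, and a real hunt would run over the web server logs of each Workspace ONE Access or Identity Manager instance.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log for this example. The fourth line
# double-URL-encodes its payload to exercise the decoder.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2022:10:14:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B7*7%7D HTTP/1.1" 400 512 "-" "python-requests/2.27.1"
198.51.100.23 - - [20/May/2022:10:15:40 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=9f2c1a HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2022:10:16:11 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2022:10:17:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 512 "-" "curl/7.68.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint and parameter abused by the CVE-2022-22954 template injection.
VULN_PATH = "/catalog-portal/ui/oauth/verify"
VULN_PARAM = "deviceUdid"

# Freemarker interpolation syntax, or its Execute utility, inside the parameter.
TEMPLATE_RE = re.compile(r"\$\{|#\{|freemarker\.template\.utility", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text):
    """Return one record per request carrying template syntax in deviceUdid."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs already URL-decodes once; fully_decode strips any extra layers.
        params = parse_qs(url.query, keep_blank_values=True)
        for raw in params.get(VULN_PARAM, []):
            payload = fully_decode(raw)
            if TEMPLATE_RE.search(payload):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": int(rec["status"]),
                    "ua": rec["ua"],
                    "payload": payload,
                })
    return hits


def suspicious_sources(hits):
    """Source addresses to pivot on (other requests, other hosts) once a hit is confirmed."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} ua="{h["ua"]}" payload={h["payload"]}')
    print("pivot on:", suspicious_sources(found))
```

A hit is a starting point, not a verdict: the directive's instruction is to treat internet-exposed instances as compromised regardless of what the logs show, so an empty result does not clear a host, and a 400 response to an injection attempt does not mean it failed. Pivot from the flagged sources to every other request they made and to the later privilege-escalation and authentication-bypass flaws named above.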
CISA’s Binding Operational Directive 22-01 of November 2021, which requires federal agencies to remediate every entry on its growing Known Exploited Vulnerabilities (KEV) catalogue by a set deadline, also covers CVE-2022-22954 and CVE-2022-22960.
The two flaws were added to the list of must-patch security issues in April; patching them is compulsory for all departments tasked with safeguarding federal information and information systems.
An earlier directive from 2019 (BOD 19-02) also applies: it compels the same federal agencies to remediate critical and high-severity vulnerabilities on internet-accessible systems within fixed time frames.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.