VMware vulnerabilities under attack, CISA urges action

Administrators are grappling with four VMware vulnerabilities -- two older flaws that are under active exploitation and two new bugs that CISA believes will be exploited soon.

Enterprise administrators are being advised to update their VMware installations following the disclosure of two vulnerabilities in the virtualization platform, as well as the exploitation of two other, previously disclosed VMware bugs.

According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors are actively exploiting two flaws disclosed last month to gain a foothold in networks. The remote code execution flaw (a server-side template injection) and the local privilege escalation flaw, tracked as CVE-2022-22954 and CVE-2022-22960 respectively, could allow an attacker to take remote control of a vulnerable appliance and then escalate to root on it.

"VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices," CISA said in an advisory Wednesday.

The bugs are present in VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and VMware vRealize Suite Lifecycle Manager (vRSLCM). CISA warned that threat actors, most likely advanced persistent threat groups, were exploiting the vulnerabilities separately and in a chained attack.

If that wasn't enough to keep administrators awake, VMware on Wednesday disclosed and patched an authentication bypass vulnerability (CVE-2022-22972) and a new local privilege escalation flaw (CVE-2022-22973) that also affect VMware Workspace ONE Access, vIDM, vRA, VMware Cloud Foundation and vRSLCM.

CISA issued a separate emergency directive Wednesday for CVE-2022-22972 and CVE-2022-22973, warning that the two new VMware vulnerabilities are likely to be targeted by malicious actors in the very near future. The directive required all civilian federal agencies to patch the vulnerabilities by 5 p.m. on Monday, May 23, and the agency urged all organizations to patch the new bugs immediately or disconnect vulnerable VMware instances from their networks until they can be patched.

According to the agency, working exploits for the two VMware vulnerabilities disclosed in April were only produced after the vendor issued patches for the bugs. "Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973, which were disclosed by VMware on May 18, 2022," the announcement said.

Needless to say, network administrators should be testing and installing patches as soon as possible for all systems that run the vulnerable VMware software.

"CISA strongly encourages all organizations to deploy updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks," the agency said. "CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in the CSA [cybersecurity advisory]."
