Published: June 09, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
CISA is warning of an authentication bypass vulnerability (CVE-2022-22972) and a local privilege escalation vulnerability (CVE-2022-22973) affecting certain VMware products. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Exploitation of these vulnerabilities permits malicious actors to trigger a server-side template injection that could result in exploitation of two earlier disclosed issues: remote code execution (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960).
A bit of background: CISA deployed an incident response team to a large organization where threat actors had exploited one of these vulnerabilities, CVE-2022-22954. Additionally, the organization received information from trusted third parties about observed exploitation at multiple other large organizations.
VMware released updates for the two older of these vulnerabilities on April 6, 2022. However, malicious cyber actors managed to reverse engineer the updates and create an exploit within 48 hours. Subsequently, they quickly began exploiting these vulnerabilities on unpatched devices.
CISA expects malicious cyber actors to quickly develop the capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.
CISA strongly encourages all organizations with internet-facing affected systems that have not yet applied the patches to assume there has been a compromise and to initiate threat hunting activities using the detection methods provided in the advisory. If there is any suspicion of compromise, CISA recommends that administrators apply the incident response guidance it provided in the advisory.
It is recommended that organizations follow vendor best practice advice in the mitigation of vulnerabilities such as these. In this particular case, that advice is to install the latest update as soon as possible for your organization. In the meantime, consider removing affected devices from the Internet.
More information, including the list of affected products, can be found on the VMware website and in CISA's alert (AA22-138B).