The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring Federal Civilian Executive Branch (FCEB) agencies to update specific VMWare products or remove them from agency networks until the update can be applied.
The directive says that advanced persistent threat (APT) actors are exploiting vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
Agencies are advised to assume any of these VMWare products are compromised and immediately disconnect from networks.
VMWare released an update to address the vulnerabilities on April 6th, but threat actors were able to reverse engineer the update and began exploitation within 48 hours of the patch release. CISA expects to see a similar timeline with the recent directive:
"On May 18, 2022, VMware released an update for two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973). Based on the above, CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to 'root' (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).
CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems."
CISA Director Jen Easterly commented on the urgency of the situation:
"These vulnerabilities pose an unacceptable risk to federal network security. CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization—large and small—to follow the federal government's lead and take similar steps to safeguard their networks."
For more information, read CISA's EMERGENCY DIRECTIVE 22-03 MITIGATE VMWARE VULNERABILITIES.
