VMware has released patches for a privately reported critical vulnerability (CVE-2022-22972) in VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products, and is urging administrators to patch or mitigate immediately, because “the ramifications of this vulnerability are serious.”
Simultaneously, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for all federal civilian executive branch agencies, which are ordered to enumerate all instances of affected VMware products and either deploy the updates provided by VMware or remove those instances from agency networks by May 23 (Monday).
CVE-2022-22972 is an authentication bypass vulnerability affecting local domain users, which could be exploited by malicious actors with network access to the UI to obtain administrative access without the need to authenticate. It affects VMware Workspace ONE Access, Identity Manager and vRealize.
The patches released by VMware on Wednesday also fix CVE-2022-22973, a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager, which could allow attackers with local access to gain “root” privileges on vulnerable systems.
In a supplemental blog post, VMware notes that while some workarounds for the discovered security holes are available, there are downsides to using them instead of implementing the patches.
“The workaround will make admins unable to log into the Workspace ONE Access console using the local admin account, which may impact your organization’s operations,” the company explained, and noted that the only way to remove the vulnerabilities from one’s environment is to apply the patches.
“Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not,” they added.
No active exploitation – yet!
There are no PoC exploits for CVE-2022-22972 or CVE-2022-22973 and there is no mention of them being exploited by attackers.
However, CISA says that since “threat actors were able to reverse engineer [a previous VMware update that fixed CVE-2022-22954 and CVE-2022-22960] and begin exploitation of impacted VMware products that remained unpatched within 48 hours of the update’s release,” the agency “expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products.”
Consequently, it mandated emergency action from all federal civilian executive branch agencies.
CISA has also released a cybersecurity advisory detailing IoCs, detection signatures, and incident response recommendations to help administrators detect and respond to active exploitation of CVE-2022-22954 and CVE-2022-22960.
VMware has noted that by applying the latest product updates (with patches), admins who have not previously implemented fixes for CVE-2022-22954 and CVE-2022-22960 will simultaneously get them, as “VMware product updates are cumulative for security.”
Still, that doesn’t mean their installations haven’t already been compromised by attackers, so admins would do well to review CISA’s security advisory and search for evidence of compromise.