(Update May 26, 2022) – Exploit Code Available for Recently Disclosed VMware Vulnerabilities

Created: Thursday, May 26, 2022 - 13:05
Categories:
Cybersecurity, Security Preparedness

Attention: Members using impacted VMware products are strongly encouraged to pass this information along to IT support personnel and/or third party IT/managed service providers to be promptly addressed.

As anticipated, a working proof-of-concept has been developed for CVE-2022-22972. Security researchers have published an analysis report together with a working exploit. Public disclosure of exploit code typically shortens the time until threat actors begin active exploitation and increases the risk of compromise for devices that remain unpatched.

As a reminder, the vulnerability disclosure addressed by Cybersecurity Advisory (CSA) AA22-138B, Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, was accompanied by Emergency Directive (ED) 22-03, which encourages all organizations to promptly address multiple vulnerabilities in VMware products.

The same mitigation recommendations still apply:

  • Organizations should immediately identify all instances of affected VMware products and deploy the vendor updates.
  • If impacted devices cannot be updated (patched) in a timely fashion, organizations are strongly encouraged to remove those instances from their networks. CISA has noted that it does not endorse alternative mitigation options for this issue.
  • Organizations with affected VMware products that are accessible from the internet should assume compromise and initiate threat hunting activities using the detection methods provided in AA22-138B.
  • If a compromise is detected, administrators should apply the incident response recommendations also included in AA22-138B.

May 19, 2022

Yesterday, CISA issued Emergency Directive (ED) 22-03 and released Cybersecurity Advisory (CSA) AA22-138B, Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control, encouraging all organizations to address multiple vulnerabilities in VMware products. This ED responds to active and expected exploitation of multiple vulnerabilities in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Specifically, known exploitation is occurring for CVE-2022-22954 and CVE-2022-22960, which were disclosed in April, and CISA expects cyber threat actors to quickly develop a capability to exploit the newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 (affecting the same products), which were disclosed yesterday in VMware Security Advisory VMSA-2022-0014. It is highly recommended that organizations identify all instances of affected VMware products and deploy the vendor updates. If impacted devices cannot be updated (patched) in a timely fashion, organizations are strongly encouraged to remove those instances from their networks. CISA has noted that it does not endorse alternative mitigation options for this issue.

Furthermore, CISA encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in AA22-138B. Likewise, if potential compromise is detected, administrators should apply the incident response recommendations also included in AA22-138B.

While Emergency Directives are mandatory only for federal networks, it is prudent for all organizations to prioritize addressing vulnerabilities as instructed by such directives. For more on this Emergency Directive, including recommended detection methods and mitigation guidance, see AA22-138B at CISA.