CISA Issues Emergency Directive and Cybersecurity Advisory for VMware Vulnerabilities

Immediate Updates Advised

On May 18, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) issued Cybersecurity Advisory (CSA) AA22-138B and Emergency Directive (ED) 22-03 alerting users to active vulnerabilities susceptible to exploitation in several VMware products. Affected products are VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager.  

Vulnerabilities Summary 

According to CSA, VMware released an update on April 6, 2022, to address two detected vulnerabilities CVE-2022-22954 and CVE-2022-22960, but threat actors reverse engineered them and began exploitation within 48 hours. CISA has deployed an incident response team to a large organization where threat actors exploited CVE-2022-22954 and received intel from trusted third parties that there are indicators of compromise at several other large organizations.  

On May 18, 2022, VMware announced two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973), which CISA expects threat actors to similarly exploit. ED 22-03, which “has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,” provides an overview of each listed vulnerability: 

• CVE-2022-22954—a server-side template injection that could result in threat actors issuing remote code execution. 

• CVE-2022-22960 and CVE-2022-22973—may allow threat actors to escalate privileges to 'root', or gain the highest access to files and systems. 

• CVE-2022-22972—could permit threat actors to obtain administrative access without the need to authenticate. 

Guidance

General

CISA encourages all organizations to issue updates provided in VMware’s security advisory VMSA-2022-0014, or remove all instances from their networks. In addition, CISA urges organizations whose VMware products are accessible from the internet to assume they are compromised and initiate threat hunting activities and incident response recommendations as necessary (outlined in the CSA guidance below).  

CSA AA22-138B 

The CSA outlines specific technical details and detection methods, noting that the following behavioral analyses can help detect compromise: 

• Review systems logs and noting any gaps. 

• Assess abnormal connections to other assets. 

• Scrutinize the command-line history. 

• Audit running processes and active listening ports and connections. 

• Examine local user accounts and groups.

In the event of detected compromise, the following incident response is recommended: 

1. Immediately isolate affected systems.  

2. Collect and assess relevant logs, data, and other artifacts. 

3. Consider contracting a third-party incident response organization to provide subject matter expertise, remove threat actors from the network, and avoid lingering issues that could allow follow-on exploitation. 

4. Report incidents to CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870) 

ED 22-03 

Because of CISA’s Binding Operational Directives 22-01 and 19-02, all Federal Civilian Executive Branch agencies must deploy updates immediately or remove all documented instances of exploited VMware products from their network. The timeline for such required activities is outlined in the ED.  

How we help 

We help organizations remain resilient in the face of such cyber threats. Our services include: 

• Aponix Protect to assess an organization’s risk, identify program gaps, and draft a mitigation roadmap.  

• Penetration testing and vulnerability assessments to identify network vulnerabilities that could lead to exploitation. 

• Operational resilience and governance services such as business continuity planning, incident response, and tabletop testing to draft, enhance, and routinely test an organization’s ability to respond to critical cyber events such as vulnerability exploitation. 

Learn more about additional cybersecurity solutions here. 

For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber advisor or contact us.