CISA calls VMWare vulnerabilities ‘unacceptable risk’ in emergency order to feds

The Cybersecurity and Infrastructure Security Agency is ordering federal agencies and contractors to fix a series of vulnerabilities affecting multiple VMWare products, some of which the agency says are being actively exploited on unpatched systems in the wild.

The directive, issued Wednesday, centers around at least four distinct vulnerabilities. In April, VMware issued a patch for two flaws, a server-side template injection flaw (rated 9.8 out of 10 for severity) that can lead to remote code execution and a privilege escalation bug (7.8 severity). CISA said there is evidence indicating that malicious hackers were able to reverse engineer the update to create an exploit for unpatched systems less than 48 hours from the release, and added the bugs to their known exploited vulnerabilities database that agencies are required to follow for patching protocols.

On Wednesday, VMWare released patches for another two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) and CISA believes that all four can be used in tandem to compromise unpatched versions of affected software and pose “an unacceptable risk” to federal systems.

“This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” the order states.

CISA issues timeline to inventory or remove VMware application

Federal agencies have until Monday, May 23 to develop an inventory of all affected software instances in their IT environment and either patch it or remove it from their networks. Versions of VMWare applications that are publicly accessible via the internet must be assumed to be compromised, disconnected immediately and subjected to threat hunting protocols.

“Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied,” the order reads.

By noon the next day, agencies must provide status updates for all known instances through CyberScope, a tool used by federal agencies to report compliance with the Federal Information Security Management Act. They must also work with the FedRAMP program office at the General Services Administration to ensure third-party cloud providers do the same.

Collectively, the vulnerabilities affect five different products: VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.