On May 18, VMWare announced the availability of patches for two critical vulnerabilities that impact five software products: Workspace ONE Access, VMware Identity Manager, vRealize Automation, VMware Cloud Foundation, and vRealize Suite LifecycleManager. On the same day, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an Emergency Directive for federal entities to mitigate the risks of CVE 2022-22972 and CVE 2022-22973. These two CVEs are authentication bypass and escalation vulnerabilities that can be leveraged to obtain admin privileges in the affected products. VMware has released patches fixing the issue, and while they also provided a temporary workaround, VMware highly recommends patching as soon as possible.
In April, two other VMware vulnerabilities (CVE 2022-22954 and CVE 2022-22960) had active exploits developed within 48 hours of the patches being released. CISA believes that exploits for the new vulnerabilities will be developed as quickly and is requiring federal entities to identify and remediate all affected assets. It is wise for private industry to take note of the urgency that federal agencies are applying to this issue to prioritize patching as well.
Given the history of exploit developers acting quickly on high-severity vulnerabilities in VMware products, it is highly recommended that impacted assets be patched as soon as possible. This should be considered an Emergency Change, but without an active exploit, standard change management should still be followed if in place. Now would also be a good time for companies to assess which VMware assets exist in their environments that are exposed to the public internet in order to reduce the attack surface of those environments. CVE 2022-22972 requires network access to the UI to bypass authentication, making it especially pertinent to limit access.
The workaround provided by VMware is not a remediation of the vulnerability either; it simply reduces the number of administrator accounts that can be exploited. VMware suggests that implementing firewall rules to restrict access to the affected assets may help reduce the impact of the vulnerabilities as well, and while this is good practice, no firewall rules will fully remediate the vulnerability without preventing administration of the tool.
Lastly, closely monitor administrative account activity until the patch is deployed. A robust change control policy can help identify malicious activity, and until an exploit is developed, the best indicator of compromise is non-standard behavior by administrative accounts. CVE 2022-22973 requires local access in order to escalate to root, so an indicator of compromise here may indicate further compromise elsewhere in the environment.