DHS recommends patching VMware, probably you should too

The Department of Homeland Security urges US federal agencies to “patch or remove” a list of VMware products within 5 days. You should probably do it too.

Critical vulnerabilities in VMware products

On May 18 VMware patched two vulnerabilities in its products: CVE-2022-22972 and CVE-2022-22973. To emphasize the severity of the problem, on the same day the US Department of Homeland Security issued a directive obliging all Federal Civilian Executive Branch (FCEB) agencies to close these vulnerabilities in their infrastructure within five days — by installing patches, and if this is not possible, by removing the VMware products from the agency network. It clearly makes sense to follow the example of the American government agencies and install the patches immediately.

What are the vulnerabilities?

The vulnerabilities affect five of the company’s products — VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

The first vulnerability, CVE-2022-22972, with a severity rating of 9.8 on the CVSS scale, is especially dangerous. Its exploitation can allow an attacker to gain administrator rights in the system without any authentication.

The second vulnerability, CVE-2022-22973, is related to privilege escalation. To exploit it, attackers must already have some rights in the attacked system, for this reason its severity level is somewhat lower — 7.8 on the CVSS scale. However, this bug should also be taken seriously, as it allows attackers to elevate privileges on the system to the root level.

More information can be found in the official FAQ on this issue.

Real severity of vulnerabilities CVE-2022-22973 and CVE-2022-22972

Neither VMware nor CISA experts are yet aware of any cases of these vulnerabilities being exploited in the wild. However, there is a good reason behind CISA’s emergency directive: in early April VMware had already closed several vulnerabilities in the same products, and just 48 hours later attackers began to exploit those bugs. In other words, on that occasion it took the attackers less than two days to create exploits, and obviously there is a concern that the same can happen this time as well.

Moreover, CISA experts believe that someone could use the two new vulnerabilities in conjunction with the April batch (specifically, CVE-2022-22954 and CVE-2022-22960) to perform sophisticated targeted attacks. For this reason they have required all federal agencies to close the vulnerabilities by 5:00 PM EDT on May 23, 2022.

How to prevent exploitation of the vulnerabilities in VMware products

VMware recommends first updating all vulnerable software to supported versions, and only then installing the patches. You can check the currently supported versions on the VMware Product Lifecycle Matrix page. Before installation, it is advised to create backups or take snapshots of the products that need an update. Patches and installation tips can be found in the VMware Knowledge Base.

On top of that, you shouldn’t forget that all information systems that have access to the Internet must have reliable security solutions installed. In the case of virtual environments, specialized protection should be used.

As an additional layer of protection, it also makes sense to use EDR solutions that allow you to monitor activity within the infrastructure and identify signs of malicious presence before attackers have time to do real damage.
