CISA Orders Agencies to Mitigate VMWare Vulnerabilities Under Deadline

Federal agencies must report to the Cybersecurity and Infrastructure Security Agency over the coming days on the status of VMWare product vulnerabilities the agency flagged in an emergency directive Wednesday.

“C​​ISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch agencies and require emergency action,” the agency said, imposing a deadline of Monday, May 23, at noon for required actions. “This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

VMWare is a Dell company specializing in technology for cloud computing and network virtualization. Earlier this month, researchers at the continuous security monitoring firm Assetnote reported that a vulnerability in VMWare’s Workspace One [Unified Endpoint Management] could have compromised companies’ cloud accounts.

“While I cannot share exact details about what companies were affected, there were a large number of enterprises that were vulnerable to this,” Assetnote Chief Technology Officer Subham Shah said in a May 2 press release. “In some cases, it was possible to use this vulnerability to breach the AWS accounts of the companies.”

CISA’s emergency directive Wednesday instructs agencies to either patch the vulnerabilities across all instances of the VMWare products or to disconnect them from agency systems. For any applications that are internet facing, CISA additionally directs agencies to assume they’ve been compromised, initiate threat hunting and to immediately report to the agency. 

CISA described overwhelming capabilities adversaries could achieve by exploiting the vulnerabilities, which could not necessarily be mitigated by the implementation of multifactor authentication as they target processes that occur in advance of that verification method.

“According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user,” CISA said in an advisory accompanying the directive. “The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.”