CISA is releasing this CSA to warn organizations that malicious cyber actors, likely APT actors, are exploiting VMware vulnerabilities CVE-2022-22954 and CVE-2022-22960, both separately and in combination.
These vulnerabilities affect certain versions of the following VMware products:
- Workspace ONE Access
- Identity Manager (vIDM)
- vRealize Automation (vRA)
- Cloud Foundation
- vRealize Suite Lifecycle Manager
Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or to escalate privileges to root (CVE-2022-22960).
According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.
“VMware is a very common cloud software service which is also widely present in private-sector organizations including health care. Although the emergency advisory issued by CISA only applies to government agencies, it is strongly recommended that health care entities and their life-critical and mission-critical third parties implement the provided patches as soon as possible,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA) explained in a statement in response to the emergency directive.
This activity is especially concerning because the threat actors were able to adapt and develop new capabilities quickly.
Incident Response for VMware vulnerabilities
If administrators discover system compromise, CISA recommends they:
- Immediately isolate affected systems.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party incident response organization to provide subject matter expertise.
- Report incidents to CISA via CISA’s 24/7 Operations Center.
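As an added example for the log-review step above (this is not code from the original advisory or from CISA): a small Python script that scans web access logs for template-expression markers in request parameters, the generic signature of a server-side template injection attempt like the one described for CVE-2022-22954. The log format, paths, addresses and sample lines are constructed assumptions, and the markers are generic template-engine syntax, not indicators published for these CVEs; it repeatedly URL-decodes the request target so that double-encoded probes are not missed, and ranks source addresses with successful (2xx) flagged requests first.

```python
import re
import urllib.parse
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log in Common Log Format (hypothetical hosts,
# paths and addresses; not data from any real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2022:12:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2022:12:00:07 +0000] "GET /portal/search?q=%24%7Bprobe%7D HTTP/1.1" 200 981
203.0.113.7 - - [10/Apr/2022:12:00:09 +0000] "GET /portal/search?q=%2524%257Bprobe%257D HTTP/1.1" 200 977
10.0.0.5 - - [10/Apr/2022:12:00:15 +0000] "GET /api/items?filter=%7B%22id%22%3A1%7D HTTP/1.1" 200 64
198.51.100.4 - - [10/Apr/2022:12:01:02 +0000] "POST /portal/feedback?msg=%7B%7Bprobe%7D%7D HTTP/1.1" 500 0
"""

# Common Log Format: source, identity, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic template-expression openers used by common server-side template
# engines. Assumed generic SSTI markers, not the advisory's own indicators.
SSTI_MARKERS = ("${", "#{", "{{", "<%", "<#")


@dataclass
class Finding:
    src: str
    ts: str
    status: int
    target: str        # fully URL-decoded request target
    markers: tuple     # which markers matched


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double- or triple-encoded input is unwrapped."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text: str) -> list[Finding]:
    """Return one Finding per request whose decoded target contains a template marker."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = fully_decode(m.group("target"))
        hits = tuple(mk for mk in SSTI_MARKERS if mk in target)
        if hits:
            findings.append(Finding(m.group("src"), m.group("ts"),
                                    int(m.group("status")), target, hits))
    return findings


def sources_to_investigate(findings: list[Finding]) -> list[tuple[str, int, int]]:
    """Rank sources as (address, flagged requests, flagged requests answered 2xx).

    A 2xx response to a flagged request deserves a closer look first, because it
    suggests the injected expression was accepted rather than rejected.
    """
    total, ok = Counter(), Counter()
    for f in findings:
        total[f.src] += 1
        if 200 <= f.status < 300:
            ok[f.src] += 1
    return sorted(((s, total[s], ok[s]) for s in total),
                  key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src} {f.status} {f.target} markers={f.markers}")
    for src, n, n_ok in sources_to_investigate(results):
        print(f"{src}: {n} flagged request(s), {n_ok} answered 2xx")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; tune LOG_RE to the server's actual log format, and treat hits as leads for the artifact collection step, not as confirmation of compromise.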
CISA recommends that organizations using the affected VMware products update to the latest version promptly or remove affected versions from their networks.