MAY 19, 2022 12:38 GMT
CISA has issued a rare emergency directive and is advising urgent patching priority for two new VMWare vulnerabilities: CVE-2022-22972 and CVE-2022-22973.
These will allow for Remote Code Execution (RCE) and Root Privilege Escalation within impacted VMWare products. The patch was released for these vulnerabilities on May 18th.
Recent similar VMWare vulnerabilities were weaponized by threat actors within 48 hours of the patch’s release.
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
CVE-2022-22972 (CVSS 9.8) is an authentication bypass vulnerability that allows a user with network access to the UI to obtain administrative access without providing credentials.
CVE-2022-22973 (CVSS 7.8) allows a user with local access to escalate to root privileges with no known workarounds.
CISA compares these to previous VMWare vulnerabilities CVE-2022-22954 and CVE-2022-22960, which were patched in April.
The vulnerabilities impacted the same products in similar ways. What was notable is that threat actors reverse-engineered and weaponized the patches for CVE-2022-22954 and CVE-2022-22960 within 48 hours.
Review advisories from VMWare for more details about impacted versions and workarounds.
CISA recommends either patching or removing impacted hosts from the network.
Check impacted hosts accessible from the Internet for further signs of compromise and apply Incident Response procedures if necessary.
Apply appropriate network segmentation to limit exposure of critical infrastructure.
Keep vulnerability and IDS/IPS signatures up to date.
- VMWare Advisory for 2022-22972 and CVE-2022-22973
- CISA Emergency Directive for 2022-22972 and CVE-2022-22973
- Mitre Entry for CVE-2022-22972
- Mitre Entry for CVE-2022-22973
- Patching Instructions from VMWare for CVE-2022-22972 and CVE-2022-22973:
- Workarounds for CVE-2022-22972