CVE-2022-22972: DHS CISA Directs Federal Agencies to Take Immediate Action Against VMware Bugs
Pavithra Shankar
Securin Team
May 25, 2022
Did you know that CSW’s Cyber Threat Intelligence captured CVE-2022-22972 as a high probability of being exploited 62 days before the CISA warning?
VMware released two security holes (CVE-2022-22972 & CVE-2022-22973) in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager on May 18, 2022. The more severe of all vulnerabilities is CVE-2022-22972, a critical authentication bypass affecting local domain users, which could be exploited by malicious actors with network access to the UI to obtain administrative access without the need to authenticate.
On the same day, the U.S. Cybersecurity and Infrastructure Agency issued an emergency security directive over VMware vulnerabilities, which threat actors are likely to exploit. The directive demands all Federal Civilian Executive Branch entities to either apply the patch or remove impacted VMware installations from agency networks by May 24, 2022.
Likely to be Exploited
On May 26, 2022, Researchers at Horizon released PoC exploit for CVE-2022-22972 which can be used by bypassing authentication on vRealize Automation 7.6.
On April 6, 2022, VMware discovered two vulnerabilities in their systems and issued an update to fix these vulnerabilities: CVE 2022-22960 and CVE 2022-22954. Though VMware was able to release patches to fix this issue. Within a 48-hour window following the patch release, threat actors were able to reverse engineer the update and begin exploiting vulnerable VMware products that had not been patched.
CISA has also issued a cybersecurity advisory that includes IoCs, detection signatures, and incident response guidelines to assist administrators in detecting and responding to the active exploitation of CVE-2022-22954 and CVE-2022-22960.
Due to the sheer exploits of last month’s VMware vulnerabilities, CISA anticipates that the threat actors will find a method to launch another exploit using the newly disclosed vulnerabilities as they are now familiar with the system.
Global Exposure
525 devices could be potentially exposed to the Internet, in which the United States tops the list with 36%, followed by Germany with 6%.
In terms of scanning plugins, popular scanners such as Nessus, Nexpose, and Qualys were able to detect the vulnerabilities.
Nexpose | Nessus | Qualys | |
CVE-2022-22972 | 161331 | vmsa-2022-0014-cve-2022-22972 | 376617 |
CVE-2022-22973 | 161331 | vmsa-2022-0014-cve-2022-22973 | 376617 |
CVE-2022-22960 | 159548 | vmsa-2022-0011-CVE-2022-22960/ | 376521 |
CVE-2022-22954 | 159548 | vmware-workspace-one-access-upgrade-20_10_0_0_17035009 | 376521 |
List of Affected Products
The complete list of VMware products impacted by these security bugs includes:
Product Component | Version(s) |
VMware Workspace ONE Access Appliance | |
VMware Workspace ONE Access Appliance | |
VMware Workspace ONE Access Appliance | |
VMware Workspace ONE Access Appliance | |
VMware Identity Manager Appliance | |
VMware Identity Manager Appliance | |
VMware Identity Manager Appliance | |
VMware Identity Manager Appliance |
VMware at Unacceptable Risk, Patch Now!
CISA found that all of these security vulnerabilities constitute an unacceptable risk to federal agencies and has ordered that they fix them before May 24, 2022. Concerns over the growing attacker interest in zero days have prompted CISA to issue several security initiatives.
VMware infrastructure is widely deployed in data center and cloud environments, making it an attractive target for hackers. Cybercriminals scan for these types of vulnerabilities constantly and attempt to exploit targets before they have a chance to download a patch.
Therefore, we strongly recommend organizations to hop on patches and updates for popular platforms as soon as the vendor discloses it.
Share this post on:
