Organizations are being urged to patch certain VMware products as threat actors are chaining a series of unpatched vulnerabilities in some of the company’s products to gain full system control, even as patches have been available for several weeks.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), threat actors, likely sophisticated groups, are exploiting a pair of vulnerabilities in certain versions of VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.
The first duo of bugs in question, CVE-2022-22954 and CVE-2022-22960, are a server-side template injection that could lead to remote code execution and escalation of privileges to root, respectively. VMware released the updates on April 6, but malicious cyber actors were able to reverse engineer the updates to develop an exploit within two days to begin exploiting the bugs in unpatched devices. CISA then added the two bugs to its catalog of Known Exploited Vulnerabilities about a week later.
In addition to those bugs, malicious actors are now expected to develop an exploit for a pair of other vulnerabilities, CVE-2022-22972 and CVE-2022-22973, that exist in the same VMware products that VMware disclosed on May 18. Because of this, CISA is requiring government agencies to immediately apply VMware’s patches or remove the impacted VMware systems rom their network.
According to VMware’s advisory on the newly discovered bugs, CVE-2022-22972 is an authentication bypass bug in VMware Workspace ONE Access, Identity Manager and vRealize Automation that could give an attacker with access to the UI administrative access without the need to authenticate. CVE-2022-22973, meanwhile, is a local privilege escalation flaw in Workspace ONE Access and Identity Manager that could give an attacker with local access privileges to “root.”
While that action covers the U.S. government, CISA’s alert notes that this has impacted multiple “large organizations,” one of which the agency sent an incident response team.
“CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.”
According to CISA, threat actors with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.
Post exploitation tools dropped in the environments at multiple organizations include Dingo J-spy webshell, which was dropped by leveraging CVE-2022-22954.
Administrators who discover system compromise are urged to immediately isolated affected systems, collect and review logs, ask a third-party incident response organization for help and report the incident to CISA.
In addition to patching, organizations with unpatched VMwae products that are accessible from the internet should assume compromise and conduct threat hunting activities, as per CISA’s advisory.
Read the advisories from VMware and CISA for more information, including detailed guides on remediation, indicators of compromise and threat hunting.
Leave a Reply