
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding vulnerabilities in VMware products.
On Wednesday, May 18th, VMware released an update for two identified vulnerabilities affecting the following products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
According to the directive, CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the impacted VMware products. Exploiting these vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution, escalate privileges to 'root' and obtain administrative access without the need to authenticate.
This has already happened with prior vulnerabilities in VMware software in April. According to CISA, threat actors reverse engineered the updates the company released that month and began exploiting unpatched instances of the products within 48 hours.
“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”
Required Actions
All Federal Civilian Executive Branch agencies must complete the following actions:
By 5:00 PM EDT on Monday, May 23, 2022:
1. Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks.
2. For all instances of impacted VMware products enumerated in the required action (1) above:
   - Deploy updates per VMware Security Advisory VMSA-2022-0014 available here: https://www.vmware.com/security/advisories/VMSA-2022-0014.html.
   OR
   - Remove from the agency network until update can be applied.
   Where updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks.
3. Additionally, for all instances of impacted VMware products that are accessible from the internet:
   - Assume compromise, immediately disconnect from the production network, and conduct threat hunt activities as outlined in CISA CSA available here: www.cisa.gov/uscert/ncas/alerts/aa22-138b
   - Immediately report to CISA at central@cisa.dhs.gov any anomalies identified in step 3.1.
Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied.
By 12:00 PM EDT on Tuesday, May 24, 2022:
4. Report status of all instances enumerated in Required Action 1 into Cyberscope using this template.
How ISEC7 Can Help
Whether you work in the Federal Civilian Executive Branch or the private sector, ISEC7 Sphere provides insight to our customers on existing CVEs collected from the National Vulnerability Database. When a vulnerability is found for a server, Sphere alerts the appropriate resources so they can remediate it and maintain compliance. Sphere can be connected to your current environment to provide a technology assessment for impacted versions of the VMware software.
ISEC7 VMware engineers are available to assist your organization in reviewing your existing environment to determine whether and how you are impacted by this vulnerability. If our team finds that you are currently using an impacted product, we will assist you with upgrading to the latest version to ensure compliance with the CISA directive. If, for some reason, you are unable to upgrade, our team will provide guidance to help ensure continuity of service for your user base. Our cybersecurity team is also available to assist with required threat hunting activities for any instances accessible from the internet.
Please feel free to contact the team at ISEC7 with any questions regarding the VMware vulnerabilities and how you can secure your infrastructure. We can also help you navigate the options available to you to generally strengthen and protect your infrastructure.
Contact
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group