Emergency Advisory: VMware Vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive regarding vulnerabilities in VMware products.  
On Wednesday, May 18th, VMware released an update for two identified vulnerabilities affecting the following products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

According to its directive, CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the impacted VMware products. Exploiting these vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution, escalate privileges to 'root' and obtain administrative access without the need to authenticate.
This already happened with prior vulnerabilities in VMware software in April. According to CISA, threat actors reverse engineered the updates the company made that month and used them to exploit instances of the products that remained unpatched within 48 hours. “These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

Required Actions

All Federal Civilian Executive Branch agencies must complete the following actions: 

By 5:00 PM EDT on Monday, May 23, 2022: 

    1. Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks. 
    2. For all instances of impacted VMware products enumerated in the required action (1) above:
      1. Deploy updates per VMware Security Advisory VMSA-2022-0014 available here https://www.vmware.com/security/advisories/VMSA-2022-0014.html. 
      2. Remove from the agency network until the update can be applied.
         If updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks.
    3. Additionally, for all instances of impacted VMware products that are accessible from the internet:
      1. Assume compromise, immediately disconnect from the production network, and conduct threat hunt activities as outlined in CISA CSA available here: www.cisa.gov/uscert/ncas/alerts/aa22-138b 
      2. Immediately report to CISA at central@cisa.dhs.gov any anomalies identified in step 3.1. 

Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied. 


By 12:00 PM EDT on Tuesday, May 24, 2022: 

    4. Report status of all instances enumerated in Required Action 1 into Cyberscope using this template.


How ISEC7 Can Help

Whether you work in the Federal Civilian Executive Branch or the private sector, ISEC7 Sphere provides insight to our customers on existing CVEs collected from the National Vulnerability Database. When a CVE is found for a server, Sphere will alert the appropriate resources to the vulnerability so they can remediate it and maintain compliance. Sphere can be connected to your current environment to provide a technology assessment for impacted versions of the VMware software.

ISEC7 VMware engineers are available to assist your organization in reviewing your existing environment to determine whether and how you are impacted by this vulnerability. If our team finds that you are currently using an impacted product, we will assist you with upgrading to the latest version to ensure compliance with the CISA directive. If, for some reason, you are unable to upgrade, our team will provide guidance to help ensure continuity of service for your user base. Our cybersecurity team is also available to assist with required threat hunting activities for any instances accessible from the internet.
Please feel free to contact the team at ISEC7 with any questions regarding the VMware vulnerabilities and how you can secure your infrastructure. We can also help you navigate the options available to you to generally strengthen and protect your infrastructure. 




(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group