The Cybersecurity and Infrastructure Security Agency issued an emergency directive Wednesday requiring federal civilian agencies to patch vulnerable VMware products that could be chained together for full system control.
If agencies cannot deploy the necessary updates to the affected VMware services within five days, by May 23, they must remove those services from agency networks immediately until an update is possible, per the directive.
“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a press release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”
Cloud computing and virtualization company VMware on Tuesday released an update for two identified vulnerabilities affecting its VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager applications. CISA expects this will lead to threat actors — “including likely advanced persistent threat (APT) actors” — developing new capabilities to exploit the new vulnerabilities.
VMware itself called the vulnerabilities “critical,” rating them 9.8 out of 10 in severity.
“CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action,” the directive says. “This determination is based on the confirmed exploitation of [prior vulnerabilities] by threat actors in the wild, the likelihood of future exploitation of [the new vulnerabilities], the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”
Bad actors have already done this with prior vulnerabilities in VMware software: in April, they reverse engineered updates the company released that month and, within 48 hours, began exploiting instances of the products that remained unpatched, CISA said.
In a related cybersecurity advisory published Tuesday, CISA said it has “deployed an incident response team to a large organization where the threat actors exploited” those vulnerabilities from April. The agency has also “received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.”
The federal government’s lead cyber agency believes hackers could exploit the vulnerabilities to “trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).” CISA also believes, based on third-party reports, that bad actors may chain the vulnerabilities for full system control.
For any federal instances of the VMware products connected to the internet, CISA directs agencies to immediately disconnect them, assume compromise, and then continue threat hunting activities, reporting any anomalous activity immediately.
This emergency directive is the first since CISA in December ordered federal agencies to assess their internet-facing networks for the Apache Log4j vulnerability and immediately patch the systems. CISA Director Jen Easterly described the Log4j bug as perhaps “the most serious” she’d seen in her career.