VMware released updates for both vulnerabilities on April 6, 2022, and, according to CISA, hackers were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5, and May 6, 2022, respectively.
VMware Vulnerabilities Technical Details
CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in remote code execution (RCE). This vulnerability affects the following products:
- VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
- vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
- VMware Cloud Foundation, 4.x
- vRealize Suite LifeCycle Manager, 8.x
CVE-2022-22960 allows hackers with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:
- VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
- vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
- vRA, version 7.6
- VMware Cloud Foundation, 3.x, 4.x
- vRealize Suite LifeCycle Manager, 8.x
According to CISA, threat actors may chain these vulnerabilities. At one compromised organization in April 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.
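As an added example (not code from CyberHoot, CISA or VMware), the following Python helper encodes the affected-product lists and BOD 22-01 deadlines given above and, for a constructed inventory, reports which hosts are exposed to which CVE, which fixes are past their deadline, and where a network-reachable host carries both bugs so the chain described by CISA is possible. Host names, installed versions and exposure flags are hypothetical.

```python
from datetime import date

# Affected-product matrix for the two CVEs, transcribed from the advisory text.
# A trailing ".x" means every release in that major line.
AFFECTED = {
    "CVE-2022-22954": {
        "Workspace ONE Access": ["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"],
        "vIDM": ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
        "Cloud Foundation": ["4.x"],
        "vRealize Suite Lifecycle Manager": ["8.x"],
    },
    "CVE-2022-22960": {
        "Workspace ONE Access": ["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"],
        "vIDM": ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
        "vRA": ["7.6"],
        "Cloud Foundation": ["3.x", "4.x"],
        "vRealize Suite Lifecycle Manager": ["8.x"],
    },
}
# BOD 22-01 remediation deadlines for federal agencies, from the advisory text.
DUE = {"CVE-2022-22954": date(2022, 5, 5), "CVE-2022-22960": date(2022, 5, 6)}

def version_matches(installed: str, pattern: str) -> bool:
    """Exact match, or major-line match when the pattern ends in '.x'."""
    if pattern.endswith(".x"):
        return installed.split(".")[0] == pattern[:-2]
    return installed == pattern

def triage(product: str, version: str, network_exposed: bool, today: str = "2022-05-10") -> dict:
    """Return the CVEs that apply to one asset, which are overdue, and chain risk."""
    hits = [cve for cve, matrix in AFFECTED.items()
            if any(version_matches(version, p) for p in matrix.get(product, []))]
    overdue = [cve for cve in hits if date.fromisoformat(today) > DUE[cve]]
    # The chain CISA observed needs the SSTI bug reachable over the network plus the local root bug.
    chained = {"CVE-2022-22954", "CVE-2022-22960"} <= set(hits) and network_exposed
    return {"cves": hits, "overdue": overdue, "chain_risk": chained}

# Constructed sample inventory (hypothetical hosts; the last version is not in the affected lists).
INVENTORY = [
    ("idm-01", "Workspace ONE Access", "21.08.0.1", True),
    ("vcf-mgmt", "Cloud Foundation", "3.10.2", False),
    ("vra-legacy", "vRA", "7.6", False),
    ("vrslcm", "vRealize Suite Lifecycle Manager", "8.8.2", True),
    ("idm-02", "Workspace ONE Access", "99.0.0.0", True),
]

def report(today: str = "2022-05-10") -> dict:
    """Triage every inventory entry; keyed by host name."""
    return {host: triage(prod, ver, exposed, today) for host, prod, ver, exposed in INVENTORY}

if __name__ == "__main__":
    for host, result in report().items():
        print(host, result)
```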
What Should You Do?
Patch your VMware systems as soon as possible, or remove the affected software from your network until a patch can be applied.
To stay up to date at all times, it’s important to deploy a cloud-based patch management solution that automatically updates software whenever and wherever necessary. Most Managed Service Providers use one of the big three Remote Monitoring and Management (RMM) solutions (ConnectWise, Datto, and Kaseya) to patch their managed systems. In addition to tested and validated patching, these RMM solutions also provide monitoring and remote access to their clients.
Standalone patch management solutions for companies not using the above-mentioned RMM solutions include ManageEngine and Automox.
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to CyberHoot’s services, you’ll have access to our Policy and Process library, which contains the Vulnerability Alert Management Process (VAMP) document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.