DHS recommends patching VMware, probably you should too

The Department of Homeland Security is urging US federal agencies to “patch or remove” a list of VMware products within five days. Probably you should do it too.

Critical vulnerabilities in VMware products

On May 18 VMware patched two vulnerabilities in its products: CVE-2022-22972 and CVE-2022-22973. To emphasize the severity of the problem, on the same day the US Department of Homeland Security issued a directive obliging all Federal Civilian Executive Branch (FCEB) agencies to close these vulnerabilities in their infrastructure within five days — by installing patches, and if this is not possible, by removing VMware products from the agency network. So it looks like it makes sense to follow the example of American government agencies and immediately install patches.

What are the vulnerabilities?

The vulnerabilities affect five of the company’s products — VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The first vulnerability, CVE-2022-22972, with a severity rating of 9.8 on the CVSS scale, is especially dangerous. Its exploitation can allow an attacker to gain administrator rights in the system without any authentication.

The second vulnerability, CVE-2022-22973, is related to privilege escalation. To exploit it, attackers must already have some rights in the attacked system; for this reason its severity level is somewhat lower — 7.8 on the CVSS scale. However, this bug should also be taken seriously, as it allows attackers to elevate privileges on the system to the root level.

More information can be found in the official FAQ on this issue.

Real severity of vulnerabilities CVE-2022-22973 and CVE-2022-22972

Neither VMware nor CISA experts are yet aware of any exploitation of these vulnerabilities in the wild. However, there’s a good reason for CISA’s emergency directive: in early April VMware closed several vulnerabilities in the same products, yet just 48 hours later attackers began to exploit them (on servers where VMware software hadn’t been patched yet). In other words, on that occasion it took the attackers less than two days to create exploits, and obviously there is a concern that this could happen again this time as well.

Moreover, CISA experts believe that someone could use the two new vulnerabilities in conjunction with the April batch (specifically, CVE-2022-22954 and CVE-2022-22960) to perform sophisticated targeted attacks. For this reason they’ve required all federal agencies to close the vulnerabilities by 5:00 PM EDT on May 23, 2022.

How to avoid vulnerabilities being exploited in VMware products

VMware recommends first updating all vulnerable software to supported versions, and only then installing patches. You can check the current versions on the VMware Product Lifecycle Matrix page. Before installation, it’s advised to create backups or take snapshots of programs that need updating. Patches and installation tips can be found in the VMware Knowledge Base.
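The sequence VMware describes (upgrade to a supported version, snapshot, then patch, with removal from the network as the fallback once the deadline has passed) is easy to get wrong across a large fleet. The script below is an added example, not VMware's or this blog's own tooling: it walks a constructed inventory of hosts, keeps only the five products the advisory names, and produces the ordered list of actions each host still needs. The minimum supported version numbers and the inventory rows are placeholders invented for the example; the real figures come from the VMware Product Lifecycle Matrix and the Knowledge Base article.

```python
"""Fleet triage for the VMware advisory discussed above (added example).

The inventory and the MIN_SUPPORTED_VERSION table are CONSTRUCTED
placeholders. Real supported and fixed versions must be taken from the
VMware Product Lifecycle Matrix and the VMware Knowledge Base; this script
does not reproduce either.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Products the advisory names as affected (from the article).
AFFECTED_PRODUCTS = {
    "VMware Workspace ONE Access",
    "VMware Identity Manager",
    "VMware vRealize Automation",
    "VMware Cloud Foundation",
    "vRealize Suite Lifecycle Manager",
}

# PLACEHOLDER values: lowest version still supported by VMware (and therefore
# eligible for the patch). These numbers are made up for the example.
MIN_SUPPORTED_VERSION = {
    "VMware Workspace ONE Access": "21.08.0",
    "VMware Identity Manager": "3.3.6",
    "VMware vRealize Automation": "8.0.0",
    "VMware Cloud Foundation": "4.3.0",
    "vRealize Suite Lifecycle Manager": "8.0.0",
}

# CISA's deadline from the article: 5:00 PM EDT on 23 May 2022 (EDT = UTC-4).
CISA_DEADLINE = datetime(2022, 5, 23, 17, 0, tzinfo=timezone(timedelta(hours=-4)))


@dataclass
class Host:
    name: str
    product: str
    version: str
    patched: bool          # patch for CVE-2022-22972 / CVE-2022-22973 applied
    snapshot_taken: bool   # backup or snapshot exists for rollback


def parse_version(v: str) -> tuple:
    """Turn '21.08.0' into (21, 8, 0); pads to three parts, non-digits count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_supported(product: str, version: str) -> bool:
    """True when the installed version is at or above the (placeholder) minimum."""
    return parse_version(version) >= parse_version(MIN_SUPPORTED_VERSION[product])


def triage(host: Host, now: datetime) -> list:
    """Ordered actions for one host, following VMware's sequence: upgrade to a
    supported version first, take a snapshot, then patch. Once the CISA
    deadline has passed, an unpatched affected host is flagged for removal."""
    if host.product not in AFFECTED_PRODUCTS or host.patched:
        return []
    actions = []
    if not is_supported(host.product, host.version):
        actions.append("upgrade to supported version")
    if not host.snapshot_taken:
        actions.append("take snapshot/backup")
    actions.append("apply patch")
    if now >= CISA_DEADLINE:
        actions.append("OVERDUE: patch or remove from network now")
    return actions


def triage_fleet(hosts, now: datetime) -> dict:
    """Map host name -> actions, listing only hosts that still need work."""
    report = {}
    for host in hosts:
        actions = triage(host, now)
        if actions:
            report[host.name] = actions
    return report


# Constructed inventory; the last host runs a product not on the advisory's list.
INVENTORY = [
    Host("idm-01", "VMware Identity Manager", "3.3.6", patched=False, snapshot_taken=True),
    Host("idm-02", "VMware Identity Manager", "3.3.3", patched=False, snapshot_taken=False),
    Host("vra-01", "VMware vRealize Automation", "8.6.2", patched=True, snapshot_taken=True),
    Host("esx-01", "VMware ESXi", "7.0.3", patched=False, snapshot_taken=False),
]

if __name__ == "__main__":
    for name, actions in triage_fleet(INVENTORY, datetime.now(timezone.utc)).items():
        print(f"{name}: " + " -> ".join(actions))
```

Feed it the real inventory and the real version table from the Knowledge Base, and run it again after each maintenance window: a host disappears from the report only when it is patched or no longer runs an affected product.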

On top of that, you shouldn’t forget that all information systems that have access to the Internet must have reliable security solutions installed. In the case of virtual environments, specialized protection should be used.

As an additional layer of protection, it also makes sense to use solutions that allow you to monitor activity across infrastructure and identify signs of malicious presence before attackers have time to do any real damage.
