Patch your VMware gear now – or yank it out, Uncle Sam tells federal agencies

Critical authentication bypass revealed, older flaws under active attack

Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) has issued two warnings in a single day to VMware users, as it believes the virtualization giant's products can be exploited by miscreants to gain control of systems.

The agency rates this threat as sufficiently serious to demand US government agencies pull the plug on their VMware products if patches can’t be applied.

Of the two warnings, one highlights a critical authentication bypass vulnerability – CVE-2022-22972, rated 9.8 out of 10 on the CVSS scale – that VMware revealed on Wednesday.

The flaw impacts five products: Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, vRealize Suite Lifecycle Manager and VMware Cloud Foundation. We're told "a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate."

The vulnerability in Cloud Foundation is terrifying, as that product is VMware’s tool for building and managing hybrid multi-cloud rigs running virtual machines and containers. That means an unauthorized user may be able to gain admin-level privileges and drive those resources on-prem, and potentially also on VMware-powered public clouds, of which there are over 4,000 run by VMware partners, plus partnerships with AWS, Microsoft, Google, Oracle, IBM Cloud, and Alibaba Cloud.

The impact on the other products is also significant, as Identity Manager and Workspace ONE Access control can grant access to apps and SaaS services through VMware’s application publishing tools, while vRealize has wide automation abilities that could touch on many aspects of hybrid cloud operations.

A second flaw, CVE-2022-22973, also revealed Wednesday allows attackers to become root in VMware Workspace ONE Access and VMware Identity Manager. The flaw is rated 7.8 out of 10.

The threat posed by the two security holes is so significant that CISA issued an emergency directive requiring US civilian government agencies to pull any internet-exposed implementations of Virtzilla’s vulnerable wares from production by May 23 as they should be considered compromised. US government agencies must also enumerate all use of the impacted products and patch them by the same deadline. If patching isn’t possible, CISA wants the products removed from agency networks whether they are internet-facing or not.

VMware is very widely used by US government agencies. If its products are turned off, considerable productivity and service disruption will likely follow.

CISA’s other warning to VMware users regards the flaws the IT giant revealed in early April 2022. The cybersecurity agency says attackers it feels are probably advanced persistent threat actors are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination to gain “full system control.” The flaws disclosed in April impact the same products as those hit by today’s disclosure.

A CISA incident response team is already working at a “large organization where the threat actors exploited CVE-2022-22954,” the agency’s advisory states. Indicators of exploitation and compromise have been spotted “at multiple other large organizations from trusted third parties.”

VMware’s FAQ about today’s disclosure asks, “Why is there a second VMSA for these software components?”

VMware’s answer states:

When a security researcher finds a vulnerability it often draws the attention of other security researchers, who bring different perspectives and experience to the research. VMware recognizes that additional patches are inconvenient for IT staff, but we balance that concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks.

Yet as the CISA advice suggests, VMware customers are not getting ahead of these attacks. Instead, they’re on a patching treadmill. ®

Other stories you might like

  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • VMware reveals vSphere-as-a-service – but not the price
    Cloudy vSphere+ can manage multiple on-prem environments but not VMw-powered public clouds … for now

    VMware today revealed details about Project Arctic, the vSphere-as-a-service offering it teased in late 2021, though it won't discuss pricing for another month.

    VMware's thinking starts with the fact that organizations are likely to run multiple instances of its vSphere and VSAN products, often in multiple locations. Managing them all centrally is not easy.

    Enter vSphere+ and VSAN+, which run in the cloud and can control multiple on-premises instances of vSphere or VSAN. To make that possible, users will need to adopt the Cloud Gateway, which connects vSphere instances to a Cloud Console.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading

Biting the hand that feeds IT © 1998–2022