{"id":19090,"date":"2022-05-19T05:10:08","date_gmt":"2022-05-19T13:10:08","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/19\/news-12823\/"},"modified":"2022-05-19T05:10:08","modified_gmt":"2022-05-19T13:10:08","slug":"news-12823","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/19\/news-12823\/","title":{"rendered":"VMWare vulnerabilities are actively being exploited, CISA warns"},"content":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Thu, 19 May 2022 12:42:13 +0000<\/strong><\/p>\n<p>The Cybersecurity &amp; Infrastructure Security Agency has issued an Emergency Directive <a href=\"https:\/\/www.cisa.gov\/emergency-directive-22-03\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">ED 22-03<\/a> and released a <a href=\"http:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-138b\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Cybersecurity Advisory (CSA)<\/a> about ongoing and expected exploitation of multiple vulnerabilities in several VMware products.<\/p>\n<h2>Chaining unpatched VMware vulnerabilities<\/h2>\n<p>The title of the advisory is \u201cThreat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\u201d. That&#8217;s a bit confusing since there are patches available for these vulnerabilities, but threat actors are actively attacking unpatched systems.<\/p>\n<p>The advisory warns organizations that malicious threat actors, most likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22954\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-22954<\/strong><\/a>: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. 
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.<\/p>\n<p>Server-side template injection is when an attacker is able to inject a malicious payload into a template, which is then executed server-side.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22960\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-22960<\/strong><\/a>: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to root.<\/p>\n<p>Both these vulnerabilities were patched on April 6, 2022. But it took malicious threat actors less than 48 hours to reverse engineer the vendor updates to develop an exploit and start exploiting these disclosed vulnerabilities in unpatched devices.<\/p>\n<p>On May 18, 2022, CISA said it expects malicious threat actors to quickly develop a capability to exploit CVE-2022-22972 and CVE-2022-22973 as well.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22972\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-22972<\/strong><\/a>: is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. In order to exploit this vulnerability, a remote attacker capable of accessing the respective user interface could bypass the authentication for these various products.<\/p>\n<p><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-22973\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>CVE-2022-22973<\/strong><\/a>: is a local privilege escalation vulnerability in the VMware Workspace ONE Access and Identity Manager. 
In order to exploit this vulnerability, an attacker would need to have local access to the vulnerable instances of Workspace ONE Access and Identity Manager. Successful exploitation would allow an attacker to gain \u201croot\u201d privileges.<\/p>\n<h2>Mitigation<\/h2>\n<p>CISA strongly encourages all organizations to deploy the updates provided in VMware Security Advisory <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2022-0014.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">VMSA-2022-0014<\/a> or remove those instances from networks. CISA added CVE-2022-22954 and CVE-2022-22960 to its <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">catalog of known exploited vulnerabilities<\/a>, and federal executive branch departments and agencies were all required to patch those vulnerabilities by May 5 and May 6 respectively. It stands to reason that the two new vulnerabilities will follow suit.<\/p>\n<p>CISA encourages organizations with affected VMware products that are accessible from the Internet to assume they have been compromised and to initiate threat hunting activities. 
To help with the threat hunting, CISA has provided detection methods and Indicators of Compromise (IOCs) in the <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-138b\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CSA<\/a>.<\/p>\n<p>In the Response Matrix, as listed in the <a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2022-0014.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">VMWare advisory<\/a>, you can find the impacted products and versions.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/05\/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns\/\">VMWare vulnerabilities are actively being exploited, CISA warns<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Pieter Arntz| Date: Thu, 19 May 2022 12:42:13 +0000<\/strong><\/p>\n<p>CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/exploits-and-vulnerabilities\/2022\/05\/vmware-vulnerabilities-are-actively-being-exploited-cisa-warns\/\">VMWare vulnerabilities are actively being exploited, CISA warns<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23583,26209,26210,26211,26212,26213,22783,26214,14138,26215,26216],"class_list":["post-19090","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cisa","tag-cve-2022-22954","tag-cve-2022-22960","tag-cve-2022-22972","tag-cve-202222973","tag-ed-22-03","tag-exploits-and-vulnerabilities","tag-identity-manager","tag-vmware","tag-vrealize","tag-workspace-one-access"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19090"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19090\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19090"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}