In a directive posted on May 18, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) declared that all Federal Civilian Executive Branch agencies were required to perform actions on several VMware products:
- VMware Workspace ONE Access (Access),
- VMware Identity Manager (vIDM),
- VMware vRealize Automation (vRA),
- VMware Cloud Foundation,
- vRealize Suite Lifecycle Manager.
This directive was released because attackers were able to reverse engineer a security patch that VMware had provided for the impacted products, and because of the suspicion that attackers could likewise reverse engineer a security update released on May 18 for two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973). Potential outcomes of exploitation include the ability to escalate user privileges, execute code remotely within the network, and obtain access to administrative accounts or systems without needing to authenticate. Both CVE-2022-22972 and CVE-2022-22973 carry a CVSSv3 rating of 7.8 (Important) or 9.8 (Critical).
CISA has recommended that impacted users first enumerate all instances of the impacted software (listed above) that are deployed within a given network. Once all installations have been enumerated, users should either install the updates contained within VMware Security Advisory VMSA-2022-0014 or remove all installations until a secure, vetted update can be installed.
This is regarded as a notable occurrence because urgent CISA directives are released infrequently. It is anticipated that an attacker who successfully exploits the listed VMware products could obtain sensitive information, compromise user systems, and obtain sustained access to organizations' networks.
The RSM War Room will continue to monitor the ongoing situation and provide updates as necessary.