Number: AL22-006
Date: 19 May 2022
Audience
This Alert is intended for IT professionals and managers of notified organizations.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Overview
On 18 May 2022 VMware published a Security Advisory to address vulnerabilities in multiple products Footnote 1. Of these vulnerabilities, CVE-2022-22972 has been rated as critical with a maximum CVSSv3 base score of 9.8. Open-source analysis indicates that systems within Canada may be vulnerable to exploitation by this and related vulnerabilities.
Details
On 18 May 2022 VMware published a Security Advisory to address two vulnerabilities, CVE-2022-22972 and CVE-2022-22973, in multiple products Footnote 1. One of these vulnerabilities, CVE-2022-22972, has a CVSSv3 score of 9.8 and could result in administrative access via authentication bypass. On the same day, the Cybersecurity and Infrastructure Security Agency (CISA) published an Emergency Directive to raise awareness of previous VMware vulnerabilities that are actively being exploited (CVE 2022-22954 and CVE 2022-22960) and instructs federal organisations to patch all four of these vulnerabilities as soon as possible Footnote 2.
The following products are affected:
- VMware Cloud Foundation – multiple versions
- VMware Identity Manager – multiple versions
- VMware vRealize Automation – versions 7.6 and 8.x
- VMware vRealize Suite Lifecycle Manager – versions 8.x
- VMware Workspace ONE Access – multiple versions
CISA indicates that after observing the short amount of time required to reverse engineer and begin exploiting CVE 2022-22954 and CVE 2022-22960, advanced persistent threat (APT) actors are highly likely to exploit CVE-2022-22972 and CVE-2022-22973 within a short timeframe. CISA states that exploitation of these vulnerabilities may permit malicious actors to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954), elevation of privileges to 'root' (CVE-2022-22960 and CVE-2022-22973) and the ability to obtain administrative access without the need to authenticate (CVE-2022-22972).
Recommended actions
The Cyber Centre recommends organizations follow the instructions provided by VMware Footnote 3, which include:
- Upgrade instances of unsupported versions to a newer, supported version before applying the patch. This patch will not work on unsupported versions.
- Take a snapshot or backup of the appliance(s) and the database server before applying the procedure.
- Download and install the patches provided by VMware.
- If patches cannot be immediately applied, VMware has provided a workaround as a temporary solution. It should be noted that applying the workaround will result in the loss of certain functionality.
In addition, the Cyber Center recommends that any Internet-accessible systems using affected products that have not been patched in response to VMware security advisories VMSA-2022-0011.1 Footnote 4 and VMSA-2022-0014 Footnote 1 should be disconnected until patching and an assessment that no exploitation has occurred are complete.
On 18 May 2022, CISA released Alert AA22-138B which outlines threat activity targeting unpatched VMware vulnerabilities that could result in full system control Footnote 5. The Alert contains various methods to detect malicious activity as well as incident response recommendations.
Should organizations identify associated activity to that described in this Alert, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).