CISA: Unpatched VMware Products Pose ‘Unacceptable Risk To Federal Network Security’

VMware says the vulnverabilities it disclosed in April have since been exploited. The federal government is warning the software’s users to immediately patch five products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The federal government is warning that unpatched VMWare products pose “an unacceptable risk to federal network security” while sounding the alarm for the software’s users to immediately apply updates to guard against intrusions on their own networks.

“These vulnerabilities pose an unacceptable risk to federal network security,” said Cybersecurity and Infrastructure Security Agency Director Jen Easterly in a statement Wednesday. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the federal government’s lead and take similar steps to safeguard their networks.”

Meanwhile, BleepingComputer is reporting that North Korean hackers have used a separate 2021 VMware exploit to install malware related to Log4J. The website said hackers are using “Vmware Horizon’s Apache Tomcat service to execute a PowerShell command. This PowerShell command will ultimately lead to installing the NukeSped backdoor on the server.”

VMware did not reply to a question about that exploit. It is not clear if they are related.

[RELATED: The Log4J Vulnerability: News And Analysis]

The vulnerabilities CISA warned users about Thursday have hit five products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

“Exploiting one of the four vulnerabilities permits attackers to execute remote code on a system without authentication and elevate privileges,” CISA wrote in its warning.

VMware encouraged customers who have not yet updated those products, to use a set of cumulative patches that the vendor provided in its May 19 security advisory, VMSA-2022-0014.

“The new cumulative patches address both the vulnerabilities from our April advisory, including CVE-2022-22954, as well as two additional vulnerabilities that were subsequently found and resolved in the same products,” the company said in a statement. “Workarounds have also been provided.”

Dustin Bolander, the CIO and founder of Clear Guidance Partners, an MSP in Austin, Texas, said in addition to making his own shop has its patches up-to-date, he reached out to vendor partners he knows are using VMware to make sure their versions of the popular software are up to date.

“Generally we put a ticket in and say, ‘We need an update in the next 24 hours. We need to know patch security.”

Bolander said most vendors are quick to respond, however some in the MSP space ignore their partners when these issues arise. He said the vendor piece is a critical step in security response.

“Statistically, if you have good security practices and you are doing all the things you are supposed to, its going to be one of your vendors that gets you compromised,” he said.

VMware said it first notified users and issued patches to the affected products on April 6. Those patches removed the vulnerability around “CVE-2022-22954” which could exploit VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager, the company said.

However, after that warning, unpatched versions of the product were maliciously used by bad actors, though VMware declined to provide details.

“Exploitations of that critical CVE have since been reported in unpatched instances, and yesterday CISA issued an emergency directive for Federal entities to patch immediately,” VMware said in a statement it attributed to a spokesperson.

Bolander said, for him, it was a reminder for all solution providers to keep their eyes open.

“Anytime these events come up I’m watching the news like a hawk,” he said.

One of the hacks, CVE-2022-22954, reached a 9.8 out of 10 on the Common Vulnerability ScoringSystem rating that ranks the severity of exploits. That is considered a “critical” threat. The CVSS score considers several aspects of the threat such as its complexity, the privileges required to carry it out – what if any exploit is required to carry it out at all – and what attackers can do once they are inside the environment.

When the threat is that pronounced, everyone begins calling their MSP, said Matt Hildebrandt, chief technology officer at StrataDefense, an MSSP in Wasseau, Wisc. He said there is some comfort in the fact that the affected software are not some of VMware’s more popular solutions.

“The entire world is watching news alerts from people like CISA,” he said. “The struggle is, typically, line of business folks are not reading far enough down in the article and it is causing some panic. Most of them are not using these products. These are all the peripheral things that are having problems on a regular basis.”

That said, Hildebrandt said, the CISA warning, while “stark” is none-the-less needed to reach busy folks who might otherwise not listen.

“It is very stark,” he said. “Given the language around it, I don’t think it’s too strong. If it gets people to pay attention, then it’s done its job. If it gets everyone thinking in security mindset, like ‘Hey we have to take vulnerabilities seriously.’ Then good. Look, Home Depot, Target. They all started with one machine that was allowed to do too much on the network. That’s how it starts.”