VMware has fixed a critical bug in several of its products through updates. The vulnerability, CVE-2022-22972, allows administrative access without authentication and affects the Workspace ONE Access, VMware Identity Manager (vIDM) and vRealize Automation products. The Cybersecurity and Infrastructure Security Agency (CISA), the cybersecurity arm of the U.S. Department of Homeland Security (DHS), has issued an emergency directive ordering U.S. federal agencies to update or remove VMware products affected by CVE-2022-22972 and CVE-2022-22973 from their networks within five days.
CVE-2022-22972 and CVE-2022-22973
The colleagues at Bleeping Computer point out the VMware security advisory VMSA-2022-0014, which applies to the following products.
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
An authentication bypass vulnerability, CVE-2022-22972, exists in these products and carries a CVSSv3 base score of 9.8. A malicious actor with network access to the user interface can exploit it to gain administrative access to the products listed above without authenticating.
In addition, there is a local privilege escalation vulnerability, CVE-2022-22973, in VMware Workspace ONE Access and VMware Identity Manager, rated with a CVSSv3 base score of 7.8. Attackers need local access to the appliance, but can then use the vulnerability to gain root privileges. VMware provides updates for the affected products, which are listed in advisory VMSA-2022-0014. VMware has also published an FAQ about the vulnerabilities and instructions for temporary workarounds that can be applied until the updates are installed.
The DHS directive
The U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive ordering U.S. federal agencies to update or remove VMware products affected by CVE-2022-22972 and CVE-2022-22973, as well as by the vulnerabilities addressed in VMware's April 2022 security patches (VMSA-2022-0011), from their networks within five days. The directive was published as EMERGENCY DIRECTIVE 22-03: MITIGATE VMWARE VULNERABILITIES.
By Monday, May 23, 2022, all affected VMware products on the networks of the agencies concerned must be identified and patched in accordance with VMware Security Advisory VMSA-2022-0014. Products that cannot be patched must be removed from the agency's network until the update can be applied.
If no updates are available because the products are no longer supported by the vendor (e.g., end of service, end of life), the unsupported products must be removed from the agency's networks immediately.
In addition, all instances of affected VMware products that are reachable from the Internet must be identified. Agencies must assume that any such Internet-exposed instance has already been compromised, disconnect it from the production network immediately and carry out the threat hunting activities described in the accompanying CISA Cybersecurity Advisory (CSA). The inventory of VMware instances on agency networks must also be reported to CISA by May 24, 2022.