The federal government warned that unpatched VMware products pose an “unacceptable risk to federal cybersecurity” and told users of the affected software to apply the vendor’s updates immediately to protect against intrusions on their networks.
“These vulnerabilities pose an unacceptable risk to federal cybersecurity,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a statement Wednesday. “CISA has issued this Emergency Directive to ensure that federal civil authorities take urgent action to protect their networks. We also strongly urge every organization – large and small – to follow the direction of the federal government and take similar steps to protect their networks.”
Meanwhile, BleepingComputer is reporting that North Korean hackers used a separate 2021 VMware exploit to install Log4j-related malware. The website says the hackers are using “VMware Horizon’s Apache Tomcat service to execute PowerShell commands. This PowerShell command will eventually lead to the installation of the NukeSped backdoor on the server.”
VMware did not respond to a question about that exploit. It is not clear whether the two are related.
The vulnerabilities CISA warned users about on Thursday affect five products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
“Exploiting one of the four vulnerabilities allows an attacker to remotely execute code on a system without authentication and elevation of privileges,” CISA wrote in its warning.
VMware is urging customers who have not yet updated those products to apply the cumulative set of patches the vendor provided in its May 19 security advisory, VMSA-2022-0014.
“The new cumulative patches address both the vulnerabilities from our April advisory, including CVE-2022-22954, as well as two additional vulnerabilities that were subsequently found and addressed in similar products,” the company said in a statement. “Workarounds have also been provided.”
Dustin Bolander, CIO and founder of Clear Guidance Partners, an MSP in Austin, Texas, said that in addition to making sure his own shop is current on the patches, he has been in contact with vendor partners he knows are running VMware to make sure their software versions are up to date.
“Generally, we put in tickets and say, ‘We need an update in the next 24 hours. We need to know about patch security.’”
Bolander says most vendors are quick to respond, yet some in the MSP space ignore their partners when these issues arise. The vendor piece of the puzzle is an important step in the security response, he said.
“Statistically, if you have good security practices and you’re doing all the things you’re supposed to do, that’s going to be one of the vendors that leaves you vulnerable,” he said.
VMware said it first notified users and released patches for the affected products on April 6. Those patches addressed the exploitable flaw CVE-2022-22954 in VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager, the company said.
After that warning, however, unpatched versions of the products were exploited by bad actors with malicious intent, although VMware declined to provide details.
“That critical CVE exploit has been reported in unpatched cases, and yesterday CISA issued an urgent directive for federal entities to patch it immediately,” VMware said in a statement provided by a spokesperson.
For him, it’s a reminder for all solution providers to keep an eye out, Bolander said.
“Whenever these events happen, I watch the news like a hawk,” he said.
One of the vulnerabilities, CVE-2022-22954, scored 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the rating system that ranks the severity of a vulnerability. That is considered “critical.” The CVSS base score considers several aspects of the flaw, such as how it is reached (over the network or only locally), its attack complexity, the privileges and user interaction required to exploit it, and what an attacker can do to confidentiality, integrity and availability once they are in the environment.
When the threat was announced, customers started calling their MSPs, said Matt Hildebrandt, chief technology officer at StrataDefense, an MSSP in Wausau, Wis. There is some comfort, he said, in the fact that the affected software is not among VMware’s more widely deployed products.
“The whole world is watching news announcements from people like CISA,” he said. “Often the struggle is that business people don’t read the article deeply enough, and it is causing some panic. Most of them do not use these products. These are all the peripheral things that frequently run into problems.”
That said, Hildebrandt said, CISA’s warning, while forceful, was necessary to reach busy people who may not be listening.
“It was very clear,” he said. “Given the language around it, I don’t think it’s too strong. If it gets people’s attention, it’s done its job. If it makes people think in a security mindset, like ‘Hey, we have to take security holes seriously,’ good then. Look, Home Depot, Target. It all starts with a machine that is allowed to do so many things on the network. That’s how it started.”