The BSI reports that a combined exploitation of critical vulnerabilities can allow the takeover of selected VMWare products. The issue has a warning status of Yellow. The Common Vulnerability Scoring System (CVSS) rates the vulnerabilities at 7,8 (high) and 9,8 as critical.
On May 18.05.2022th, 2022 the company VMWare published the security advisory VMSA-0014-2022 with information on two critical vulnerabilities in various VMWare products. A combined exploit of the CVE-22972-2022 and CVE-22973-XNUMX vulnerabilities could allow attackers to gain administrative access with root privileges without authentication.
The following products are affected by these two vulnerabilities
- VMware Workspace ONE Access (Access) (Version <= 21.08.0.1),
- VMware Identity Manager (vIDM) (version <= 3.3.6),
- VMware vRealize Automation (vRA) (version <= 7.6),
- VMware Cloud Foundation (version <= 4.3.x),
- vRealize Suite Lifecycle Manager (version <= 8.x).
CVE-2022-22972 is an authentication bypass vulnerability that allows an attacker with network access through the Direct Console User Interface (DCUI) of the VMWare products to gain administrative access obtain without having to authenticate (see [MIT2022a]). CVE-2022-22973 enables local privilege escalation, which allows local attackers to gain root privileges.
VMware Vulnerabilities “High” and “Critical”
According to the Common Vulnerability Scoring System (CVSS), the severity of the vulnerabilities is classified as “critical” (CVE-9.8-2022) at 22972 or “high” (CVE-7.8-2022) at 22973 (CVSSv3). The American Cybersecurity & Infrastructure Security Agency (CISA) reported on May 18.05.2022, 2022 that attackers (including Advanced Persistent Threat (APT) groups) had succeeded in exploiting the CVE-22954-2022 and CVE-22960-vulnerabilities patched in April. 2022 to exploit. Based on this experience, CISA assumes that CVE-22972-2022 and CVE-22973-XNUMX could also be exploited in the near future. The BSI currently has no information regarding active exploitation of the published vulnerabilities.
Precautions and recommendations of the BSI
Basically, the DCUI should not be accessible from the Internet. Therefore, this option is disabled by default by the manufacturer. If this is not the case, it is advisable to immediately disconnect the corresponding device from the network and check the network for anomalies. CISA provides corresponding Snort signatures, YARA rules and Indicators of Compromise (IoC).
The BSI strongly recommends importing the current version of the VMWare products. Security patches can be obtained from the official VMware Patch Download Center (see [VMW2022a]). If it is not possible to switch to a secure version of the software immediately, the manufacturer recommends implementing a temporary workaround as soon as possible (see [VMW2022a]) until the security patches can be installed. The manufacturer has also provided an FAQ website about the vulnerabilities.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.