The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to fix critical vulnerabilities in VMware products by Monday or remove the products from service.<\/p>\n\n\n\n
Multiple VMware products are affected by two new critical vulnerabilities that the company issued updates for yesterday. Recorded as CVE-2022-22972<\/a> and CVE-2022-22973<\/a>, the bugs allow an authentication bypass and a local privilege escalation.<\/p>\n\n\n\n In ordering federal agencies to patch<\/a> affected products quickly, CISA said in its emergency directive<\/a> that it “expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities.”<\/p>\n\n\n\n The authentication bypass is the most critical of the vulnerabilities, as an attacker with simple network access can gain administrative access without authentication. As a result, CVE-2022-22972 was rated a 9.8, just below the highest critical severity rating. The exploit can also be chained with the local privilege escalation (CVE-2022-22973) to gain root access.<\/p>\n\n\n\n VMware has published<\/a> a detailed list of vulnerable products:<\/p>\n\n\n\n CISA noted in its directive that “these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action.”<\/p>\n\n\n\n “Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954<\/a>); escalate privileges to ‘root’ (CVE-2022-22960<\/a> and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972),” the agency added.<\/p>\n\n\n\n CVE 2022-22954 and CVE 2022-22960 were detected in April and allow hackers to gain full control of the targeted systems.<\/p>\n\n\n\n VMware customers must immediately patch Workspace ONE Access, Identity Manager, and vRealize Automation, CISA said. The agency also strongly encouraged administrators to run behavioral analysis<\/a> on root accounts to detect any suspicious activity and collect IoCs (indicators of compromise).<\/p>\n\n\n\n If you have affected VMware products that are accessible from the internet, you should “Assume compromise, immediately disconnect from the production network,” and conduct threat hunting<\/a> activities as outlined in a CISA alert<\/a>.<\/p>\n\n\n\n Read next: Top Vulnerability Management Tools for 2022<\/strong><\/a><\/p>\n\n\n