High Severity VMware Vulnerabilities Under Active Exploitation

This bulletin was written by Travis Holland and Eric Dodge of the Kudelski Security Threat Detection & Research Team

Executive Summary

On May 18th, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released Emergency Directive 22-03 requiring U.S. Federal Government agencies to patch VMware vulnerabilities under active exploitation or vulnerabilities CISA expects to be exploited in the next 48 hours. Due to active exploitation of vulnerabilities made public in April, and additional vulnerabilities published in May, the Cyber Fusion Center strongly advises all organizations with vulnerable instances to take immediate action.

VMware has released two security advisories related to vulnerabilities that may be exploited by nation-state and advanced threat actors. VMSA-2022-0014 was issued on May 18th and contains details for two newly disclosed vulnerabilities: an authentication bypass issue, assigned CVE-2022-22972, which impacts VMware Workspace ONE Access, Identity Manager and vRealize Automation; and a privilege escalation vulnerability, assigned CVE-2022-22973, which impacts VMware Workspace ONE Access and Identity Manager. At this time neither is known to have been exploited in the wild; however, CISA, VMware, and the CFC expect threat actors to begin exploiting these issues shortly.

In April of 2022, VMware produced a separate security advisory, VMSA-2022-0011, which contained details of eight (8) vulnerabilities, ranging from critical to moderate. The vulnerabilities disclosed in April include remote code execution, authentication bypass, local privilege escalation issues, and more. The vulnerabilities disclosed in April impact a wide range of VMware products, including VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Some of the vulnerabilities disclosed in April are known to have been actively exploited in the wild by a wide range of threat actors. VMware has provided patches and workarounds for all identified vulnerabilities; however, the CFC strongly advises organizations to apply patches rather than leverage temporary workarounds as the workarounds can have a noticeable impact on business operations.

For additional details about these vulnerabilities, including versions of VMware software impacted, please review the rest of this bulletin.

Summary of VMware Product Versions Impacted by April and May 2022 Vulnerabilities

Below is a table that highlights which VMware products are impacted by the vulnerabilities disclosed by VMware throughout the months of April and May. For additional details on these vulnerabilities, please review the contents of this bulletin and, if applicable, any linked sources and content.

VMware Vulnerabilities Disclosed in May 2022 (VMSA 2022-0014)

On May 18th VMware released an advisory for two new vulnerabilities, CVE-2022-22972 and CVE-2022-22973: an authentication bypass and a local privilege escalation issue, respectively. Both require network or local access to the respective VMware product's user interface in order to be exploited. Due to the nature of these vulnerabilities, CISA has issued an emergency directive requiring U.S. Government agencies to patch or mitigate these issues within 5 days. The vulnerabilities are not currently being exploited; based on how quickly similar vulnerabilities from April 2022 were reverse engineered, exploitation is expected to begin within the next 48 hours.

Authentication Bypass Vulnerability (CVE-2022-22972)

CVE-2022-22972 is a critical severity authentication bypass vulnerability with a CVSSv3 score of 9.8. It allows an attacker with network access to the software's user interface to bypass authentication for any local domain user.

Note that for some software systems, such as VMware Workspace ONE Access or VMware Identity Manager, the user interfaces may be intentionally exposed to the internet; such deployments should be prioritized for remediation.

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager
  • vRealize Automation

Local Privilege Escalation (CVE-2022-22973)

CVE-2022-22973 is an important local privilege escalation vulnerability with a CVSSv3 score of 7.8. This vulnerability allows a malicious actor with local access to escalate privileges to ‘root.’

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager

Resolution/Mitigation

VMware recommends patching as soon as possible to remediate CVE-2022-22972 and CVE-2022-22973. The patch instructions can be found in KB88438, also provided below in the sources section. A workaround is currently available; however, it may impact business operations, and patching is highly recommended. The workaround prevents administrators from logging into the Workspace ONE console via the local admin account. More information on performing the workaround can be found in KB8843, which is available below in the sources section.

VMware Vulnerabilities Disclosed in April 2022 (VMSA 2022-0011)

Multiple vulnerabilities have been identified that impact several VMware products, including Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation and vRealize Suite Lifecycle Manager. The Cyber Fusion Center is aware of several threat actors actively exploiting these vulnerabilities for initial access and strongly recommends that organizations with vulnerable versions of the software assume breach and investigate deployments for potential compromise. VMware has provided patches to remediate all identified vulnerabilities, and patches should be applied immediately.

Details regarding the vulnerabilities disclosed by

Server-side Template Injection (CVE-2022-22954)

Critical severity remote code execution vulnerability, exploitable via server-side template injection, with a CVSSv3 score of 9.8. This vulnerability allows a malicious actor with network access to trigger a server-side template injection that may result in code execution. It is known to have been used by several threat actors to gain initial access to organizations with these VMware products deployed.

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager

OAuth2 ACS Authentication Bypass (CVE-2022-22955, CVE-2022-22956)

Critical severity authentication bypass vulnerability in the OAuth2 ACS framework with a CVSSv3 score of 9.8. Because of exposed endpoints in the authentication framework, a malicious actor can bypass authentication and execute any operation.

Component(s) Impacted

  • Workspace ONE Access

JDBC Injection Remote Code Execution (CVE-2022-22957, CVE-2022-22958)

Critical severity remote code execution vulnerabilities with a CVSSv3 score of 9.1. These vulnerabilities allow code execution by triggering deserialization of untrusted data through a malicious JDBC URI.

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager
  • vRealize Automation

Cross Site Request Forgery (CVE-2022-22959)

Important severity cross site request forgery vulnerability with a CVSSv3 score of 8.8.  This vulnerability allows a malicious actor to trick a user into validating a malicious JDBC URI through cross site request forgery.

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager
  • vRealize Automation

Local Privilege Escalation (CVE-2022-22960)

Important severity local privilege escalation vulnerability with a CVSSv3 score of 7.8.  This vulnerability allows a malicious actor with local access to escalate privileges to ‘root.’

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager
  • vRealize Automation

Information Disclosure (CVE-2022-22961)

Moderate severity information disclosure vulnerability with a CVSSv3 score of 5.3. This vulnerability allows a malicious actor with remote access to leak the hostname of the targeted system, potentially enabling further targeting of the victim.

Component(s) Impacted

  • Workspace ONE Access
  • Identity Manager
  • vRealize Automation

Resolution/Mitigation

VMware recommends applying available patches as soon as possible to remediate the vulnerabilities described in this bulletin. The patch instructions can be found in KB88099, also provided below in the sources section.

VMware has provided temporary workarounds; however, there is a high likelihood that these workarounds will impact business operations. As such, the CFC strongly recommends applying patches as soon as possible rather than relying on workarounds. Information on performing the workaround can be found in KB88098, which is available below in the sources section.

Sources
