Unpatched VMware Products Pose an “Unacceptable Risk to Federal Network Security”

Federal government warns that unpatched VMWare products pose “unacceptable risk to federal network security” while sounding alarm for software users to immediately apply updates to guard against intrusions on their own networks .

“These vulnerabilities pose an unacceptable security risk to the federal network,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said in a statement Wednesday. “CISA issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge all organizations, large and small, to follow the lead of the federal government and take similar steps to protect their networks.

Meanwhile, BleepingComputer reports that North Korean hackers used a separate VMware 2021 exploit to install malware related to Log4J. The website states that hackers are using “Vmware Horizon’s Apache Tomcat service to run a PowerShell command. This PowerShell command will ultimately lead to the installation of the NukeSped backdoor on the server.

VMware did not respond to a question about this exploit. It is unclear if they are related.

[RELATED: The Log4J Vulnerability: News And Analysis]

The vulnerabilities that CISA warned users on Thursday affected five products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

“Exploitation of any of the four vulnerabilities allows attackers to remotely execute code on a system without authentication and elevate privileges,” CISA wrote in its advisory.

VMware encouraged customers who have not yet updated to these products to use a set of vendor-supplied rollups in its May 19 security advisory, VMSA-2022-0014.

“The new update rollups address both vulnerabilities from our April advisory, including CVE-2022-22954, as well as two additional vulnerabilities that were later found and resolved in the same products,” the company said in a statement. communicated. “Workarounds were also provided.”

Dustin Bolander, CIO and founder of Clear Guidance Partners, an MSP in Austin, Texas, said that in addition to making sure his own store has its patches up to date, he reached out to vendor partners he knows how to use. VMware to ensure their versions of popular software are up to date.

“Usually we put in a ticket and say, ‘We need an update in the next 24 hours. We need to know about patch security.

Bolander said most vendors respond quickly, but some in the MSP space ignore their partners when these issues arise. He said the vendor coin is a critical step in the security response.

“Statistically, if you have good security practices and do everything you’re supposed to do, it’s going to be one of your vendors that compromises you,” he said.

VMware said it first notified users and released fixes for affected products on April 6. These patches removed the vulnerability around “CVE-2022-22954” which could exploit VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager, the company said. .

However, after this warning, unpatched versions of the product were used maliciously by bad actors, although VMware declined to provide details.

“Exploits of this critical CVE have since been reported in unpatched instances, and yesterday CISA issued an emergency directive for federal entities to patch immediately,” VMware said in a statement attributed to a spokesperson.

Bolander said for him it was a reminder for all solution providers to keep their eyes peeled.

“Whenever these events occur, I watch the news like a hawk,” he said.

One of the hacks, CVE-2022-22954, scored 9.8 out of 10 on the Common Vulnerability ScoringSystem rating that ranks the severity of exploits. This is considered a “critical” threat. The CVSS score takes into account several aspects of the threat, such as its complexity, the privileges required to execute it – and whether an exploit is required to execute it – and what attackers can do once they are in. the environment.

When the threat is this pronounced, everyone starts calling their MSP, said Matt Hildebrandt, chief technology officer at StrataDefense, an MSSP in Wasseau, Wisc. He said there was some comfort in the fact that the affected software was not among VMware’s most popular solutions.

“The whole world watches news alerts from people like CISA,” he said. “The struggle is, usually people in the business line don’t read far enough into the article and that causes some panic. Most of them don’t use these products. It’s all the peripheral stuff. who regularly encounter problems.

That said, said Hildebrandt, CISA’s warning that “shrill” is nevertheless necessary to reach busy people who might otherwise not listen.

“It’s very hard,” he said. “Given the language around it, I don’t think it’s too strong. If it gets people’s attention, it’s done its job. If that gets everyone thinking about security, like “Hey, we need to take vulnerabilities seriously.” So good. Look, Home Depot, Target. They all started with a machine that was allowed to do too much on the network. That’s how it starts.

Kevin M. Risinger