VMware patches authentication bypass and privilege escalation flaws in various products

Customers are urged to patch immediately; one of the vulnerabilities carries a critical severity score

VMware flaws have been patched. The company addresses critical flaws and recommends patching affected products as soon as possible.

Two security flaws affecting VMware Workspace ONE Access, Identity Manager, VMware Cloud Foundation, and vRealize Automation could be exploited by attackers to deploy backdoors and other malware on enterprise networks. Both issues were reported by Bruno Lopez of Innotec Security. He found that a malicious actor with network access to the UI could obtain administrative access without first authenticating.[1]

The flaws are tracked as CVE-2022-22972 and CVE-2022-22973.[2] The first is an authentication bypass: an attacker with network access to the UI can obtain administrative access without authenticating. The second is a local privilege escalation: an attacker with local access can escalate to root on vulnerable virtual appliances. VMware states that it is critical to take immediate steps to mitigate these issues in on-premises deployments.[3] Patching is left to administrators and customers, but it is strongly recommended, as it closes the door to future exploitation and the incidents that would follow.

Previous VMware vulnerabilities have recently been exploited by botnet operators and other threat actors for malware deployment and DDoS attacks. Those incidents led CISA to issue an emergency directive ordering federal agencies to disconnect affected devices from their networks or apply the updates by May 23rd.[4]

Immediate action to avoid issues with multiple products

Because these vulnerabilities are particularly severe, VMware has patched both the critical authentication bypass and the high-severity local privilege escalation; if exploited, they could give an attacker elevated permissions on unpatched devices. VMware provides installation instructions and a guide for downloading the patches.

The patches cover VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Temporary workarounds are available for admins who cannot apply the patches immediately.

The workaround requires admins to disable all users except the one provisioned administrator, then log in via SSH and restart the horizon-workspace service. This is only a stopgap: it does not fully address CVE-2022-22972, which only the patch fixes.

The only way to remove the vulnerabilities from your environment is to apply the patches provided in VMSA-2022-0014. Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not.

CISA releases advisory to address four critical VMware flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that advanced persistent threat groups are exploiting these vulnerabilities.[5] The two newly patched flaws were included in the advisory alongside the bugs addressed earlier.[6] Researchers note that an unauthenticated actor with network access to the web interface can trigger the flaws and execute arbitrary code.

Shell command execution followed by privilege escalation can lead to lateral movement to other systems. The CISA alert also notes that the actors exploiting these flaws have deployed post-exploitation tools such as the Dingo J-spy webshell, which was observed in incidents at three organizations.

Soon after the earlier flaws, CVE-2022-22954 and CVE-2022-22960, were publicly acknowledged on April 6th, researchers observed numerous exploitation attempts. Most of the attacking IPs were located in the US: at least 76% of the observed attacks came from the USA, followed by 6% from the UK and Russia.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with a degree in Communication and Journalism studies.
