The Cybersecurity and Infrastructure Security Agency (CISA) issued a new emergency directive (ED 22-03) on Wednesday, May 18, 2022, saying that vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk (Miller, 2022).
The same day, VMware published advisory VMSA-2022-0014 disclosing multiple security flaws in those products. These newly disclosed vulnerabilities put customers at serious risk.
At CloudCover, we explain what VMware announced, what it means, and how our CloudCover CC/B1 Platform™ kept customers' networks safe against real-time 'never-before-seen' attacks, including attacks on vulnerabilities that had not yet been disclosed, such as those in VMware's announcement.
What threat does the VMware vulnerability pose?
The vulnerabilities are tracked as CVE-2022-22972 and CVE-2022-22973: the first is an authentication bypass with a CVSSv3 base score of 9.8 out of 10, the second a local privilege escalation with a score of 7.8. CVE-2022-22972 could allow a malicious actor with network access to the product's UI to obtain administrative access without authenticating. CVE-2022-22973 could allow a malicious actor with local access to escalate privileges to 'root'.
Context matters here: the April exploitation that CISA cites in its directive did not involve these two CVEs, which were only disclosed on May 18. Security firm Rapid7 observed active exploitation in the wild on April 12, 2022, six days after VMware issued patches for the earlier Workspace ONE Access flaws in VMSA-2022-0011 (including CVE-2022-22954). Soon after, several public proof-of-concept exploits were being used to install coin miners on vulnerable systems (Tung, 2022). CISA's point is that attackers turned those April patches into working exploits within days, and the same should be expected for CVE-2022-22972 and CVE-2022-22973. VMware has already released patches (see https://www.vmware.com/security/advisories/VMSA-2022-0014.html) and customers should apply them as quickly as possible; CloudCover CC/B1 customers are fully protected in the meantime.
VMware's own guidance shows why these vulnerabilities deserve the attention they are getting, for two reasons:
- The VMware blog: “When a security researcher finds a vulnerability it often draws the attention of other security researchers, who bring different perspectives and experience to the research. VMware recognizes that additional patches are inconvenient for IT staff, but we balance that concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks,” the company wrote in a blog post.
- Are there any downsides to using the workaround? The workaround will make admins unable to log into the Workspace ONE Access console using the local admin account, which may impact your organization's operations. The only way to remove the vulnerabilities from your environment is to apply the patches provided in VMSA-2022-0014. Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not. While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this type of issue.
For these reasons, the initial VMware disclosure and the first attacks against it are likely only the beginning. If your installed version is outside general support, follow VMware's extended support process to request patches and other information.
How does CloudCover's CC/B1 protect against VMware's newly announced vulnerabilities?
CloudCover has possessed real-time signatures for this specific attack vector since its discovery on April 12-13, 2022, and variant signatures for similar attack vectors for the past several years. Using our advanced AI-based (automated intelligence) and ML (machine learning) detection algorithms, CloudCover's CC/B1 detected this unauthenticated attack both with our current signature base and with our real-time risk-analytic AWARE engine, within a fraction of a second of observing it.
This one-two punch of risk awareness and risk control means our customers are fully protected and know whether they have been affected by the VMware vulnerabilities. Because the CC/B1 has already neutralized the CVE-2022-22972 and CVE-2022-22973 threats, our CC/B1 customers no longer have to go through the usual "threat hunt".
What's the best way to protect against VMware's newly announced vulnerabilities?
First, the good news. VMware's vulnerabilities can be remediated: the patches in VMSA-2022-0014 can be rolled out through the normal patch management process of any company using the affected platforms and products. The vulnerabilities themselves don't migrate or mutate, so they won't evolve. Even if an exploit for them did change shape, we would be able to recognize the (as yet unknown) variant as it attempted to cause damage and neutralize it in near real time.
So what is the best way to protect against the VMware vulnerabilities? Make the shift to the new era of CyberSafety: being aware of the threats to your network in real time before the attack happens, stopping those attacks immediately with CC/B1's deep inspection, and transferring the residual risk through real-time cybersecurity network insurance.
Our CC/B1 Platform can assist with your CyberSafety shift. Request a demo today by heading to cloudcover.cc/request-a-demo or sending an email to [email protected].
References:
Tung, Liam (May 19, 2022). "Patch these vulnerable VMware products or remove them from your network, CISA warns federal agencies." ZDNet. https://www.zdnet.com/article/patch-these-vulnerable-vmware-products-or-remove-them-from-your-network-cisa-warns-federal-agencies/
Miller, Jason (May 18, 2022). "CISA issues rare emergency directive as 'critical' cyber vulnerabilities emerge." Federal News Network. https://federalnewsnetwork.com/cybersecurity/2022/05/cisa-issues-rare-emergency-directive-as-critical-cyber-vulnerabilities-emerge/