CISA has issued an alert covering Common Vulnerabilities and Exposures (CVEs) in several VMware products, noting that threat actors are likely to exploit these vulnerabilities quickly. Organizations of all sizes should follow the federal government’s lead and take steps to safeguard their networks. Threat actors who exploit vulnerabilities in the affected VMware products are capable of:
- Triggering a server-side template injection that results in remote code execution
- Escalating privileges to ‘root’ and obtaining administrative access; chained with the template injection above, this requires no prior authentication
The vulnerabilities that threat actors are likely to exploit are tracked as CVE-2022-22954 and CVE-2022-22960, and affect the following VMware products:
- Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
To mitigate these vulnerabilities, CISA directs all Federal Civilian Executive Branch (FCEB) agencies to complete the following actions:
- Enumerate all instances of impacted VMware products on agency networks
- For all instances of impacted VMware products, deploy the updates, or remove the instances from the network until the updates can be applied
- Disconnect all impacted VMware products that are accessible from the internet
- Assume all such internet-accessible instances are compromised
- Conduct the threat hunt activities outlined by CISA
- Report any anomalies
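One concrete hunt that supports the "assume compromised" and "conduct threat hunt activities" steps above is to search the web server access logs of the affected products for the template-injection attempts described at the top of this page. The script below is an added example written for this page, not CISA's or SecuLore's own hunt content: the log format (Common Log Format), the template-delimiter heuristic, the request paths and the sample log lines are all assumptions constructed for illustration. It URL-decodes every query parameter (repeatedly, to catch double encoding) and flags any value that carries template-expression syntax.

```python
"""Hunt a web-server access log for server-side template injection attempts.

Added example for illustration: the regular expressions, paths and log lines
below are assumptions, not indicators published by CISA or VMware.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Expression delimiters of widely used server-side template engines:
# ${...} (FreeMarker/EL), #{...} and *{...} (Thymeleaf), {{...}} (Jinja2/Twig),
# <%= ... %> (JSP/ERB). Assumption: a request parameter of a login or admin UI
# never legitimately contains any of these.
TEMPLATE_EXPR_RE = re.compile(r'(\$\{|#\{|\*\{|\{\{|<%=)')


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_attempts(log_lines):
    """Return one finding per request parameter that carries template syntax."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a production hunt would count these
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes once; decode again for double-encoded payloads
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_unquote(raw)
            if TEMPLATE_EXPR_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return findings


# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Apr/2022:10:00:01 +0000] "GET /ui/login?redirect=%2Fhome HTTP/1.1" 200 512',
    '198.51.100.23 - - [14/Apr/2022:10:00:05 +0000] "GET /ui/verify?error=&deviceId=%24%7B7*7%7D HTTP/1.1" 400 0',
    '198.51.100.23 - - [14/Apr/2022:10:00:09 +0000] "GET /ui/verify?error=&deviceId=%2524%257B7*7%257D HTTP/1.1" 200 1024',
    '192.0.2.9 - - [14/Apr/2022:10:01:00 +0000] "POST /ui/search?q=%7B%7B7*7%7D%7D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in find_ssti_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} param={f['param']} "
              f"value={f['value']!r} status={f['status']}")
```

Run it against the real access logs of each enumerated instance; a 200 response to a request carrying template syntax is the line to escalate, since it suggests the payload was evaluated rather than rejected. Treat hits as a starting point for the isolation and log-collection steps that follow, not as proof of compromise on their own.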
If administrators discover system compromise, CISA recommends organizations take the following actions:
- Immediately isolate affected systems.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Report incidents to CISA via CISA’s 24/7 Operations Center (email or 888-282-0870)
SecuLore™ OverWatch provides 24/7/365 network monitoring through our patented Paladin™ technology to detect vulnerabilities in your network and detect anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
The FCC recommends all organizations have a vulnerability risk assessment completed every 90 days. SecuLore’s™ CyberBenchmark fulfills policy requirements and helps you understand where your network is vulnerable, as well as providing actionable remediation recommendations to help protect your network.
SecuLore Support Team