DHS orders federal agencies to fix VMware bugs within 5 days


The Department of Homeland Security’s Cybersecurity Unit today ordered Federal Civilian Executive Branch (FCEB) agencies to urgently update or remove VMware products from their networks by Monday due to an increased risk of attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-03 on Wednesday after VMware patched two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973) today, an authentication bypass and a local privilege escalation affecting multiple products.

In April, VMware patched another set of critical vulnerabilities, a remote code execution bug (CVE-2022-22954) and a “root” privilege escalation (CVE-2022-22960), in VMware Workspace ONE Access and VMware Identity Manager.

While today’s VMware bugs have not yet been exploited in the wild, attackers began exploiting those patched in April within 48 hours of reverse engineering the update, deploying coinminers and installing backdoors.

The full list of VMware products affected by these four security bugs includes:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

VMware said of the four security flaws that they “should be fixed or mitigated immediately,” adding that their ramifications “are serious.”

Agencies ordered to patch or take products offline by Monday

CISA has determined that all of these security vulnerabilities pose an unacceptable risk to federal agencies and has ordered them to take urgent action against CVE-2022-22972 and CVE-2022-22973 within 5 days, by May 23.

“This determination is based on confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of affected software in federal enterprise and the high potential for compromise of agency information systems,” the cybersecurity agency said.

“CISA expects threat actors to quickly develop an ability to exploit these newly released vulnerabilities in the same affected VMware products.”

According to the new emergency directive, all FCEB agencies must take the following actions by 5:00 p.m. EDT on Monday, May 23, 2022:

  1. Find all affected VMware products on their networks and deploy updates or remove them from the network until they can be fixed.
  2. Assume that all impacted VMware products exposed to the Internet are compromised, conduct threat hunting activities and report any anomalies to CISA.

By 12:00 a.m. EDT on Tuesday, May 24, 2022, all agencies must report the status of all VMware instances found on their networks using Cyberscope.

“This emergency directive remains in effect until CISA determines that all agencies operating the affected software have taken all actions required by this directive or the directive is terminated by other appropriate action,” the CISA statement added.

