VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware has issued patches to contain two security flaws[1]
impacting Workspace ONE Access, Identity Manager, and vRealize
Automation that could be exploited to backdoor enterprise
networks.

The first of the two flaws, tracked as CVE-2022-22972 (CVSS
score: 9.8), concerns an authentication bypass that could enable an
actor with network access to the UI to gain administrative access
without prior authentication.

CVE-2022-22973 (CVSS score: 7.8), the other bug, is a case of
local privilege escalation that could enable an attacker with local
access to elevate privileges to the “root” user on vulnerable
virtual appliances.

“It is extremely important that you quickly take steps to patch
or mitigate these issues in on-premises deployments,” VMware
said[2].

The disclosure follows a warning[3] from the U.S. Cybersecurity and
Infrastructure Security Agency (CISA) that advanced persistent threat
(APT) groups are exploiting CVE-2022-22954 and CVE-2022-22960 — two
other VMware flaws that were fixed[4] early last month[5] — separately
and in combination.

“An unauthenticated actor with network access to the web
interface leveraged CVE-2022-22954 to execute an arbitrary shell
command as a VMware user,” it said. “The actor then exploited
CVE-2022-22960 to escalate the user’s privileges to root. With root
access, the actor could wipe logs, escalate permissions, and move
laterally to other systems.”

On top of that, the cybersecurity authority noted that threat
actors have deployed post-exploitation tools such as the Dingo
J-spy web shell in at least three different organizations.

IT security company Barracuda Networks, in an independent report[6],
said it has observed consistent probing attempts in the wild for
CVE-2022-22954 and CVE-2022-22960 soon after the shortcomings became
public knowledge on April 6.

More than three-fourths of the attacker IPs, about 76%, are said
to have originated from the U.S., followed by the U.K. (6%), Russia
(6%), Australia (5%), India (2%), Denmark (1%), and France
(1%).

Some of the exploitation attempts recorded by the company
involve botnet operators, with the threat actors leveraging the
flaws to deploy variants of the Mirai[7]
distributed denial-of-service (DDoS) malware.

The issues have also prompted CISA to issue an emergency directive[8]
urging federal civilian executive branch (FCEB) agencies to apply
the updates by 5 p.m. EDT on May 23 or disconnect the devices from
their networks.

“CISA expects threat actors to quickly develop a capability to
exploit these newly released vulnerabilities in the same impacted
VMware products,” the agency said.

The patches arrive a little over a month after the company
rolled out an update to resolve a critical security flaw in its
Cloud Director product (CVE-2022-22966[9]) that could be
weaponized to launch remote code execution attacks.

CISA warns of active exploitation of F5 BIG-IP
CVE-2022-1388

It’s not just VMware that’s under fire. The agency has also
released a follow-up advisory with regards to the active
exploitation of CVE-2022-1388[10] (CVSS score: 9.8), a
recently disclosed remote code execution flaw affecting BIG-IP
devices.

CISA said[11] it expects to “see
widespread exploitation of unpatched F5 BIG-IP devices (mostly with
publicly exposed management ports or self IPs) in both government
and private sector networks.”

References

  1. two security flaws (www.vmware.com)
  2. said (core.vmware.com)
  3. warning (www.cisa.gov)
  4. fixed (thehackernews.com)
  5. early last month (thehackernews.com)
  6. independent report (blog.barracuda.com)
  7. Mirai (thehackernews.com)
  8. emergency directive (www.cisa.gov)
  9. CVE-2022-22966 (thehackernews.com)
  10. CVE-2022-1388 (thehackernews.com)
  11. said (www.cisa.gov)