Barracuda researchers have sounded the alarm that newly disclosed, critical vulnerabilities in several VMware products are a core focus for a tidal wave of cyber attacks. The vulnerabilities have been used to load botnets on target systems or install backdoors--oftentimes using recently disclosed flaws in Log4j. The primary VMware vulnerability being exploited is being tracked as CVE-2022-22954 [1]. Massive amounts of target probe attempts have been observed by Barracuda, many followed by exploit attempts.
Affected Products
CVE-2022-22954 is rated as a 9.8 out of 10 in criticality--making it what most organizations consider a critical flaw [2]. What follows are some descriptions of affected products.
VMware Workspace ONE Access and Identity Manager. Workspace ONE is a platform offered by VMware for delivering enterprise applications to any device to increase support for remote access. The VMware identity manager handles authentication to the aforementioned platform. If successfully exploited, attackers can use the vulnerability to perform remote code execution (RCE) via server-side template injection if the attackers have network access.
Server-side template injection issues can potentially be used by attackers to execute any shell command as the VMware user. This can give them free reign to commit a wide range of malicious actions.
Rapid Patching Needed
Cybercriminals and cybercrime organizations are increasing the speed with which they start scanning for newly disclosed vulnerabilities; this, in turn, is increasing the risk to target organizations and requires more rapid patching capabilities--which is difficult to implement without a well-developed security program. This vulnerability is particularly dangerous because VMware infrastructure is widely used in data center and cloud environments.
To make matters worse, attackers are sometimes including exploitation of a second vulnerability: CVE-2022-22960. This second issue is rated with a CVSS score of 7.8, and provides attackers with local privilege escalation (LPE) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The last of those three products is another commonly used VMware product providing a platform for structuring private clouds. Inappropriate permissions inside support scripts are the cause of the vulnerability. The associated VMware advisory states that the issue may allow attackers with local access to gain root privileges [3].
These issues were only disclosed in April, but a proof of concept exploit was quickly released on GitHub and spread through social media, leading to probing and exploit attempts a short time later.
As noted earlier, organizations seeking to protect themselves in light of the decreasing window of time between announcement and exploit attempts for third party software and technology products developed in-house should focus on streamlining configuration management processes. Webcheck Security expert consultants are an excellent resource if your organization wishes to avoid the pitfalls of trial and error, providing steady handed and efficient guidance for improving configuration management and building capabilities across your security program.
Sources: