Security Advisory: Critical vulnerabilities in VMware

CVE(s) (if available): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961, CVE-2022-22972, CVE-2022-22973

Security Advisory VmWareSummary
In early April VMware released patches for remote code execution and authentication bypass vulnerabilities against multiple VMWare products, including VMware Workspace ONE Access, VMWare identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. Per VMware’s advisories([0],[1]) adversaries with network access to these appliances could lead to exploitation. The Cybersecurity & Infrastructure Security Agency (CISA) has released an Alert stating that a “trusted third party” has identified this vulnerability as being exploited in the wild. Publicly available Proof-of-Concept exploits are appearing on Github generating an even greater sense of urgency to patch vulnerable versions.

Security Advisory: Critical Vulnerabilities in VMware from Lacework on Vimeo.

In The Wild – EnemyBot
Lacework Labs is actively monitoring their sensor network for opportunistic attackers leveraging the vulnerability and integrating appropriate IoCs within the Lacework product. At this time, Lacewok Labs has identified “Enemybot” targeting these CVEs as well as the recent remote code execution vulnerability within F5’s Big IP (CVE-2022-1388) line of products. Enemybot is the latest variant of Keksec’s DDOS malware and has been observed exploiting a host of other vulnerabilities including those for IoT devices.

For more details on Keksec, refer to Lacework Labs’ blogs and Github.

Known Affected Software

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

At the time of this writing, this is currently an evolving story and Lacework Labs will be closely monitoring the situation. Following security advisories from VMware ([2],[3]) and ensuring vulnerable hosts are monitored and patched

Supporting Articles

For more content like this follow us on Twitter and LinkedIn!