DHS orders federal agencies to patch VMware bugs within 5 days

The Department of Homeland Security's cybersecurity unit ordered Federal Civilian Executive Branch (FCEB) agencies today to urgently update or remove VMware products from their networks by Monday due to an increased risk of attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the Emergency Directive 22-03 on Wednesday after VMware patched two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973) today, an auth bypass and a local privilege escalation affecting multiple products.

In April, VMware patched another set of critical vulnerabilities, a remote code execution bug (CVE-2022-22954) and a 'root' privilege escalation (CVE-2022-229600) in VMware Workspace ONE Access and VMware Identity Manager.

While today's VMware bugs are not yet exploited in the wild, attackers started exploiting the ones fixed in April within 48 hours after reverse-engineering the update to deploy coinminers and install backdoors.

The complete list of VMware products impacted by these four security bugs includes:

• VMware Workspace ONE Access (Access)
• VMware Identity Manager (vIDM)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

VMware said about all four security flaws that they "should be patched or mitigated immediately," adding that their ramifications "are serious."

Agencies ordered to patch or disconnect until Monday

CISA determined that all these security flaws pose an unacceptable risk to federal agencies and has ordered them to take emergency action to patch them against CVE-2022-22972 and CVE-2022-22973 within 5 days, by May 23.

"This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems," the cybersecurity agency said.

"CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products."

According to the new emergency directive, all federal civilian agencies have to take the following actions by 5 PM EDT on Monday (May 23, 2022):

1. Find all impacted VMware products on their networks and deploy updates or remove them from the network until they can be patched.
2. Assume compromise for all Internet-exposed impacted VMware products, conduct threat hunt activities, and report any anomalies to CISA.

By 12 PM EDT on Tuesday (May 24, 2022), all agencies should report the status of all VMware instances found on their networks using Cyberscope.

"This Emergency Directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action," CISA added.