The Department of Homeland Security (DHS) has ordered Federal Civilian Executive Branch (FCEB) agencies to quickly patch or remove VMware products from their networks due to ongoing attacks.
A warning to patch the bugs
The DHS' Cybersecurity and Infrastructure Security Agency (CISA) stated that it expects some threat actors to develop a capability to exploit these vulnerabilities soon, leading to a high risk of cybersecurity incidents.
These VMware bugs have not yet been exploited in the wild. However, attackers have been observed exploiting similar bugs within 48 hours of a patch's release, reverse-engineering the update to build exploits that deploy backdoors and coinminers.
The impacted products include VMware Workspace ONE Access, Identity Manager (vIDM), vRealize Automation (vRA), Cloud Foundation, and the vRealize Suite Lifecycle Manager.
An exploit is released
Proof-of-concept (PoC) exploit code has been published by Horizon3 security researchers for the critical authentication bypass vulnerability (CVE-2022-22972).
The PoC uses the flaw to bypass authentication on vRealize Automation 7.6 and gain admin privileges.
According to the researchers, the bug is a simple 'Host' header manipulation vulnerability, and attackers would not need much time to develop an exploit for it.
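As an added, defender-side illustration (not code from the article, VMware or Horizon3): a Host-header allow-list check of the kind a front-end proxy or application should enforce, applied to constructed access-log lines to surface requests whose Host value is not a name the service is legitimately reached by. The hostnames, log format and request paths are assumptions made for this example.

```python
import re
from typing import Iterable

# Hostnames the front end is legitimately reached by (assumed values for this example).
ALLOWED_HOSTS = {"vra.example.internal", "vra.example.internal:443"}

# Constructed access-log format: client, timestamp, request line, status, size, and the
# Host header the client sent, logged as host="...". Real logs need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"$'
)

def normalize_host(host: str) -> str:
    """Lower-case and trim the Host value; an explicit default HTTPS port is dropped."""
    host = host.strip().lower()
    return host[:-4] if host.endswith(":443") else host

def host_allowed(host_header: str) -> bool:
    """Exact match against the allow-list; an empty or missing Host header is rejected."""
    if not host_header:
        return False
    allowed = {normalize_host(h) for h in ALLOWED_HOSTS}
    return normalize_host(host_header) in allowed

def unexpected_host_requests(lines: Iterable[str]) -> list[dict]:
    """Return parsed entries whose Host header is not one the service should ever see."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently treat it as benign
        if not host_allowed(m.group("host")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status", "host")})
    return hits

SAMPLE_LOG = [  # constructed sample lines; addresses and names are placeholders
    '10.0.0.5 - - [23/May/2022:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 host="vra.example.internal"',
    '10.0.0.5 - - [23/May/2022:10:00:02 +0000] "POST /login HTTP/1.1" 200 128 host="VRA.EXAMPLE.INTERNAL:443"',
    '198.51.100.7 - - [23/May/2022:10:01:00 +0000] "POST /login HTTP/1.1" 200 128 host="198.51.100.7"',
    '198.51.100.7 - - [23/May/2022:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 host="attacker-controlled.example"',
    '198.51.100.7 - - [23/May/2022:10:01:09 +0000] "POST /login HTTP/1.1" 400 0 host=""',
]

if __name__ == "__main__":
    for hit in unexpected_host_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> Host: {hit["host"]!r}')
```

The same allow-list check belongs in the request path itself (rejecting mismatched Host values before authentication logic runs), with the log review serving as a retrospective check for hosts that were already exposed.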
VMware has already released security updates that fix the vulnerability, and the firm states that the flaws should be patched quickly.
Conclusion
CISA and security researchers agree that attackers can quickly develop exploits for these newly disclosed vulnerabilities, and that their exploitation may have serious consequences for organizations. Organizations are therefore strongly advised to maintain a robust patch management process so that software is updated with the latest patches in a timely manner.