Posted on April 16, 2022 at 8:40 AM
Recent threat intelligence reporting shows ongoing attack activity against a VMware Workspace ONE Access vulnerability, including the deployment of cryptocurrency miners on compromised systems. The reporting indicates that the critical flaw is under active exploitation.
The vulnerability, tracked as CVE-2022-22954, is a server-side template injection bug that can be turned into remote code execution. It affects Workspace ONE Access and VMware Identity Manager, and the VMware products that bundle those components. VMware patched it on April 6 alongside seven other vulnerabilities, most of them rated important or critical. Installations that have not applied the patch remain vulnerable; VMware has also published workarounds.
The Bug Can Allow An Attacker To Launch Remote Code Attacks
Cloud computing and virtualization firm VMware also stated that it has resolved a separate critical security flaw in its Cloud Director product, a different vulnerability from CVE-2022-22954. The vendor warned that, if left unpatched, it could be weaponized by threat actors to achieve remote code execution.
That Cloud Director flaw carries a CVSS score of 9.1 out of a maximum of 10, which puts it in the critical range (CVE-2022-22954 itself is rated 9.8). VMware credited security researcher Jari Jääskelä with discovering and reporting the Cloud Director bug before a patch was available.
VMware Cloud Director is used by a number of cloud providers to operate and manage their cloud infrastructure and to gain visibility into data centers across sites and geographies. Exploiting that flaw could give threat actors access to sensitive data and potentially control of the private clouds across an entire infrastructure.
The other seven vulnerabilities patched alongside CVE-2022-22954 on April 6 are CVE-2022-22961, CVE-2022-22960, CVE-2022-22959, CVE-2022-22958, CVE-2022-22957, CVE-2022-22955, and CVE-2022-22956. VMware gives full details of each in its security advisory.
The CVE-2022-22954 Bug Is Different From Other Critical Vulnerabilities
VMware also updated its advisory to explain why this vulnerability stands apart from the other critical bugs: it has already been exploited in the wild. In line with that, researchers published proof-of-concept (PoC) exploits on Twitter earlier this week, and one PoC published on GitHub contains enough detail to reproduce the bug.
Threat intelligence providers have also observed attackers attempting to exploit the vulnerability. Those reporting the activity include security researcher Daniel Card, GreyNoise Intelligence, and Bad Packets.
On the same day VMware confirmed the exploitation, Card tweeted that crypto miners were already being deployed and that ransomware should be expected soon.
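Once a template-injection bug is reported as exploited, the first thing a defender wants is a way to find attempts in their own web access logs. The following Python script is an added example, not code from the original article or from VMware: it parses constructed Apache combined-style log lines, percent-decodes request targets and query values repeatedly (so double-encoded payloads are not missed), and flags any request whose parameters carry template syntax. The log lines, hostnames, endpoint paths, parameter names and marker patterns are assumptions made for illustration; they are not the affected product's endpoints, and the payloads are harmless SSTI probes rather than a working exploit. The FreeMarker-style markers are listed first; the `{{ }}` pattern generalizes the check to Jinja/Twig-style engines.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-style access-log lines. Hosts, paths, parameter names
# and timestamps are made up for illustration; they are not the affected product's
# endpoints, and the payloads are harmless SSTI probes, not a working exploit.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2022:10:01:02 +0000] "GET /ui/verify?error=none&deviceUdid=abc-123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Apr/2022:10:02:15 +0000] "GET /ui/verify?error=&deviceUdid=%24%7B7*7%7D HTTP/1.1" 400 0 "-" "curl/7.81.0"
198.51.100.7 - - [13/Apr/2022:10:02:40 +0000] "GET /ui/verify?deviceUdid=%2524%257B7*7%257D HTTP/1.1" 400 0 "-" "curl/7.81.0"
192.0.2.9 - - [13/Apr/2022:10:03:01 +0000] "GET /ui/verify?deviceUdid=%3C%23assign+x%3D1%3E HTTP/1.1" 500 0 "-" "python-requests/2.27"
203.0.113.5 - - [13/Apr/2022:10:04:10 +0000] "POST /ui/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Template syntax that has no business appearing in a device identifier or an error
# parameter. These are assumed, generic markers, not a signature for a specific exploit.
TEMPLATE_MARKERS = (
    ("freemarker_interpolation", re.compile(r"\$\{.*?\}")),
    ("freemarker_directive", re.compile(r"<#\s*\w+")),
    ("freemarker_new_builtin", re.compile(r"\?\s*new\s*\(")),
    ("brace_interpolation", re.compile(r"\{\{.*?\}\}")),
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads do not slip past the patterns."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_template_markers(text: str) -> list[str]:
    """Return the names of all template-syntax patterns present in text."""
    return [name for name, pattern in TEMPLATE_MARKERS if pattern.search(text)]


def parse_log_line(line: str) -> dict | None:
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines) -> list[dict]:
    """Flag requests whose path or any query parameter carries template syntax."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # Check the whole target and each parameter value separately: parse_qsl
        # decodes one layer, fully_decode strips any further layers.
        candidates = [fully_decode(rec["target"])]
        candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        markers = sorted({name for c in candidates for name in find_template_markers(c)})
        if markers:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": int(rec["status"]),
                "decoded_target": candidates[0],
                "markers": markers,
            })
    return hits


def suspicious_sources(hits) -> dict[str, int]:
    """Count flagged requests per client IP, for pivoting into firewall or EDR data."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["decoded_target"]} -> {", ".join(h["markers"])}')
    print(suspicious_sources(found))
```

A hit with a 200 or 302 status deserves more attention than a 400, since it means the application accepted the input; either way, the flagged source addresses are the starting point for checking process lists and outbound connections for the miners described above.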
VMware has also provided a workaround for CVE-2022-22954, but the vendor stresses that a workaround does not remove the vulnerability; applying the patch is the only way to do that.
Workarounds May Not Remove The Vulnerability
VMware says that although workarounds may look like a convenient solution, they do not remove the bugs and can introduce further problems that a later patch cannot fix. For that reason the vendor does not advise relying on a workaround for this type of vulnerability.
In its recommendation, VMware states that patching is always the simplest and most reliable way to resolve the issue permanently. Systems that have not been patched remain exposed, while patched systems are no longer meaningfully affected by further exploitation attempts. Patching does not, however, undo a compromise that has already taken place, so systems that were exposed before the patch should also be checked for signs of exploitation, such as the crypto miners already reported.
The Vulnerability Has Been Seen In The Wild
A VMware spokesperson stated that the vendor has updated its April 6 security advisory to confirm that the vulnerability is being exploited in the wild. When the bug was first disclosed there was little evidence of exploitation, but follow-up research on CVE-2022-22954 has since established that it has been exploited. The spokesperson warned that exploitation is ongoing and urged customers to apply the patch as soon as possible to avoid becoming victims.
The spokesperson also reiterated that although a workaround has been provided in the advisory, the best way to stay safe is to apply the patch as soon as possible.
“VMware encourages customers to … apply the latest product updates for their environment,” the spokesperson noted. The Cloud Director patches followed within 24 hours of VMware confirming in-the-wild exploitation of CVE-2022-22954.