The threats could impact a large number of companies, the agency says.
The U.S. Cybersecurity and Infrastructure Security Agency has issued alerts about five software vulnerabilities that likely affect a large number of organizations.
Four of the vulnerabilities were found in VMware Inc. products. The fifth vulnerability affects a load balancer from F5 Inc., a publicly traded provider of data center equipment and software.
According to the advisory, threat actors are likely to exploit CVE-2022-22972 and CVE-2022-22973 in several products including VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, much like they did in relation to CVE-2022-22954 and CVE-2022-22960 in April. CISA has urged organizations to take swift action to mitigate the risks associated with the vulnerabilities.
This week, VMware released an update for CVE-2022-22972 and CVE-2022-22973, which CISA said it expects threat actors to quickly exploit. The agency’s emergency directive says that “exploiting the vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).”
CISA also issued an alert concerning BIG-IP, a popular load balancer from F5 that organizations use to manage network traffic. Certain versions of the load balancer have been found to contain a vulnerability known as CVE-2022-1388. It “enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses,” according to the alert.
Recommendations for mitigation
F5 released a patch for the vulnerability on May 4. Since then, CISA says proof-of-concept code demonstrating how to use the vulnerability to launch cyberattacks has been publicly released. The agency warned that hackers have already begun targeting affected systems.
CISA also issued recommendations to the general public. “CISA strongly encourages all organizations to deploy updates provided in VMware Security Advisory VMSA-2022-0014 or remove those instances from networks. CISA also encourages organizations with affected VMware products that are accessible from the internet to assume compromise and initiate threat hunting activities using the detection methods provided in the CSA (Cybersecurity Alert).”
CISA is encouraging organizations to take a number of additional steps to secure their BIG-IP deployments. Among other measures, CISA stated that organizations should ensure the load balancer’s management interface is not accessible from the internet.