CVE-2022-22972: VMware Patches Additional Workspace ONE Access Vulnerabilities (VMSA-2022-0014)


Organizations and government agencies are strongly advised to patch two newly disclosed vulnerabilities in VMware products, following warnings from VMware and the Cybersecurity and Infrastructure Security Agency.

Background

On May 18, VMware published an advisory (VMSA-2022-0014) to address two vulnerabilities across several VMware products:

CVE             Description                                CVSSv3
CVE-2022-22972  Authentication Bypass Vulnerability        9.8
CVE-2022-22973  Local Privilege Escalation Vulnerability   7.8

Affected products include:

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
vRealize Lifecycle Manager
VMware vRealize Automation (vRA)
VMware Cloud Foundation

This advisory follows a similar advisory from April (VMSA-2022-0011), where VMware patched multiple vulnerabilities across the same set of products.

Today, the Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 22-03 for all Federal Civilian Executive Branch (FCEB) agencies to address two flaws from VMSA-2022-0011 (CVE-2022-22954 and CVE-2022-22960) as well as the two flaws patched today, based on the expectation that threat actors will “quickly develop a capability to exploit these newly released vulnerabilities.”

Additionally, CISA published an alert (AA22-138B) highlighting how threat actors are chaining these VMware vulnerabilities to gain “full system control.” The alert also includes indicators of compromise and detection methods for defenders and incident responders.

Analysis

CVE-2022-22972 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users. A remote attacker with network access to the user interface of one of these products could bypass its authentication. It is the more severe of the two flaws patched today, with a CVSSv3 score of 9.8. This vulnerability was credited to security researcher Bruno López of Innotec Security.

CVE-2022-22973 is a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager. To exploit it, an attacker would already need local access to a vulnerable Workspace ONE Access or Identity Manager instance. Successful exploitation would allow the attacker to gain “root” privileges.

Last month’s VMware bugs prompt concern for today’s advisory

Within two days of VMware publishing its advisory for VMSA-2022-0011, researchers at GreyNoise began to observe exploitation attempts targeting CVE-2022-22954, a server-side template injection vulnerability:

We’re seeing ~10 IPs exploiting the VMWare Workspace ONE RCE (CVE-2022-22954) at-scale across the internet in @GreyNoiseIO. FW Blocks + Tags available to all users and customers now. https://t.co/uvRpXl7QYf

Insanely quick work by @kimb3r__, #Konstantin, @_mattata, @nathanqthai pic.twitter.com/XEQOmWKg6C

— Andrew Morris (afk) (@Andrew___Morris) April 13, 2022

In addition to CVE-2022-22954, VMware confirmed in-the-wild exploitation of CVE-2022-22960, a local privilege escalation vulnerability.

Considering the swiftness with which attackers began to exploit these two flaws from VMSA-2022-0011, the expectation is that attackers will be able to quickly develop a proof-of-concept (PoC) exploit for CVE-2022-22972 and begin scanning for vulnerable instances across the internet. This appears to be CISA’s expectation, prompting the agency to publish the Emergency Directive for FCEBs to quickly remediate these flaws.

Proof of concept

At the time this blog post was published, there were no public PoC exploits for either of the flaws addressed in VMware’s VMSA-2022-0014 advisory.

Solution

VMware released patches for the vulnerabilities in the following affected products:

Product/Component                       Affected Versions
VMware Workspace ONE Access Appliance   21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager Appliance       3.3.6, 3.3.5, 3.3.4, 3.3.3
VMware vRealize Automation              7.6

VMware publishes second FAQ document for Workspace ONE flaws

For the second straight month, VMware has published a companion frequently asked questions (FAQ) document to provide additional clarification for the flaws addressed in VMSA-2022-0014. Once again, VMware underscores the importance of patching these flaws, stressing that the ramifications are “serious.”

Because VMware updates are cumulative, applying the fixes for VMSA-2022-0014 will also address the flaws in VMSA-2022-0011. VMware has provided a workaround for organizations that are not able to patch immediately; however, applying the workaround prevents admins from logging into the Workspace ONE Access console. VMware strongly recommends patching as it’s the “only way to remove the vulnerabilities from your environment.”

VMware notes that vSphere as well as the connectors for Workspace ONE Access and VMware Identity Manager are not affected.

Identifying affected systems

A list of Tenable plugins covering the CVEs outlined in this blog can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear.

Get more information

VMWare Advisory: VMSA-2022-0014
VMware VMSA-2022-0014 FAQ
Workaround instructions to address CVE-2022-22972

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components)


Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on May 18

SEC Consult Vulnerability Lab Security Advisory < 20220518-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components)
vulnerable version: see section “Vulnerable / tested versions”
fixed version: see SAP security notes…


PHPIPAM 1.4.4 – CVE-2021-46426


Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18

=====[ Tempest Security Intelligence – ADV-03/2022 ]==========================

PHPIPAM – Version 1.4.4

Author: Rodolfo Tavares

Tempest Security Intelligence – Recife, Pernambuco – Brazil

=====[ Table of Contents ]==================================================

* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability Information…


LiquidFiles – 3.4.15 – Stored XSS – CVE-2021-30140


Posted by Rodolfo Augusto do Nascimento Tavares via Fulldisclosure on May 18

=====[ Tempest Security Intelligence – ADV-12/2021 ]==========================

LiquidFiles – 3.4.15

Author: Rodolfo Tavares

Tempest Security Intelligence – Recife, Pernambuco – Brazil

=====[ Table of Contents ]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References

=====[ Vulnerability…


Deepfence Cloud builds on ThreatStryker security observability platform


Deepfence, a security observability and protection company, has launched Deepfence Cloud, a fully managed, cloud-native security SaaS observability system built on the company’s on-premises ThreatStryker software.

Deepfence Cloud, unveiled at the KubeCon + CloudNativeCon Europe 2022 event this week, is aimed at observing runtime indicators of attack (IOA), and indicators of compromise (IOC) and correlating events to provide real-time monitoring of attacks as well as mitigation and remediation capabilities. The software is generally available now.



How SAML works and enables single sign-on


What is SAML and what is it used for?

The Security Assertion Markup Language (SAML) is an open standard that allows security credentials to be shared by multiple computers across a network. It describes a framework that allows one computer to perform some security functions on behalf of one or more other computers.

Strictly speaking, SAML refers to the XML variant language used to encode all this information, but the term can also cover the various protocol messages and profiles that make up the rest of the standard. Because SAML is an open standard, it can coordinate security measures across applications and systems from different vendors. As a result, many security vendors use SAML as the basis for their commercial offerings to ensure interoperability.
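What the "security functions performed on behalf of other computers" look like in practice, as an added example that is not from the article or from any SAML library: a service provider receives an XML Response from the identity provider and must check several things before trusting the asserted identity. The code below parses a constructed SAML 2.0 Response (issuer, audience, subject and timestamps are made-up values) with the standard library and applies those consumer-side checks: success status, presence of a signature, expected issuer, validity window, audience restriction and subject. Cryptographic verification of the XML signature is assumed to happen elsewhere (for example with xmlsec) and is not implemented here.

```python
"""Consumer-side checks a SAML 2.0 service provider (SP) applies to a Response.

Constructed example, not from the article or any SAML library. Signature
verification is assumed to be done separately by an XML-signature library;
this code only refuses unsigned assertions.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed identifiers for this example's IdP and SP (not real endpoints).
IDP_ISSUER = "https://idp.example.test/metadata"
SP_AUDIENCE = "https://sp.example.test/metadata"

# Constructed sample Response; the Signature element is an empty placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2022-05-18T12:00:00Z" Destination="https://sp.example.test/acs">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-05-18T12:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2022-05-18T11:59:00Z" NotOnOrAfter="2022-05-18T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2022-05-18T11:59:30Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC in xsd:dateTime form, e.g. 2022-05-18T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                      now: datetime) -> str:
    """Return the asserted NameID, or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    # Only a signed assertion binds the IdP to these claims; the actual
    # signature verification is assumed to be done by an XML-signature library.
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # NotBefore is inclusive, NotOnOrAfter is exclusive; reject replays of old assertions.
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    return name_id


def demo() -> tuple:
    """Happy path, then an expired assertion, then one meant for another SP."""
    fresh = parse_saml_time("2022-05-18T12:01:00Z")
    late = parse_saml_time("2022-05-18T12:10:00Z")
    ok = consume_assertion(SAMPLE_RESPONSE, IDP_ISSUER, SP_AUDIENCE, fresh)
    try:
        consume_assertion(SAMPLE_RESPONSE, IDP_ISSUER, SP_AUDIENCE, late)
        expired = None
    except ValueError as exc:
        expired = str(exc)
    try:
        consume_assertion(SAMPLE_RESPONSE, IDP_ISSUER, "https://other-sp.example.test/metadata", fresh)
        wrong_audience = None
    except ValueError as exc:
        wrong_audience = str(exc)
    return ok, expired, wrong_audience


if __name__ == "__main__":
    print(demo())
```

The audience and validity-window checks are what stop an assertion issued for one application from being replayed against another; when parsing XML that arrives from the network, use a hardened parser such as defusedxml rather than the bare standard-library one.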



Senators Urge FTC to Probe ID.me Over Selfie Data


Some of the more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for “deceptive statements” the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

In a letter to FTC Chair Lina Khan, the Senators charge that ID.me’s CEO Blake Hall has offered conflicting statements about how his company uses the facial scan data it collects on behalf of the federal government and many states that use the ID proofing technology to screen applicants for unemployment insurance.

The lawmakers say that in public statements and blog posts, ID.me has frequently emphasized the difference between two types of facial recognition: One-to-one, and one-to-many. In the one-to-one approach, a live video selfie is compared to the image on a driver’s license, for example. One-to-many facial recognition involves comparing a face against a database of other faces to find any potential matches.

Americans have particular reason to be concerned about the difference between these two types of facial recognition, says the letter to the FTC, signed by Sens. Cory Booker (D-N.J.), Edward Markey (D-Mass.), Alex Padilla (D-Calif.), and Ron Wyden (D-Ore.):

“While one-to-one recognition involves a one-time comparison of two images in order to confirm an applicant’s identity, the use of one-to-many recognition means that millions of innocent people will have their photographs endlessly queried as part of a digital ‘line up.’ Not only does this violate individuals’ privacy, but the inevitable false matches associated with one-to-many recognition can result in applicants being wrongly denied desperately-needed services for weeks or even months as they try to get their case reviewed.”

“This risk is especially acute for people of color: NIST’s Facial Recognition Vendor Test found that many facial recognition algorithms have rates of false matches that are as much as 100 times higher for individuals from countries in West Africa, East Africa and East Asia than for individuals from Eastern European countries. This means Black and Asian Americans could be disproportionately likely to be denied benefits due to a false match in a one-to-many facial recognition system.”
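Why the letter treats one-to-many matching as riskier than one-to-one, as an added worked example that is not from the article, the senators or ID.me: a matcher with per-comparison false match rate p makes one comparison in a 1:1 check but N comparisons in a 1:N search, so an innocent applicant's query has N chances to collide with someone else's enrolled face. The per-comparison rate, gallery sizes and the 100x multiplier below are illustrative assumptions, not NIST measurements.

```python
"""False-match exposure of one-to-one vs one-to-many face matching.

Constructed example, not from the article or ID.me. It models a matcher whose
per-comparison false match rate (FMR) is p, with comparisons treated as
independent. p and the gallery sizes are assumptions for illustration.
"""
import math


def false_match_prob(p: float, comparisons: int) -> float:
    """P(at least one impostor comparison is wrongly accepted) over `comparisons`."""
    if not 0.0 <= p < 1.0 or comparisons < 0:
        raise ValueError("p must be in [0,1) and comparisons >= 0")
    return 1.0 - (1.0 - p) ** comparisons


def one_to_one_fmr(p: float) -> float:
    """1:1 verification: the selfie is compared with exactly one enrolled image."""
    return false_match_prob(p, 1)


def one_to_many_fmr(p: float, gallery_size: int) -> float:
    """1:N identification: the selfie is compared with every gallery entry."""
    return false_match_prob(p, gallery_size)


def max_gallery_for_budget(p: float, budget: float) -> int:
    """Largest gallery a 1:N search can cover before the per-query false-match
    probability exceeds `budget`; solves 1-(1-p)^N <= budget for integer N."""
    if not 0.0 < p < 1.0 or not 0.0 < budget < 1.0:
        raise ValueError("p and budget must be in (0,1)")
    return math.floor(math.log(1.0 - budget) / math.log(1.0 - p))


def demographic_gap(p_base: float, gallery_size: int, multiplier: float = 100.0) -> dict:
    """Per-query false-match probability for a baseline group and for a group whose
    per-comparison FMR is `multiplier` times higher, both searched against the
    same gallery. The default multiplier echoes the 100x gap the letter cites."""
    p_high = p_base * multiplier
    return {
        "baseline_1to1": one_to_one_fmr(p_base),
        "baseline_1toN": one_to_many_fmr(p_base, gallery_size),
        "elevated_1to1": one_to_one_fmr(p_high),
        "elevated_1toN": one_to_many_fmr(p_high, gallery_size),
    }


if __name__ == "__main__":
    p = 1e-6  # assumed per-comparison FMR
    for n in (1, 10_000, 1_000_000, 10_000_000):
        print(f"gallery={n:>11,}  P(false match per query)={one_to_many_fmr(p, n):.4f}")
    print("largest gallery within a 1% per-query budget:", max_gallery_for_budget(p, 0.01))
    print(demographic_gap(p, 1_000_000))
```

With the assumed p of one in a million, a 1:1 check carries that same one-in-a-million risk, but a search over a million-entry gallery wrongly matches roughly 63% of queries, and a group whose per-comparison rate is 100x worse is almost certain to collide; the budget solver shows how small a gallery has to be for 1:N to stay within a given false-match tolerance.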

The lawmakers say that throughout the latter half of 2021, ID.me published statements and blog posts stating it did not use one-to-many facial recognition and that the approach was “problematic” and “tied to surveillance operations.” But several days after a Jan. 16, 2022 post here about the IRS’s new facial ID requirement went viral and prompted a public backlash, Hall acknowledged in a LinkedIn posting that ID.me does use one-to-many facial recognition.

“Within days, the company edited the numerous blog posts and white papers on its website that previously stated the company did not use one-to-many to reflect the truth,” the letter alleges. “According to media reports, the company’s decision to correct its prior misleading statements came after mounting internal pressure from its employees.”

Cyberscoop’s Tonya Riley published excerpts from internal ID.me employee Slack messages wherein some expressed dread and unease with the company’s equivocation on its use of one-to-many facial recognition.

In February, the IRS announced it would no longer require facial scans or other biometric data from taxpayers seeking to create an account at the agency’s website. The agency also pledged that any biometric data shared with ID.me would be permanently deleted.

But the IRS still requires new account applicants to sign up with either ID.me or Login.gov, a single sign-on solution already used to access 200 websites run by 28 federal agencies. It also still offers the option of providing a live selfie for verification purposes, although the IRS says this data will be deleted automatically.

Asked to respond to concerns raised in the letter from Senate lawmakers, ID.me instead touted its successes in stopping fraud.

“Five state workforce agencies have publicly credited ID.me with helping to prevent $238 billion dollars in fraud,” the statement reads. “Conditions were so bad during the pandemic that the deputy assistant director of the FBI called the fraud ‘an economic attack on the United States.’ ID.me played a critical role in stopping that attack in more than 20 states where the service was rapidly adopted for its equally important ability to increase equity and verify individuals left behind by traditional options. We look forward to cooperating with all relevant government bodies to clear up any misunderstandings.”

As Cyberscoop reported on Apr. 14, the House Oversight and Reform Committee last month began an investigation into ID.me’s practices, with committee chairwoman Carolyn Maloney (D-N.Y.) saying the committee’s questions to the company would help shape policy on how the government wields facial recognition technology.

A copy of the letter the senators sent to the FTC is here (PDF).

