Emergency Directive 22-03 Mitigate VMware Vulnerabilities


May 18, 2022

This page contains a web-friendly version of the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 22-03, “Mitigate VMware Vulnerabilities."

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.” 44 U.S.C. § 3553(h)(1)–(2). Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency. 6 U.S.C. § 655(3). Federal agencies are required to comply with these directives. 44 U.S.C. § 3554 (a)(1)(B)(v). These directives do not apply to statutorily defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community. 44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B).

Background

Threat actors, including likely advanced persistent threat (APT) actors, are exploiting vulnerabilities (CVE 2022-22954 and CVE 2022-22960) in the following VMware products: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. VMware released an update to address these vulnerabilities on April 6, 2022, and threat actors were able to reverse engineer the update and begin exploitation of impacted VMware products that remained unpatched within 48 hours of the update’s release.

On May 18, 2022, VMware released an update for two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973). Based on the above, CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to 'root' (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).

CISA has determined that these vulnerabilities pose an unacceptable risk to Federal Civilian Executive Branch (FCEB) agencies and require emergency action. This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.

Note that requirements from CISA’s Binding Operational Directives 22-01 and 19-02 remain in effect. CVE 2022-22954 and CVE 2022-22960 were added to CISA’s catalog of known exploited vulnerabilities (KEVs) on April 14 and April 15, 2022 respectively. CISA will continue to monitor for exploitation and will add KEVs to the BOD 22-01 catalog as they meet the thresholds defined here https://www.cisa.gov/known-exploited-vulnerabilities

Required Actions

All Federal Civilian Executive Branch agencies must complete the following actions:

By 5:00 PM EDT on Monday, May 23, 2022:

  1. Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks.
     
  2. For all instances of impacted VMware products enumerated in the required action (1) above:
     
    1. Deploy updates per VMware Security Advisory VMSA-2022-0014 available here https://www.vmware.com/security/advisories/VMSA-2022-0014.html.

      OR
       
    2. Remove from the agency network until update can be applied.

Where updates are not available due to products being unsupported by the vendor (e.g., end of service, end of life), unsupported products must be immediately removed from agency networks.

  1. Additionally, for all instances of impacted VMware products that are accessible from the internet:
    1. Assume compromise, immediately disconnect from the production network, and conduct threat hunt activities as outlined in CISA CSA available here: www.cisa.gov/uscert/ncas/alerts/aa22-138b
       
    2. Immediately report to CISA at central@cisa.dhs.gov any anomalies identified in step 3a.

Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied.

By 12:00 PM EDT on Tuesday, May 24, 2022:

  1. Report status of all instances enumerated in Required Action 1 into Cyberscope using this template.

These required actions apply to agency assets in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

For federal information systems hosted in third-party environments each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this Directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP Authorized cloud service providers and work directly with service providers that are not FedRAMP Authorized.

All other provisions specified in this Directive remain applicable.

CISA Actions

  1. CISA will continue to work with our partners to monitor for active exploitation associated with these vulnerabilities and will notify agencies and provide additional guidance, as appropriate.
     
  2. CISA will provide technical assistance to agencies who are without internal capabilities sufficient to comply with this Directive.
     
  3. By June 30, 2022, CISA will provide a report to the Secretary of Homeland Security, the National Cyber Director, the Director of the Office of Management and Budget, and the Federal Chief Information Security Officer identifying cross-agency status and outstanding issues.
     

Duration

This Emergency Directive remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action.

Additional Information

Visit https://cisa.gov/directives/ or contact the following for:

Was this webpage helpful?  Yes  |  Somewhat  |  No