Using Axonius to discover vulnerabilities in CISA Emergency Directive for VMware

Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive, ED 22-03, to Federal agencies to review several VMware products, and to either update or remove affected hosts from their network environments by May 23.

https://www.cisa.gov/emergency-directive-22-03

The following four (4) vulnerabilities have been identified as capable of permitting attackers to execute remote code on systems without authentication or elevated privileges:

CVE-2022-22954

CVE-2022-22960

CVE-2022-22972

CVE-2022-22973 

The following VMware products are potentially impacted by these vulnerabilities:

VMware Workspace ONE Access (Access)

VMware Identity Manager (vIDM)

VMware vRealize Automation (vRA)

VMware Cloud Foundation

vRealize Suite Lifecycle Manager

Using Axonius, you can quickly look for these CVEs by leveraging the Query Wizard and searching for ‘Vulnerable Software: CVE ID’ with the following regex string:

CVE-2022-22954|CVE-2022-22960|CVE-2022-22972|CVE-2022-22973

You can also copy and paste the Axonius Query Language into the Search bar on the Devices page:

("specific_data.data.software_cves.cve_id" == regex("CVE-2022-22954|CVE-2022-22960|CVE-2022-22972|CVE-2022-22973", "i"))

After saving the query, a field segmentation chart gives us specific counts of vulnerable systems for each CVE:

(example below does not reflect CVEs listed in the directive – sample only)

Clicking on one of the CVE bar graph values will pivot us to the Devices page, where we can drill into individual devices, navigate to the ‘Aggregated’ tab, then ‘Vulnerable Software’, and search for the specific software name and version.

(example below does not reflect CVEs listed in the directive – sample only)

Keep in mind that the CVEs for these vulnerabilities apply to the console systems of VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager; they will therefore not be found on any other device. Searching just for CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, and CVE-2022-22973 will work if a vulnerability scan is being performed and Axonius is fetching the scanned data.
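The same match and per-CVE count can be reproduced offline on exported records, which is useful for checking the query's results. This is an added example, not Axonius code: the record layout, hostnames and function names are assumptions modelled on the `software_cves.cve_id` field path in the query above, and the match is anchored because the pattern on the page has no anchors.

```python
import re
from collections import Counter

# CVE IDs named in ED 22-03, as listed on this page.
DIRECTIVE_CVES = ["CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22972", "CVE-2022-22973"]

# Same alternation as the page's regex, case-insensitive. It is applied with
# fullmatch so a longer ID such as CVE-2022-229540 is not counted as a hit.
DIRECTIVE_RE = re.compile("|".join(map(re.escape, DIRECTIVE_CVES)), re.IGNORECASE)

# Constructed sample records; the layout is an assumption, not an Axonius export format.
SAMPLE_DEVICES = [
    {"hostname": "vidm-01", "software_cves": [{"cve_id": "CVE-2022-22954"}, {"cve_id": "cve-2022-22960"}]},
    {"hostname": "vra-02", "software_cves": [{"cve_id": "CVE-2022-22972"}, {"cve_id": "CVE-2022-22972"}]},
    {"hostname": "web-03", "software_cves": [{"cve_id": "CVE-2022-229540"}]},  # longer ID, not in the directive
    {"hostname": "lcm-04", "software_cves": [{"cve_id": " CVE-2022-22973 "}, {"cve_id": None}]},
    {"hostname": "db-05", "software_cves": []},
]

def directive_hits(device):
    """Return the set of directive CVE IDs (upper-cased) reported on one device."""
    hits = set()
    for entry in device.get("software_cves") or []:
        cve_id = (entry.get("cve_id") or "").strip()  # tolerate nulls and stray whitespace
        if DIRECTIVE_RE.fullmatch(cve_id):
            hits.add(cve_id.upper())
    return hits

def segment_by_cve(devices):
    """Count devices per directive CVE (each device once per CVE) and list affected hosts."""
    counts = Counter({cve: 0 for cve in DIRECTIVE_CVES})
    affected = []
    for device in devices:
        hits = directive_hits(device)
        if hits:
            affected.append(device["hostname"])
            counts.update(hits)
    return dict(counts), affected

if __name__ == "__main__":
    counts, affected = segment_by_cve(SAMPLE_DEVICES)
    for cve, n in counts.items():
        print(f"{cve}: {n} device(s)")
    print("affected:", ", ".join(affected))
```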

If an authenticated scan is successful, you can use the advisory below to limit the Axonius search query to the specific subsystems and versions that are affected, narrowing the scope of results.

https://www.vmware.com/security/advisories/VMSA-2022-0014.html

Please contact your Technical Account Manager or reach out to support.axonius.com with additional questions.
