CISA issues rare emergency directive as ‘critical’ cyber vulnerabilities emerge


Agencies have until Monday to mitigate vulnerabilities in five VMware products that give attackers deep access without the need to authenticate.

The Cybersecurity and Infrastructure Security Agency issued a new emergency directive today saying the vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

CISA said VMware had discovered other vulnerabilities in these products in April and released patches for them, but the ones covered by this directive are new and must be mitigated immediately. CISA said the new cyber exposures are “a server-side template injection that may result in remote code execution; escalate privileges to ‘root;’ and obtain administrative access without the need to authenticate.”
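The first of the three exposure classes CISA names, server-side template injection, comes down to one design mistake: request data is allowed to choose the template rather than only fill it in. The following is an added illustration, not code from the article, from CISA or from VMware, and it does not reproduce the VMware flaw (which lives in a different template engine). It uses Python's built-in `str.format` as a stand-in engine, a constructed `AppConfig` object holding a fake token, and hypothetical helper names (`render_vulnerable`, `render_hardened`, `template_is_static`) to show the vulnerable pattern beside the hardened one and a check that a code reviewer or linter can apply.

```python
"""Server-side template injection (SSTI), illustrated with Python's str.format.

Added example, not code from the article, from CISA or from VMware: a
constructed mini "app" showing why letting request data choose the
template (rather than only fill it) lets a client evaluate expressions on
the server, and how the hardened version confines input to data.
"""
from dataclasses import dataclass
from string import Formatter


@dataclass
class AppConfig:
    # Constructed sample secret; stands in for anything server-side that a
    # template engine can reach through object attributes.
    admin_token: str = "EXAMPLE-ADMIN-TOKEN-not-real"


CONFIG = AppConfig()


def render_vulnerable(user_supplied: str) -> str:
    """Vulnerable pattern: the request body *is* the template.

    Whatever placeholders the client writes are resolved by the formatter
    against server-side objects, so the client steers what the server
    evaluates, not merely what text is displayed.
    """
    template = "Hello, " + user_supplied + "!"
    return template.format(cfg=CONFIG)


def render_hardened(user_supplied: str) -> str:
    """Hardened pattern: the template is a fixed server-side constant and the
    request body is passed only as a *value*.  Braces in the input come out
    literally because str.format never re-parses substituted data.
    """
    template = "Hello, {name}!"
    return template.format(name=user_supplied)


def template_is_static(template: str, allowed: set[str]) -> bool:
    """Defensive check: every placeholder in a template must be a plain,
    allow-listed field name.  Attribute or index access such as
    '{cfg.admin_token}' or '{cfg[secret]}' is rejected.
    """
    for _literal, field, _spec, _conv in Formatter().parse(template):
        if field is None:
            continue  # trailing literal text, no placeholder
        if field not in allowed:
            return False
    return True


if __name__ == "__main__":
    benign = "Alice"
    probe = "{cfg.admin_token}"  # constructed probe: an attribute path, not a name
    print(render_vulnerable(benign))   # Hello, Alice!
    print(render_vulnerable(probe))    # leaks the constructed server-side token
    print(render_hardened(probe))      # Hello, {cfg.admin_token}!  (braces kept literal)
    print(template_is_static("Hello, {name}!", {"name"}))             # True
    print(template_is_static("Hello, {cfg.admin_token}!", {"name"}))  # False
```

The mitigation is the same whatever engine is in use: templates are code and must be authored server-side, user input is data and goes in through the engine's substitution mechanism only, and a review rule such as `template_is_static` catches the pattern before it ships. Vendor patches, as in the directive, fix the specific product; this is the pattern to look for in one's own code.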

VMware called the vulnerability “critical” in a posting on its website, giving it a score of 9.8 out of 10.

VMware issued patches for the new vulnerabilities today as well.

“When a security researcher finds a vulnerability it often draws the attention of other security researchers, who bring different perspectives and experience to the research. VMware recognizes that additional patches are inconvenient for IT staff, but we balance that concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks,” the company wrote in a blog post.

CISA is asking agencies to report the status of their patching efforts back to it by May 24 using the Cyberscope tool.

“These required actions apply to agency assets in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise maintains agency information,” CISA wrote. “For federal information systems hosted in third-party environments each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP Authorized or otherwise) and obtaining status updates pertaining to, and to ensure compliance with, this directive. Agencies should work through the FedRAMP program office to obtain these updates for FedRAMP Authorized cloud service providers and work directly with service providers that are not FedRAMP Authorized.”

This is the 10th emergency directive CISA has issued since January 2019 and the second one this fiscal year. It released the first one in December for agencies to patch the Log4J vulnerability.

Over the last few months, CISA has tried to shift away from issuing emergency directives. Instead, in November it issued a binding operational directive requiring agencies to patch all known vulnerabilities in hardware and software listed on the CISA-managed catalog: within 90 days or less for new exposures, and within six months for existing ones dating from 2017 to 2020.

In this latest emergency directive, however, CISA judged the risk to agency systems so dire that it required immediate action.