CISA issues rare emergency directive as ‘critical’ cyber vulnerabilities emerge

Agencies have until Monday to mitigate vulnerabilities in five VMware products that allow attackers deep access without needing to authenticate.

The Cybersecurity and Infrastructure Security Agency today issued a new emergency directive stating that vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.


“These vulnerabilities pose an unacceptable security risk to the federal network,” CISA Director Jen Easterly said in a statement. “CISA issued this emergency directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge all organizations, large and small, to follow the lead of the federal government and take similar steps to protect their networks.”

CISA said VMware first disclosed vulnerabilities in these products in April and released patches, but these are new ones that agencies need to mitigate immediately. CISA said the new exposures allow an attacker to carry out “server-side template injection that can lead to remote code execution; elevate privileges to ‘root;’ and gain administrative access without needing to authenticate.”

VMware called the vulnerability “critical” in a posting on its website, giving it a score of 9.8 out of 10.

VMware also released patches for the new vulnerabilities today.

“When a security researcher discovers a vulnerability, it often attracts the attention of other security researchers, who bring different perspectives and experiences to the research. VMware recognizes that additional patches are inconvenient for IT staff, but we balance this concern with a commitment to transparency, keeping our customers informed and ahead of potential attacks,” the company wrote in a blog post.

CISA is asking agencies to report the status of their remediation efforts to it by May 24 using the CyberScope tool.

“These required actions apply to agency assets in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates or otherwise preserves agency information,” CISA wrote. “For federal information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments (FedRAMP cleared or otherwise) and obtaining status updates pertaining to … Agencies should go through the FedRAMP program office to obtain these updates for FedRAMP-accredited cloud service providers and work directly with non-FedRAMP-accredited service providers.”

It’s the 10th emergency directive CISA has issued since January 2019 and the second of this fiscal year. CISA released the first one in December, requiring agencies to fix the Log4j vulnerability.

In recent months, CISA has tried to move away from issuing emergency directives. Instead, it issued a binding operational directive in November requiring agencies to patch all known exploited hardware and software vulnerabilities in the CISA-managed catalog within 90 days or less for new entries and within six months for existing ones from 2017 to 2020.

In this latest emergency directive, however, CISA determined that the vulnerability in agency systems was so severe that it required immediate action.