Barracuda Networks, Inc., a leading provider of cloud-first security solutions, found a steady stream of attempts to exploit two recently disclosed VMware vulnerabilities while analyzing attacks and payloads between April and May 2022.
On April 6, VMware published a security advisory listing multiple security vulnerabilities. One of the most severe vulnerabilities in this advisory is a server-side template injection issue, CVE-2022-22954. This vulnerability allows an unauthenticated user with access to the web interface to execute arbitrary shell commands as the VMware user. The advisory also included CVE-2022-22960, a local privilege escalation vulnerability in the affected products, which attackers could chain with the first to escalate privileges after gaining initial command execution.
VMware confirmed that exploitation of these vulnerabilities in the wild was already occurring. CVE-2022-22954 has a CVSS score of 9.8, and CVE-2022-22960 has a CVSS score of 7.8.
Barracuda researchers spotted probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub. The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts.
Geographically, the majority of the attacks originated from the U.S., with most of them coming from data centers and cloud providers. While the spikes are largely from these IP ranges, there were also consistent background attempts from known bad IPs in the UK and Russia. Barracuda researchers explained that some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes.
Sharing his views on the attempts, Tushar Richabadas, Senior Product Marketing Manager, Applications and Cloud Security at Barracuda, said, “The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a web application firewall (WAF) in front of such systems, which will provide in-depth defense against zero-day attacks and other vulnerabilities, including Log4Shell.”