How To Download Vmware


Florentina Holcombe

Jul 26, 2024, 1:05:44 AM7/26/24
to Stealth Electric Bikes

Yes, from VSA proxies to vCenter and ESXi servers, port 443 for web services and TCP/IP port 902 to ESXi servers are required. Please refer to the port requirements section in the system requirements below on the VMware BOL page.

How to configure your network for the Virtual Server Agent - YouTube, though it shows it as a required port, says that this is for VMware NFC usage, which would hint that the requirement may be transport mode dependent.

In Connecting to the Virtual Machine Console Through a Firewall (vmware.com), VMware suggests a few use cases, some inbound and some outbound, generally around communication between guests, hosts and the vCenters, and slightly different between vSphere versions.


This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties.

Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.

Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell, a publicly available webshell that includes command execution, a file manager, a database manager, and a port scanner. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.

The following sections include additional information, including IOCs and TTPs, from trusted third parties about two confirmed compromises. See the appendix for TTPs in this CSA mapped to the MITRE ATT&CK for Enterprise framework.

The trusted third party assesses that multiple threat actors (referred to as Threat Actor 1 [TA1] and Threat Actor 2 [TA2]) gained access to a public-facing server running VMware Workspace ONE Access. TA1 downloaded a malicious shell script, which they used to collect and exfiltrate sensitive data. TA2 interacted with the server (without automation or scripts) and installed multiple webshells and a reverse secure socket (SOCKS) proxy.

The GET request resulted in the server downloading the malicious shell script, 80b6ae2cea[.]sh, to the VMware Workspace ONE Access directory /usr/local/horizon/scripts/. TA1 then chained CVE-2022-22960 to the initial exploit to run the shell script with root privileges ([T1068], [TA0004]). The script was executed with the SUDO command.

The malicious script then deleted evidence of compromise [TA0005] by modifying logs to their original state and deleting files [T1070]. TA1 deleted many files and logs, including fd86ald0.pem, localhost_access logs, logs associated with the VMware Horizon application, and greenbox logs for the date of activity (April 12).

The trusted third party found two copies of the Dingo J-spy webshell (MD5 5b0bfda04a1e0d8dcb02556dc4e56e6a) in web directories: horizon_all.jsp was in the /opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/ web directory and jquery.jsp was in the /webapps/cas/static/ directory. The third party was unable to determine how and when the webshells were created. TA2 used POST requests to communicate with the Dingo J-spy webshells. The commands and output were encrypted with an XOR key [T1573.001].

On April 14, TA2 downloaded a reverse SOCKS proxy [T1090]. TA2 first sent a GET request with the CHMOD command to change the permissions of .tmp12865xax, a hidden file in the /tmp directory [T1222.002]. The actor then downloaded a binary (MD5 dc88c5fe715b5f706f9fb92547da948a) from [.]com/kost/revsocks/releases/download/v1.1.0/revsocks_linux_amd64. The binary is a reverse socks5 tunneling binary with TLS/SSL support and connects to [.]200.sslip.io.

The trusted third party observed additional threat actor activity that does not seem to be related to TA1 or TA2. On 13 April, IP address 172.94.89[.]112 attempted to connect a reverse shell on the compromised server to IP Address 100.14.239[.]83 on port 5410. The threat actor used the following command:

CISA received a related malicious Bash script for analysis from a trusted third party. The analyzed script, deployed on or around April 12, exploits CVE-2022-22960 and allows a Horizon user to escalate privileges and execute commands and scripts as a superuser (sudo). The Bash script also allows the user to collect network information and additional information.

The script overwrites the publishCaCert.hzn script on the fd86ald0.pem file and executes commands that compress a list of files containing information such as network interface configuration, list of users, passwords, masterkeys, hosts, and domains to a TAR archive. The TAR archive, located in a VMware Workspace ONE Access directory, /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/, is assigned read and write permissions for the Horizon web user and read for all users.

CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.

For VMware bundle versions, a collection of patches needed for the VMware host modules to build against recent kernels can be found from the vmware-host-modules GitHub repository. See the INSTALL document found on the repository for the most up-to-date module installation instructions for VMware Workstation versions from 12.5.5 and up.

By default, VMware writes a running guest system's RAM to a file on disk. If you are certain you have enough spare memory, you can ensure the guest OS writes its memory directly to the host's RAM by adding the following to the VM's .vmx:

VMware Paravirtual SCSI (PVSCSI) adapters are high-performance storage adapters for VMware ESXi that can result in greater throughput and lower CPU utilization. PVSCSI adapters are best suited for environments where hardware or applications drive a very high amount of I/O throughput.

If these settings are not in the virtual machine's configuration, the paravirtual SCSI adapter can still be enabled. Ensure that the paravirtual SCSI adapter is included in the kernel image by modifying the mkinitcpio.conf:

VMware offers multiple network adapters for the guest OS. The default adapter used is usually the e1000 adapter, which emulates an Intel 82545EM Gigabit Ethernet NIC. This Intel adapter is generally compatible with the built-in drivers across most operating systems, including Arch.

Arch has the vmxnet3 kernel module available with a default install. Once enabled in mkinitcpio (or if it is auto-detected; check by running `lsmod | grep vmxnet3` to see if it is loaded), shut down and change the network adapter type in the .vmx file to the following:

VMware Workstation provides the possibility to remotely manage Shared VMs through the vmware-workstation-server service. However, this will fail with the error "incorrect username/password" due to incorrect PAM configuration of the vmware-authd service. To fix it, edit /etc/pam.d/vmware-authd like this:

If you just get back to the prompt when opening the .bundle, then you probably have a deprecated or broken version of the VMware installer and it should be removed (you may also refer to the #Removal section of this article):
