VMware Products Under Active Attack Through a Critical Zero-Day Vulnerability


Dec 7, 2020 | By Obaid R | 2 min read

VMware has released security updates to fix a critical vulnerability that is being exploited in the wild. According to the advisory, CVE-2020-4006 is a command injection bug, and attackers can take control of the system once it is exploited. This fix supersedes an initial workaround released by VMware in late November, which was a temporary mitigation offered while the company prepared a permanent fix for the bug. Affected products include VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector running on either Windows or Linux platforms.

CVE-2020-4006 Details

According to advisory VMSA-2020-0027.2:

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system”

Although an attacker must already hold valid credentials to execute commands (credentials that could be obtained by other means, such as brute force), VMware updated the CVSS 3.x severity rating for this CVE from "critical" to "important" for the reason above: the configurator admin password itself is needed to proceed.

NSA released a security bulletin which states:

“The exploitation via command injection led to the installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”

NSA also stressed the importance of properly configuring the servers that perform authentication, for both secure operation and secure integration. Otherwise, SAML assertions could be forged, granting access to numerous resources. SAML stands for Security Assertion Markup Language, an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

Affected Software and OS

Affected products according to VMware advisory VMSA-2020-0027.2:

  • VMware Workspace One Access 20.01, 20.10 (Linux)
  • VMware Identity Manager 3.3.3, 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
  • VMware Cloud Foundation 4.x (Linux and Windows)
  • vRealize Suite Lifecycle Manager 8.x (Linux and Windows)

Solution

VMware has already released a patch to fix this critical vulnerability in the wake of exploitation in the wild. VMware advises updating affected systems to the latest version as soon as possible. SanerNow's software deployment capability can be used to install the required executables and scripts.
