VMware fixes zero-day vulnerability reported by the NSA

Posted by & filed under Security Alerts.

VMware has released security updates to address a zero-day vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerability is a command injection bug tracked as CVE-2020-4006 and publicly disclosed two weeks ago.

While it did not issue any security updates at the time it disclosed the zero-day, VMware provided a workaround to help admins mitigate the bug on affected devices.

If successfully exploited, the vulnerability enables attackers to escalate privileges and execute commands on the host Linux and Windows operating systems.

The full list of VMware product versions affected by the zero-day includes:

  • VMware Workspace One Access 20.01, 20.10 (Linux)
  • VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 /, (Windows)

Zero-day reported by the NSA

While initially, the company didn’t disclose the identity of the organization or researcher who reported the vulnerability, VMware acknowledged the US Defense Department’s intelligence agency contribution in an update to the security advisory made on Thursday.

VMware also lowered the bug’s CVSSv3 base score to 7.2/10 and the maximum severity rating from ‘Critical’ to ‘Important.’

CVE-2020-4006 exists in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the advisory explains.

“This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

Threat actors can obtain the password needed to exploit the vulnerability using techniques documented in the MITRE ATT&CK database.

Security updates available

VMware released security updates that fully mitigate the vulnerability on devices running one of the affected products.

Information on patch deployment steps, expected changes, and how to confirm that the patch has been applied are available within the patch files.

Links to download security updates for CVE-2020-4006 are available in the table embedded below.

Affected product Patch
VMware Workspace ONE Access 20.10
VMware Workspace ONE Access 20.01
VMware Identity Manager 19.03
VMware Identity Manager
VMware Identity Manager 3.3.3
VMware Identity Manager 3.3.2
VMware Identity Manager 3.3.1

DHS-CISA encouraged admins and users on Thursday to apply the patch issued by VMware to thwart attackers’ attempts to take over vulnerable systems.

Admins who can’t immediately download and deploy the patch can still use the temporary workaround that fully removes the attack vector on impacted systems and prevents CVE-2020-4006 exploitation.

Details on how to implement and revert the workaround on Linux-based appliances and Windows-based servers are available HERE.

However, once the workaround is applied, “configurator-managed setting changes will not be possible” as VMware explains.


The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.