VMware has released security updates to address a zero-day vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
The vulnerability is a command injection bug tracked as CVE-2020-4006 and publicly disclosed two weeks ago.
While it did not issue any security updates at the time it disclosed the zero-day, VMware provided a workaround to help admins mitigate the bug on affected devices.
If successfully exploited, the vulnerability enables attackers to escalate privileges and execute commands on the host Linux and Windows operating systems.
The full list of VMware product versions affected by the zero-day includes:
- VMware Workspace One Access 20.01, 20.10 (Linux)
- VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
Zero-day reported by the NSA
While initially, the company didn’t disclose the identity of the organization or researcher who reported the vulnerability, VMware acknowledged the US Defense Department’s intelligence agency contribution in an update to the security advisory made on Thursday.
VMware also lowered the bug’s CVSSv3 base score to 7.2/10 and the maximum severity rating from ‘Critical’ to ‘Important.’
CVE-2020-4006 exists in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the advisory explains.
“This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”
Threat actors can obtain the password needed to exploit the vulnerability using techniques documented in the MITRE ATT&CK database.
Security updates available
VMware released security updates that fully mitigate the vulnerability on devices running one of the affected products.
Information on patch deployment steps, expected changes, and how to confirm that the patch has been applied are available within the patch files.
Links to download security updates for CVE-2020-4006 are available in the table embedded below.
|VMware Workspace ONE Access||20.10|
|VMware Workspace ONE Access||20.01|
|VMware Identity Manager||19.03|
|VMware Identity Manager||19.03.0.1|
|VMware Identity Manager||3.3.3|
|VMware Identity Manager||3.3.2|
|VMware Identity Manager||3.3.1|
DHS-CISA encouraged admins and users on Thursday to apply the patch issued by VMware to thwart attackers’ attempts to take over vulnerable systems.
Admins who can’t immediately download and deploy the patch can still use the temporary workaround that fully removes the attack vector on impacted systems and prevents CVE-2020-4006 exploitation.
Details on how to implement and revert the workaround on Linux-based appliances and Windows-based servers are available HERE.
However, once the workaround is applied, “configurator-managed setting changes will not be possible” as VMware explains.