VMware fixes zero-day vulnerability reported by the NSA – BleepingComputer

VMware has released security updatesto address a zero-day vulnerability inVMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerabilityis a command injection bug tracked asCVE-2020-4006 and publicly disclosed two weeks ago.

While it did not issue any security updates at the time it disclosed the zero-day, VMware provided a workaround to help admins mitigatethe bug on affected devices.

If successfully exploited, the vulnerabilityenables attackers to escalate privileges and execute commands on the host Linux and Windows operating systems.

The full list of VMware product versions affected by thezero-day includes:

While initially, the company didn't disclose the identity of the organization or researcher who reported the vulnerability, VMware acknowledged the US DefenseDepartment'sintelligence agency contribution in an update to the security advisory made on Thursday.

VMware also lowered the bug'sCVSSv3 base score to 7.2/10 and the maximum severity rating from 'Critical' to 'Important.'

CVE-2020-4006 exists intheadministrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the advisory explains.

"This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006."

Threat actors can obtain the password needed to exploit the vulnerability using techniques documented in the MITRE ATT&CK database.

VMware released security updates that fully mitigate the vulnerability on devices running one of the affected products.

Information onpatch deployment steps, expected changes, and how to confirm that the patch has been applied are available within the patch files.

Links to download security updates forCVE-2020-4006 are available in the table embedded below.

DHS-CISAencouragedadmins and users on Thursday to apply the patchissued by VMware to thwart attackers' attempts to take over vulnerable systems.

Admins who can't immediately download and deploy the patch can still use the temporary workaroundthat fully removes the attack vector on impacted systems and prevents CVE-2020-4006 exploitation.

Details on how to implement and revert the workaroundonLinux-based appliances andWindows-based servers are available HERE.

However, once the workaround is applied, "configurator-managed setting changes will not be possible" asVMware explains.

More:
VMware fixes zero-day vulnerability reported by the NSA - BleepingComputer

Related Posts

Comments are closed.