Wednesday, December 16, 2020

Hackers Exploiting VMware

This week, the NSA released an announcement saying, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” This vulnerability is tracked as CVE-2020-4006 (7.2 CVSS score), which was issued on 23 November 2020 but updated recently with VMware’s patch release on 3 December 2020.

The issue can be tracked as VMware’s advisory VMSA-2020-0027.2. The advisory lists the impacted products as: VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Exploitation is via command injection, which leads to installation of a web shell that allows further malicious activity. Exploitation, however, requires both password knowledge and access. Strong passwords and keeping the web-based management interface inaccessible from the internet mitigate the issue. Although patching is the recommended solution, workarounds such as disabling the configurator service can put a temporary fix in place until patching can be accomplished.

The release notes that detection methods are unlikely to identify this exploit, since the compromise activity occurs exclusively inside a TLS tunnel for the web interface. Indicators in system logs can suggest that a compromise may have occurred; such an indicator can look like an exit statement followed by a 3-digit number, like “exit 123”.
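The log indicator described above, as an added example (not code from the NSA release or from VMware): a Python scan for an `exit` statement followed by exactly three digits. The sample lines and their format are constructed, and the log file to scan is whatever path you pass on the command line.

```python
import re
import sys

# "exit" as a whole word followed by exactly three digits, e.g. "exit 123".
# Built from the article's description; this is not a vendor-supplied signature.
EXIT_INDICATOR = re.compile(r"(?<![\w-])exit\s+(\d{3})(?!\d)")


def find_exit_indicators(lines):
    """Return (line_number, code, text) for every occurrence of the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in EXIT_INDICATOR.finditer(line):
            hits.append((number, match.group(1), line.rstrip("\n")))
    return hits


# Constructed sample lines (hypothetical format, not real product output).
SAMPLE_LOG = [
    "2020-12-01 10:02:11 INFO  config saved by admin",
    "2020-12-01 10:02:14 ERROR command failed: exit 123",
    "2020-12-01 10:03:40 INFO  worker exited 200 ms after start",
    "2020-12-01 10:04:02 WARN  child process exit 1",
    "2020-12-01 10:05:17 ERROR command failed: exit 4567",
    "2020-12-01 10:06:55 ERROR script returned; exit 042",
]


def main(argv):
    # With file arguments: scan each file and return 1 if anything matched.
    if len(argv) > 1:
        status = 0
        for path in argv[1:]:
            with open(path, errors="replace") as handle:
                for number, code, text in find_exit_indicators(handle):
                    print(f"{path}:{number}: exit {code}: {text}")
                    status = 1
        return status
    # Without arguments: run over the constructed sample.
    for number, code, text in find_exit_indicators(SAMPLE_LOG):
        print(f"sample:{number}: exit {code}: {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A match is a lead for review rather than proof of compromise; one- and four-digit codes and words such as "exited" are deliberately not reported.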

The VMware advisory also provides a direct reference to the company's knowledge base, in a matrix addressing all the impacted products, patches, versions, workarounds, etc.

This article has highlighted two things that will likely never change. First, you need to stay patched and current; it’s the best way to be proactive and prevent a compromise in any system. Second, the human factor will always be vulnerable, be it spear-phishing or brute force attacks on weak user passwords. Do everything you can to educate and, when that fails, clean and disable bad links and enforce policy that deters users from making bad choices. You’ve read these countless times before here… but we can’t tell you anymore. Go do it.



VMSA-2020-0027.2

NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks