Hackers Exploiting VMWare

This week, the NSA released an announcement saying, “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication.” This vulnerability is tracked as CVE-2020-4006 (7.2 CVSS score), which was issued on 23 November 2020 but updated recently with VMware’s patch release on 3 December 2020.

The issue can be tracked as VMware’s advisory VMSA-2020-0027.2. The advisory lists the impacted products as: VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

Exploitation is via command injection, which leads to installation of a web shell that allows further malicious activity. Exploitation, however, requires both knowledge of the password and access to the management interface. Strong passwords and keeping the web-based management interface inaccessible from the internet mitigate the issue. Although patching is the recommended solution, workarounds such as disabling the configurator service can put a temporary fix in place until patching can be accomplished.

The release notes that detection methods are unlikely to identify this exploit, since the compromise activity occurs exclusively inside a TLS tunnel to the web interface. Indicators in system logs can suggest a compromise may have occurred; one such indicator is an exit statement followed by a 3-digit number, such as “exit 123”.
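A small log check for the indicator just described, added here as an example and not taken from the NSA release or VMware advisory: it scans log lines for an “exit” followed by exactly three digits and reports the matching lines. The sample log lines and their layout are constructed assumptions, not real appliance output.

```python
import re
from typing import List, Tuple

# Indicator from the release: an "exit" statement followed by a three-digit
# number (e.g. "exit 123"). Word boundaries keep ordinary status lines such as
# "exit 0" or "exit 1", and longer numbers like "exit 4567", from matching.
EXIT_INDICATOR = re.compile(r"\bexit\s+(\d{3})\b")

# Constructed sample log lines for the walk-through (not real appliance logs).
SAMPLE_LOG = """\
2020-12-03 10:14:01 INFO  configurator service started
2020-12-03 10:15:22 INFO  helper process finished with exit 0
2020-12-03 10:16:05 INFO  exit 123
2020-12-03 10:16:06 WARN  job exited, exit 1
2020-12-03 10:17:40 INFO  timer fired, exit 4567
2020-12-03 10:18:11 INFO  exit 404 returned by helper
"""


def find_exit_indicators(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, exit_code, stripped_line) for every line that
    contains an "exit NNN" statement with exactly three digits."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = EXIT_INDICATOR.search(line)
        if match:
            hits.append((lineno, match.group(1), line.strip()))
    return hits


if __name__ == "__main__":
    for lineno, code, line in find_exit_indicators(SAMPLE_LOG):
        print(f"line {lineno}: exit {code} -> {line}")
```

A hit is only a lead for triage, not proof of compromise; the release itself says the indicator merely suggests a compromise may have occurred.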

The VMware advisory also provides a direct reference to its knowledge base, with a matrix covering all the impacted products, patches, versions, workarounds, etc.

This article has highlighted two things that will likely never change. First, you need to stay patched and current; it’s the best way to be proactive and prevent a compromise in any system. Second, the human factor will always be vulnerable, be it spear-phishing or brute-force attacks on weak user passwords. Do everything you can to educate, and when that fails, clean and disable bad links and enforce policy that deters users from making bad choices. You’ve read these countless times before here… but we can’t tell you any more. Go do it.

Sources:

CSA_VMWARE ACCESS_U_OO_195076_20.PDF (defense.gov)

VMSA-2020-0027.2 (vmware.com)

NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks (thehackernews.com)