The National Security Agency released a Cybersecurity Advisory concerning VMware products. According to the NSA’s Advisory, Russian state-sponsored actors have been exploiting a vulnerability in VMware software to access protected data on affected systems.
VMware released a patch for the command injection vulnerability tracked as CVE-2020-4006 on December 3rd. NSA also noted that exploiting the vulnerability requires password-based access to the device's web-based management interface, so using strong, unique passwords lowers the risk, as does keeping the interface inaccessible from the Internet.
Affected products
- VMware Workspace ONE Access (Access) 20.01 and 20.10 on Linux
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM) 3.3.1, 3.3.2, and 3.3.3 on Linux
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation 4.x
- vRealize Suite Lifecycle Manager 8.x
NSA also stated that it encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers, and it published workarounds for the vulnerability in the advisory. The advisory also notes:
“Since the server requires that passwords be intentionally chosen upon installation, there are no known default passwords. Setting the password to a strong unique password would make it more difficult to exploit, but would likely not mitigate an existing compromise.
It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”