
VMware patches 0-day vulnerability discovered by NSA

At the end of November, VMware announced a 0-day vulnerability, CVE-2020-4006, in its products, which was discovered by NSA specialists.

Initially, the company's specialists published temporary workarounds to protect against the bug, and at the end of last week they finally released fixes.

By the way, we previously reported how VMware ESXi was hacked during the Tianfu Cup hacking competition in China.

The issue affects endpoint and identity management solutions that are widely used in corporate and government networks. The affected products are:

  • VMware Workspace ONE Access Connector (Access Connector);
  • VMware Workspace ONE Access (Access) 20.01 and 10 on Linux;
  • VMware Identity Manager (vIDM) 3.3.1, 3.3.2, 3.3.3 on Linux;
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03;
  • VMware Cloud Foundation 4.x;
  • vRealize Suite Lifecycle Manager 8.x.

After the patches were released, the NSA issued its own advisory on CVE-2020-4006, urging government agencies to deploy the fixes urgently because of ongoing attacks by Russian hackers.

Essentially, CVE-2020-4006 is a command injection vulnerability that allows an attacker to execute arbitrary commands at the OS level. However, the bug can only be used by an attacker who has already authenticated to the Workspace ONE administrative console. Given such access, the vulnerability can be exploited to gain full control over any unpatched VMware Workspace ONE system.
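To make the class of bug concrete, here is an added illustration of an OS command injection in an authenticated admin endpoint next to a hardened version. This is constructed example code, not the Workspace ONE Access code and not a description of the actual injection point in CVE-2020-4006: the diagnostic "ping" action, the hostname allow-list and the handler names are assumptions. It also shows why the authentication precondition mentioned above is not a mitigation for the injection itself.

```python
"""
Constructed illustration of an OS command-injection bug in an
authenticated admin endpoint, beside a hardened version.  The endpoint,
the `ping` diagnostic and the hostname rule are assumptions for this
example; none of it is the Workspace ONE Access code.
"""
import re
import subprocess
from typing import List

# Characters that let a shell start a second command, substitute output
# or redirect I/O.  Used here only for detection and logging.
SHELL_METACHARS = set(";|&`$()<>\n\r")

# Conservative allow-list for a hostname or IPv4 literal (assumed rule).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")


def build_command_vulnerable(host: str) -> str:
    """The bug pattern: user input concatenated into a string that is later
    handed to a shell (subprocess with shell=True, os.system, a Runtime.exec
    through /bin/sh).  Anything after ';' becomes a second command."""
    return "ping -c 1 " + host


def contains_shell_metachar(value: str) -> bool:
    """Detection helper: flags input that would change the shell's parse."""
    return any(ch in SHELL_METACHARS for ch in value)


def build_command_hardened(host: str) -> List[str]:
    """Allow-list the value and pass it as a single argv element, so it is
    never interpreted as shell syntax regardless of its characters."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def handle_diagnostic_request(host: str, authenticated: bool) -> dict:
    """Request handler combining both checks.  Authentication gates access
    to the feature; it does not make the input safe, which is why the
    allow-list check runs for authenticated callers too."""
    if not authenticated:
        return {"status": "denied", "reason": "authentication required"}
    if contains_shell_metachar(host):
        # Audit point: an authenticated account sending shell syntax is a
        # signal worth alerting on, not just a validation failure.
        return {"status": "rejected", "reason": "shell metacharacter in input"}
    try:
        argv = build_command_hardened(host)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "argv": argv}


def run_hardened(host: str) -> int:
    """Executes the hardened command without a shell.  Not exercised by the
    checks below; shown to make the shell=False/argv contract explicit."""
    completed = subprocess.run(build_command_hardened(host), shell=False,
                               capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    probe = "10.0.0.1; id"  # constructed sample input
    print("vulnerable builds :", build_command_vulnerable(probe))
    print("hardened response :", handle_diagnostic_request(probe, True))
    print("hardened response :", handle_diagnostic_request("host.example.com", True))
```

The vulnerable builder returns the string `ping -c 1 10.0.0.1; id` for the constructed input, which a shell would run as two commands; the hardened path rejects the same input before anything is executed, and for a valid hostname returns an argument vector that is run with `shell=False`. The rejection branch is also the natural place to emit an audit event, since an authenticated operator submitting shell syntax is a detection signal in its own right.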

“There are already known cases of Russian government hackers obtaining credentials from the VMware Workspace ONE dashboard and then using the latest bug in their attacks to move laterally within networks and escalate access,” said representatives of the NSA.

The hackers reportedly installed a web shell on VMware Workspace ONE and then generated SAML credentials for themselves. They then used those credentials to access and steal sensitive data from the victim companies' Microsoft ADFS servers.

The NSA does not disclose the names of the hacking groups already exploiting the bug, but warns organizations not to take the issue lightly.

Let me also remind you that the FBI and NSA discovered the Drovorub malware, created by Russian intelligence services.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
