Yesterday, ZDNet reported on an NSA security advisory urging organizations to update VMware products due to a vulnerability currently being exploited by "Russian state-sponsored malicious cyber actors".
The vulnerability, CVE-2020-4006, impacts VMware products often deployed in government and enterprise networks, which allow admins to manage VMs, their authentication procedures, and installed software. The products are:
- VMware Workspace One Access (Access)
- VMware Workspace One Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
VMware reported the vulnerability on November 23 and released official patches last Friday.
From the NSA Advisory:
"The products affected by this vulnerability are the VMware® Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, with specific product versions also identified in the VMware® advisory. The exploitation of this vulnerability first requires that a malicious actor have access to the management interface of the device. This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data.
NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update. In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation/compromise/attack."
From VMware:
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006. Examples of how this password could be obtained by a malicious actor are documented in T1586 of the MITRE ATT&CK database."
Daniel Trauner, Director of Security at Axonius, shared his opinion on CVE-2020-4006:
"Although it’s not your typical 10/10 severity unauthenticated code execution bug, this is still a significant finding. The NSA advisory shows that it’s equally important to patch slightly lower severity authenticated bugs because of how quickly they let you escalate privileges and pivot.
Bugs that affect central infrastructure like this, even slightly lower severity bugs that require prerequisites for authentication, are attractive and useful to adversaries because these systems are the central aggregation point for a significant portion of infrastructure. This makes pivoting easy. This is much like the MobileIron MDM vulnerability that was being actively exploited recently in that it was extremely valuable to malicious actors as an initial compromise point because of the pervasiveness of MDM.
In addition to prioritizing, patching and updating assets with known critical vulnerabilities, organizations need to make sure they are gathering detailed information about their assets — particularly those central to core infrastructure— and continually validate every asset’s adherence to their overall security policy."
How To Find Machines Impacted by CVE-2020-4006 with Axonius
Here's a short video showing how Axonius customers can identify machines impacted by CVE-2020-4006 to prioritize patching:
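The triage logic a team might apply while prioritizing patches, as an added example that is not Axonius's product code or VMware's guidance: it walks a constructed asset inventory, keeps only unpatched instances of the products listed above, and ranks higher any host whose administrative configurator port (8443, the port named in VMware's description) is reachable from a zone other than the management network. The zone labels, the `patched` flag and the inventory records are all assumptions constructed for the example; a real inventory would be pulled from the asset-management tool.

```python
"""Prioritize CVE-2020-4006 patching from an asset inventory (added example).

Assumes the inventory records, per host, the installed VMware product, whether
the vendor patch is applied, and the network zones from which tcp/8443 (the
administrative configurator port) is reachable. All records are constructed.
"""
from dataclasses import dataclass, field

# Products listed as affected in the advisory summary above.
AFFECTED_PRODUCTS = {
    "VMware Workspace One Access",
    "VMware Workspace One Access Connector",
    "VMware Identity Manager",
    "VMware Identity Manager Connector",
    "VMware Cloud Foundation",
    "vRealize Suite Lifecycle Manager",
}

CONFIGURATOR_PORT = 8443  # administrative configurator port from VMware's description


@dataclass
class Asset:
    hostname: str
    product: str
    patched: bool
    # Zones (constructed labels) that can reach tcp/8443 on this host.
    configurator_reachable_from: frozenset = field(default_factory=frozenset)


def is_affected(asset: Asset) -> bool:
    """An unpatched instance of one of the listed products."""
    return asset.product in AFFECTED_PRODUCTS and not asset.patched


def priority(asset: Asset, admin_zones: frozenset = frozenset({"mgmt"})) -> int:
    """0 = not affected; 1 = affected, configurator reachable only from admin
    zones; 2 = affected, configurator reachable from a non-admin zone."""
    if not is_affected(asset):
        return 0
    exposed_zones = asset.configurator_reachable_from - admin_zones
    return 2 if exposed_zones else 1


def triage(assets, admin_zones: frozenset = frozenset({"mgmt"})):
    """Return (priority, hostname) pairs for affected hosts, highest first."""
    ranked = [(priority(a, admin_zones), a.hostname) for a in assets]
    return sorted((r for r in ranked if r[0] > 0), key=lambda r: (-r[0], r[1]))


def sample_inventory():
    """Constructed inventory; hostnames and zones are illustrative only."""
    return [
        Asset("vidm-01", "VMware Identity Manager", False, frozenset({"mgmt", "corp"})),
        Asset("vidm-02", "VMware Identity Manager", True, frozenset({"mgmt", "corp"})),
        Asset("ws1-access-01", "VMware Workspace One Access", False, frozenset({"mgmt"})),
        Asset("vcf-01", "VMware Cloud Foundation", False, frozenset({"mgmt", "dmz"})),
        Asset("esxi-07", "VMware ESXi", False, frozenset({"mgmt"})),  # not in the list
    ]


if __name__ == "__main__":
    for prio, host in triage(sample_inventory()):
        print(f"priority {prio}: {host} (configurator port {CONFIGURATOR_PORT})")
```

The ranking reflects the prerequisite VMware describes: exploitation needs both network reach to port 8443 and the configurator admin password, so an unpatched host whose configurator is reachable from a general-purpose zone is the one to patch or mitigate first. A low rank does not mean a host is safe, since the password could already be in an attacker's hands, which is why the NSA advice to review server logs and authentication server configuration still applies to every affected host.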