Russian state hackers have been exploiting a vulnerability found in VMware products including virtual workspaces, according to a cybersecurity advisory issued today by the National Security Agency.
The VMware vulnerability, tracked as CVE-2020-4006 and rated 7.2 on the Common Vulnerability Scoring System (CVSS), was disclosed and patched last week. According to the NSA advisory, threat actors are using the vulnerability to access protected data and abuse federated authentication. The advisory urges National Security Systems (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) network administrators to apply the vendor-provided patches as soon as possible.
The vulnerability affects the Windows and Linux versions of several VMware remote-work products, including VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. Exploitation first requires that a malicious actor have access to the management interface of the device, according to the advisory.
"This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data," the advisory said.
Because password-based access to the web-based management interface of the device is required to exploit the VMware vulnerability, the NSA said using a stronger password lowers the risk of exploitation. "This risk is lowered further if the web-based management interface is not accessible from the internet," the advisory said.
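One way to verify the second mitigation the NSA describes, that the management interface is not reachable from the internet, is to attempt a TCP connection to it from a vantage point that should never be able to reach it (an external host or an untrusted network segment). The script below is an added example, not code from the NSA advisory, VMware or the original article. It assumes the administrative configurator listens on TCP port 8443, the port VMware's statement later in this story names, and it uses a constructed local listener as a stand-in so that the demo runs offline:

```python
"""Exposure check for a VMware Workspace ONE Access administrative configurator.

Added example, not from the NSA advisory, VMware or the original article.
Assumptions: the configurator listens on TCP 8443 (per VMware's statement in
this story); target hosts are supplied by the operator; the script is run from
a vantage point that should NOT be able to reach the interface.
"""
import socket
import sys
from typing import Dict, Iterable

# Port of the administrative configurator named in VMware's statement.
CONFIGURATOR_PORT = 8443


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Connection refused, a filtered/timed-out connect and an unresolvable
    name all count as unreachable; any of them means the interface is not
    exposed from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hosts(hosts: Iterable[str], port: int = CONFIGURATOR_PORT,
                timeout: float = 3.0) -> Dict[str, str]:
    """Map each host to 'EXPOSED' (port reachable from here) or 'UNREACHABLE'."""
    return {
        host: ("EXPOSED" if port_reachable(host, port, timeout) else "UNREACHABLE")
        for host in hosts
    }


def demo_listener() -> socket.socket:
    """Constructed stand-in for an exposed configurator: a local TCP listener
    on an ephemeral port (the kernel completes handshakes from the backlog, so
    no accept loop is needed). Caller closes it to simulate a blocked port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        # Real run: python check_configurator.py vidm.example.com 203.0.113.10
        for host, verdict in check_hosts(targets).items():
            print(f"{host}:{CONFIGURATOR_PORT} {verdict}")
    else:
        # Offline demo against the constructed local listener.
        srv = demo_listener()
        open_port = srv.getsockname()[1]
        print("listener up:   ", check_hosts(["127.0.0.1"], port=open_port))
        srv.close()
        print("listener down: ", check_hosts(["127.0.0.1"], port=open_port))
```

Run it from outside the management network against the hostnames or addresses of each Workspace ONE Access, Identity Manager or connector appliance; any "EXPOSED" result means the configurator can be reached from a place where only patching and a strong, unique admin password stand between an attacker and OS-level command execution. A reachable port from inside the management network is expected and is not a finding by itself.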
VMware first published a security advisory for the command injection vulnerability Dec. 3, crediting the NSA for reporting it. "VMware has evaluated this issue to be of 'Important' severity, with a maximum CVSSv3 base score of 7.2," the advisory said. A patch was made available.
In today's statement about the VMware vulnerability, the NSA advised government organizations to update affected systems to the latest version as soon as possible, according to VMware's instructions. A workaround is also available but provides only a temporary fix until the system is fully patched. While the alert emphasizes the importance for government agencies to patch and update, it does not mention enterprises.
"NSA does not publicly share details on victims of foreign malicious cyber activity," wrote Neal Ziring, cybersecurity technical director at the NSA, in an email to SearchSecurity. "Any organization that uses the affected products should take prompt action to apply the vendor-released patch."
VMware did not respond to a request for comment as of press time.
UPDATE 12/7: A VMware spokesperson sent SearchSecurity the following statement after the publication of this story: "VMware has responded to a new security issue related to the on-premises versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, as identified in a Cybersecurity Advisory from the U.S. National Security Agency. With this vulnerability, a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. The issue is described by CVE-2020-4006. As is our practice, upon notification of the issue, VMware has worked to assess this issue, and has provided the appropriate updates and patches to mitigate this issue.
"Ensuring customer security is our top priority. VMware strongly encourages all customers to please visit VMSA-2020-0027 as the centralized source of information for this issue. Customers should also sign up on our Security-Announce mailing list to receive new and updated VMware Security Advisories. Additionally, as a matter of best practice, VMware encourages all customers to apply the latest product updates, security patches and mitigations made available for their specific environment and contact their third-party operating system vendor to determine additional appropriate actions."
The NSA alert is the latest warning about advanced persistent threat actors exploiting high-profile vulnerabilities shortly after they are disclosed and patched. In October, the Cybersecurity and Infrastructure Security Agency released a statement saying hackers had exploited the Netlogon flaw to attack government networks. Patches had already been released for two of the flaws used in those attacks, Netlogon and a Fortinet VPN vulnerability, before the attacks took place. Netlogon, a critical flaw rated the maximum CVSS severity of 10, had already been exploited in the wild, yet it remained unpatched on many systems, leaving them open to attack.