NSA Warns of Russian Hackers Exploiting VMWare Vulnerability

The US National Security Agency (NSA) has issued a cybersecurity alert warning that Russian state-sponsored hackers are exploiting a flaw in VMware identity management software.

Reportedly, attackers are exploiting a vulnerability tracked as CVE-2020-4006, which affects VMware endpoint and identity management products. These products are used in both enterprise and government networks.

A list of affected products:

  • VMware Workspace ONE Access (Access) 20.01 and 20.10 on Linux
  • VMware Workspace ONE Access Connector (Access Connector)
  • VMware Identity Manager (vIDM) 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • vRealize Suite Lifecycle Manager 8.x

On November 23, VMware warned its customers of a potential security risk in their software. Eleven days later, on December 4, the company released security patches.

Additionally, both VMware and NSA published risk mitigation tips and workarounds to prevent attacks.

What is CVE-2020-4006?

Researchers describe CVE-2020-4006 as a “command injection” vulnerability that allows attackers to execute OS-level commands on already compromised systems.

In other words, for this vulnerability to be exploited successfully, the attackers must already hold valid credentials for the Workspace ONE dashboard.

The targeted Workspace ONE utility is a web-based dashboard used by system administrators to manage settings on virtualized workstations. In most cases, it is reachable only from internal networks. However, to cater to all administrators’ needs, the dashboard can also be hosted over the internet, allowing authorized admins to reach workstations from other networks.

If attackers have login credentials, they can access the target networks and exploit the CVE-2020-4006 vulnerability to take full control of the unpatched system.

Although such credentials are not easy to obtain, attackers could use techniques such as phishing and brute-forcing to steal them and then proceed with the attack.

Therefore, NSA urges all government organizations to apply VMware-provided patches amid ongoing attacks.

Ongoing Attacks

According to the NSA’s advisory, despite all warnings, Russian state-sponsored hackers have exploited the vulnerability and used it to escalate access within an undisclosed organization’s network.

The attackers installed a web shell on a vulnerable VMware Workspace ONE system and then generated SAML credentials for themselves.

The newly generated credentials were then used to access and steal sensitive information from the target’s Microsoft ADFS (Active Directory Federation Services) servers.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
