Recently disclosed CVE-2020-4006 VMware zero-day was reported by NSA

VMware addressed CVE-2020-4006 zero-day flaw in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

VMware has finally released security updates to fix the CVE-2020-4006 zero-day flaw in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

At the end of November, VMware only has released a workaround to address the critical zero-day vulnerability that affects multiple VMware Workspace One components. VMware Workspace ONE allows to simply and securely deliver and manage any app on any device. The flaw is a command injection bug that could be exploited by attackers to execute commands on the host Linux and Windows operating systems using escalated privileges.

“VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator. VMware has evaluated the this issue to be of Critical severity with a maximum CVSSv3 base score of 9.1.” reads the security advisory published by the virtualization giant.

Affected versions are:

• VMware Workspace One Access 20.10 (Linux)
• VMware Workspace One Access  20.01 (Linux)
• VMware Identity Manager 3.3.1 up to 3.3.3 (Linux)
• VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
• VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

The Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory on the CVE-2020-4006 zero-day flaw.

“VMware has released workarounds to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.” reads the CISA’s advisory.

At the time of the public disclosure of the flaw, VMware did not reveal the identity of the organization or researcher who reported the vulnerability. Now the virtualization giant confirmed that the zero-day vulnerability was reported by the US intelligence agency NSA.

VMware downplayed the severity of the bug to 7.2/10 score rating the issue from ‘Critical’ to ‘Important.’

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the advisory explains.

“This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

Below the list of updates for CVE-2020-4006 provided by the company.

Affected product	Patch
VMware Workspace ONE Access	20.10
VMware Workspace ONE Access	20.01
VMware Identity Manager	19.03
VMware Identity Manager	19.03.0.1
VMware Identity Manager	3.3.3
VMware Identity Manager	3.3.2
VMware Identity Manager	3.3.1

DHS-CISA published an alert to encourage admins and users to install the security updates released by VMware to prevent CVE-2020-4006 exploitation.

“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review VMware Security Advisory VMSA-2020-0027.2 and apply the necessary updates.” states the advisory published by CISA.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]