The NSA warns that Russian government-sponsored attackers are exploiting a serious VMware vulnerability. This is the second NSA warning about Russian government-sponsored activity in 2020. An analysis by Satnam Narang, Staff Research Engineer, Security Response at Tenable.
The vulnerability was reported to VMware by the NSA; VMware published details in security advisory VMSA-2020-0027 on November 23rd. At that point no patches were available, although VMware had provided a number of workarounds.
The analysis
CVE-2020-4006 is a command injection security vulnerability in the administrative configurator component in certain versions of VMware products. Affected products include:
- VMware Workspace One Access (Access)
- VMware Workspace One Access Connector
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
There are two prerequisites for exploiting the VMware vulnerability:
- First, an attacker needs network access to the configurator component, which is normally reached via port 8443
- Second, an attacker must have valid administrator credentials in order to log in to the configurator
While these requirements may appear to be an obstacle to possible exploitation, the NSA has reported that state-sponsored Russian actors have successfully exploited this vulnerability in the wild as a zero-day.
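The first prerequisite above is network reachability of the configurator on port 8443, so one defensive check is to audit firewall rules for any source outside the management network that may reach that port on a host running an affected product. The following is an added example (not Tenable's or VMware's code); the rule format, host inventory and the management CIDR are constructed for illustration.

```python
"""Flag firewall rules that expose the VMware configurator port (TCP 8443)
on affected hosts to sources outside the management network.

Added example; rule tuples, inventory and the management CIDR are
constructed, not taken from any real environment.
"""
import ipaddress

CONFIGURATOR_PORT = 8443                                  # port named in the advisory summary
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")           # assumed admin-only network

# Constructed inventory: hosts running products from the affected list
AFFECTED_HOSTS = {
    "10.20.1.5": "VMware Workspace One Access",
    "10.20.1.6": "VMware Identity Manager Connector",
    "10.20.1.7": "vRealize Suite Lifecycle Manager",
}

# Constructed rules: (source CIDR, destination host, destination port, action)
RULES = [
    ("10.10.0.0/24",   "10.20.1.5", 8443, "allow"),   # admin net only: fine
    ("0.0.0.0/0",      "10.20.1.6", 8443, "allow"),   # Internet-wide: finding
    ("192.168.5.0/24", "10.20.1.7", 8443, "allow"),   # user LAN: finding
    ("0.0.0.0/0",      "10.20.1.5", 443,  "allow"),   # end-user port, out of scope
    ("0.0.0.0/0",      "10.20.1.7", 8443, "deny"),    # deny rules are never findings
]


def exposed_rules(rules, hosts, mgmt_net, port=CONFIGURATOR_PORT):
    """Return (host, product, source) for every allow rule that lets a source
    not fully contained in mgmt_net reach `port` on an affected host.
    Evaluation is order-independent: any matching allow counts, which is
    conservative for a first-match firewall."""
    findings = []
    for src, dst, dport, action in rules:
        if action != "allow" or dport != port or dst not in hosts:
            continue
        src_net = ipaddress.ip_network(src)
        if not src_net.subnet_of(mgmt_net):
            findings.append((dst, hosts[dst], src))
    return findings


if __name__ == "__main__":
    for host, product, src in exposed_rules(RULES, AFFECTED_HOSTS, MGMT_NET):
        print(f"EXPOSED: {product} at {host}: port {CONFIGURATOR_PORT} reachable from {src}")
```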
Access to protected data
According to the NSA advisory, state-sponsored Russian threat actors used this vulnerability to install a web shell (a malicious script that enables remote management) on vulnerable systems. That foothold lets the threat actors reach protected data by sending forged Security Assertion Markup Language (SAML) authentication assertions to Microsoft Active Directory Federation Services (ADFS). The full analysis, including the evidence, can be found in the English blog post.
More on this at Tenable.com
About Tenable
Tenable is a Cyber Exposure company. Over 24,000 companies worldwide trust Tenable to understand and reduce cyber risk. The creators of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into, and secures, any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.