For the second time in less than a week, VMware is warning about a critical vulnerability (CVE-2020-4006). This time, the affected solutions are VMware Workspace One Access, Access Connector, VMware Identity Manager and VMware Identity Manager Connector.
As some of these are components of the VMware Cloud Foundation (vIDM) and vRealize Suite Lifecycle Manager (vIDM) product suites, those are impacted as well.
About the vulnerability (CVE-2020-4006)
Not much has been shared about CVE-2020-4006, except that it’s a command injection vulnerability. A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account could exploit it to execute commands with unrestricted privileges on the underlying operating system.
The vulnerability was privately reported to VMware and the company categorized it as “critical.”
Affected products include:
- VMware Workspace One Access v20.10 (Linux)
- VMware Workspace One Access v20.01 (Linux)
- VMware Identity Manager v3.3.3 (Linux)
- VMware Identity Manager v3.3.2 (Linux)
- VMware Identity Manager v3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows)
- VMware Cloud Foundation (vIDM) v4.x (running on any platform)
- vRealize Suite Lifecycle Manager (vIDM) v8.x (running on any platform)
VMware did not say whether the flaw is under active exploitation, but it has released workarounds (and instructions on how to remove them) while it works on the patches.
“This workaround is relevant for the configurator hosted on port 8443. Impacts are limited to functionality performed by this service. Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” the company noted.
Last week, VMware patched critical flaws in its ESXi hypervisor that were exploited during the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month.
UPDATE (December 7, 2020, 9:10 a.m. PT):
VMware has re-classified CVE-2020-4006, lowering its severity. It is now deemed to be “important” (instead of “critical”) because “a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.”
That said, the NSA warns that Russian state-sponsored malicious cyber actors are actively exploiting it.
Security fixes have been released for all affected solutions, including one that has been added to the list recently – vIDM Connector for Windows (19.03.0.0, 19.03.0.1).