Attackers associated with the Russian government are exploiting a recently disclosed vulnerability in the VMware Workspace One enterprise management platform, and the NSA is warning government agencies and other likely targets to update their affected systems as soon as possible.
The vulnerability (CVE-2020-4006) is a command-injection flaw that was disclosed in late November, at which point no patch was available for it. Exploiting the flaw could give an attacker the ability to run arbitrary commands on the underlying operating system. VMware did issue a fix for the vulnerability on Thursday, but NSA said in an advisory Monday that attackers have been exploiting the bug in the interim. “Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication. VMware released a patch for the Command Injection Vulnerability captured in CVE-2020-4006 on December 3rd 2020,” the advisory says.
“NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers.”
The NSA advisory did not specify which group of Russian attackers is targeting the VMware vulnerability, but that’s of less importance than the fact that the exploitation activity is happening. The vulnerable VMware products are popular in enterprise environments and security teams should prioritize installing the updates as quickly as possible. There are a couple of mitigating factors for this vulnerability, with the most important one being that an attacker needs authenticated access to the target product.
“Password-based access to the web-based management interface of the device is required to exploit the vulnerability, so using a strong and unique password lowers the risk of exploitation. The risk is lowered further if the web-based management interface is not accessible from the Internet,” the NSA advisory says.
The vulnerability affects VMware Workspace One components running on Linux and Windows, and is rated as Important rather than Critical because exploitation requires a valid password on the target system.
Interestingly, the NSA itself reported the vulnerability to VMware.