Share this article on:
The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working.
The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.
The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data.
VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw.
The flaw may not have been given priority by system administrators as it was only rated by VMWare as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10 assigned to the flaw. The relatively low severity rating is because a valid password must be supplied to exploit the flaw and the account is internal to the impacted products. However, as the NSA explained, the Russian threat actors are already exploiting the flaw using stolen credentials.
In attacks observed by the NSA, the hackers exploited the command injection flaw, installed a web shell, followed by malicious activity where SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), granting access to protected data.
The best way of preventing exploitation is to apply the VMWare patch as soon as possible. If it is not possible to apply the patch, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to crack passwords. The NSA also recommends administrators ensure the web-based management interface is not accessible over the Internet.
Strong passwords will not prevent the flaw from being exploited and will not provide protection if the flaw has already been exploited. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” explained the NSA. “Otherwise, SAML assertions could be forged, granting access to numerous resources.” If integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be implemented.
The NSA has published a workaround that can be used to prevent exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication providers.
Unfortunately, detecting exploitation of the vulnerability can be difficult. “Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface,” explained the NSA in the advisory. The intrusion can, however, be identified from server logs that can be found at /opt/vmware/horizon/workspace/logs/configurator.log. The present of an exit statement followed by a three-digit number within the configurator.log suggests the flaw may already have been exploited.
VMWare recommends all customers refer to VMSA-2020-0027 for information on this vulnerability.