After VMware released security updates for CVE-2020-4006 last week, the National Security Agency (NSA) is now warning that Russian state-sponsored actors are exploiting unpatched systems to deploy web shells and steal information. The vulnerability was initially rated as “critical”, but VMware lowered the severity rating to “important” after releasing a patch and due to the exploit requiring valid credentials for the configurator account. Affected VMware products include:
- VMware Workspace One Access 20.01, 20.10 (Linux)
- VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
- VMware Cloud Foundation 4.x
- VMware vRealize Suite Lifecycle Manager 8.x
Attacks involving CVE-2020-4006 have involved threat actors connecting to the exposed web-based management interface of the vulnerable products and installing web shells through command injection. If successful, the actors would then steal sensitive data using SAML credentials and attempt to gain access to Microsoft Active Directory Federation Services (ADFS) servers.
Binary Defense urges organizations running the listed vulnerable versions of VMware products to update as soon as possible. VMware has provided a list of patches for each product in a security advisory. For those unable to patch, a workaround has also been provided, though it should not be treated as a permanent solution. In addition to applying the patch or workaround, access to the web-based management interface should be restricted so that it is not externally accessible. If external access is needed, it should be provided through a VPN.
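The following is an added example written for this page, not code from Binary Defense, the NSA or VMware. It gives a defender two checks for the last recommendation above: a TCP probe that reports whether the management interface answers from the machine running the script (run it from an external vantage point to confirm the interface is not internet-facing), and an allowlist evaluation that flags source addresses hitting the admin port from outside the networks a restriction policy permits, such as a VPN client pool. The admin port number (8443, as stated in VMware's own advisory for these products), the hostnames and the network ranges are assumptions or constructed sample values; replace them with your own.

```python
"""
Added example: defender-side exposure and allowlist checks for the
web-based management interface of the affected VMware products.
"""
import ipaddress
import socket

# Assumption: the configurator admin interface listens on TCP 8443, as
# described in VMware's advisory. Adjust if your deployment differs.
ADMIN_PORT = 8443

# Constructed sample policy: only the VPN client pool and an internal
# management network may reach the admin interface.
ALLOWED_MGMT_NETWORKS = ["10.8.0.0/24", "192.168.100.0/24"]


def is_port_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout.

    Any socket error (refused, timed out, unresolvable name) counts as
    not reachable from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(hosts, port=ADMIN_PORT, timeout=2.0):
    """Map each host to whether its management port answers from here."""
    return {host: is_port_reachable(host, port, timeout) for host in hosts}


def is_allowed_source(source_ip, allowed_networks=ALLOWED_MGMT_NETWORKS):
    """True if source_ip falls inside one of the permitted management networks."""
    addr = ipaddress.ip_address(source_ip)
    return any(
        addr in ipaddress.ip_network(net, strict=False) for net in allowed_networks
    )


def evaluate_access_attempts(attempts, allowed_networks=ALLOWED_MGMT_NETWORKS):
    """Return the attempts whose source address is outside the permitted networks.

    attempts: iterable of (source_ip, description) tuples, for example
    parsed from firewall or reverse-proxy logs for the admin port.
    """
    return [
        (ip, desc)
        for ip, desc in attempts
        if not is_allowed_source(ip, allowed_networks)
    ]


if __name__ == "__main__":
    # Constructed sample hostnames; replace with your own appliance addresses.
    sample_hosts = ["vidm-connector.example.internal", "workspace-one.example.internal"]
    for host, reachable in check_exposure(sample_hosts, timeout=1.0).items():
        print(f"{host}:{ADMIN_PORT} reachable from here: {reachable}")

    # Constructed sample of source addresses observed connecting to the admin port.
    sample_attempts = [
        ("10.8.0.17", "VPN client"),
        ("203.0.113.45", "unknown external address"),
    ]
    for ip, desc in evaluate_access_attempts(sample_attempts):
        print(f"ALERT: admin-port access from outside permitted networks: {ip} ({desc})")
```

The probe only tells you whether the port answers from where the script runs, so the meaningful result comes from running it outside the perimeter; a reachable admin port from there means the interface is still internet-facing regardless of patch status. The allowlist check is the policy a firewall or reverse proxy in front of the interface should enforce, expressed in code so it can be run over historical connection records as well.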