NSA Warns: Patched VMware Bug Under Active Attack

NSA Warns: Unpatched VMware Bug Under Active Exploit

Feds are warning that adversaries are exploiting a weeks-old bug in VMware’s Workspace One Access and VMware Identity Manager products.

Active attacks against a flaw in VMware’s Workspace One Access continue, three days after the vendor patched the vulnerability and urged customers to fix the bug (classified as a zero-day at the time). Now the U.S. National Security Agency (NSA) has escalated concerns and on Monday warned that foreign adversaries have zeroed in on exploiting – specifically VMware’s Workspace One Access and its Identity Manager products.

Those VMware products are two of 12 impacted by a command-injection vulnerability, tracked as CVE-2020-4006, and patched on Friday. At the time, VMware said there were no reports of exploitation in the wild.

According to the NSA, Russian-state threat actors are now leveraging the vulnerability to launch attacks to pilfer protected data and abuse shared authentication systems.

“The exploitation(s), via command injection, led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” wrote the NSA in its security bulletin (PDF).

SAML stands for Security Assertion Markup Language, which is a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”

VMware originally disclosed the vulnerability in late November – identifying it as an escalation-of-privileges flaw that impacts Workspace One Access and other platforms, for both Windows and Linux operating systems. A total of 12 product versions are impacted the flaw.

On Friday, VMware urged customers to update affected systems to the latest version as soon as possible to mitigate the issue. On Monday, the NSA urged IT security teams to review and harden configurations and monitoring of federated authentication providers. Details regarding a number of workaround mitigations are described by the NSA (PDF) and VMware.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote in an updated advisory last week.

At the time VMware revised the CVSS severity rating for the bug from “critical” to “important.” It explained, an attacker would need prior-knowledge of a password associated with the use of one of the products to exploit the vulnerability.

The password would need to be obtained via tactics such as phishing or brute forcing/credential stuffing, it wrote.

The Department of Homeland Security’s US-CERT, on Monday, also updated an existing security bulletin regarding the bug. However, the agency did not attribute  the attacks to any specific group.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles