VMware Rolls a Fix for Formerly Critical Zero-Day Bug

vmware patch security bug

VMware has issued a full patch and revised the severity level of the NSA-reported vulnerability to “important.”

VMware has patched a zero-day bug that was disclosed in late November – an escalation-of-privileges flaw that impacts Workspace One and other platforms, for both Windows and Linux operating systems.

VMware has also revised the CVSS severity rating for the bug to “important,” down from critical.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had originally flagged the unpatched security vulnerability on Nov. 23, which affects 12 VMware versions across its Cloud Foundation, Identity Manager, vRealize Suite Lifecycle Manager and Workspace One portfolios. It was reported to the company by the National Security Agency (NSA).

Tracked as CVE-2020-4006, the bug allows command injection, according to the company’s advisory.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote in an updated advisory on Thursday.

While the bug was originally given a 9.1 out of 10 on the CVSS severity scale, further investigation showed that any attacker would need the password mentioned in the update, making it much harder to exploit effectively. Its rating is now 7.2, making it “important” rather than “critical.”

“This account is internal to the impacted products and a password is set at the time of deployment,” according to the advisory. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

The password would need to be obtained via tactics like phishing or brute forcing/credential stuffing, it added.

When the vulnerability was disclosed in November, the company issued workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006,” with the tradeoff that configurator-managed setting changes are possible while the workaround is in place. However, a full patch is now available.

The products impacted by the vulnerability are:

  • VMware Workspace One Access (Access)
  • VMware Workspace One Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Versions impacted are:

  • VMware Workspace One Access 20.01, 20.10 (Linux)
  • VMware Identity Manager 3.3.3, 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
  • VMware Cloud Foundation 4.x (Linux and Windows)
  • vRealize Suite Lifecycle Manager 8.x (Linux and Windows)

There have been no reports of exploitation in the wild.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.


Suggested articles