The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.
The critical unpatched bug is a command injection vulnerability.
In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote.
The products impacted by the vulnerability are:
- VMware Workspace One Access (Access)
- VMware Workspace One Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
A total of 12 product versions are impacted.
Workarounds outlined by VMware are “meant to be a temporary solution only, and customers are advised to follow VMSA-2020-0027 to be alerted when patches are available,” wrote the company.
Versions impacted include:
- VMware Workspace One Access 20.10 (Linux)
- VMware Workspace One Access 20.01 (Linux)
- VMware Identity Manager 3.3.3 (Linux)
- VMware Identity Manager 3.3.2 (Linux)
- VMware Identity Manager 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
The workaround tradeoff, once implemented, is that in each of the VMware services, configurator-managed setting changes will not be possible while the workaround is in place.
“If changes are required please revert the workaround following the instructions … make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” VMware explained.