Russian state-sponsored hackers exploit vulnerability in VMware Workspace ONE

The US National Security Agency (NSA) is warning organizations to patch or take mitigation steps to close a vulnerability in several VMware products that Russian state-sponsored hackers are exploiting to hijack authentication tokens and access sensitive data on other systems.

The vulnerability, tracked as CVE-2020-4006, is a command injection flaw in the web-based administrative configurator of VMware Workspace ONE Access, VMware Workspace ONE Access Connector, VMware Identity Manager (vIDM), VMware Identity Manager Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager. An attacker with network access to the configurator and a valid password for its admin account can execute commands with unrestricted privileges on the underlying operating system, which is why the flaw was rated as requiring authentication rather than being remotely exploitable by anyone.

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the NSA said in its advisory Monday.

VMware vulnerability mitigation 

The NSA reported the vulnerability to VMware, which released patches for the affected products last week. The company also published a temporary workaround that can be applied manually to both Linux and Windows-based deployments; it works by disabling the configurator service, so settings managed through the configurator cannot be changed while it is in place. The workaround must be reverted before the patches are applied.

The NSA also recommends restricting access to port 8443, which serves the administrative configurator, to a small set of trusted systems, and never exposing the interface directly to the internet.
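One way to enforce that restriction on a Linux appliance, as an added example that is not from the article, VMware or the NSA: generate an iptables allow-list for TCP/8443 from a list of trusted admin networks, review it, apply it only when explicitly asked, and then verify from the live ruleset that a catch-all DROP for the port is actually present. The CIDRs and the `iptables` host are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the article, VMware or NSA): allow-list TCP/8443, the
# Workspace ONE Access / vIDM administrative configurator port, to trusted sources.
# Assumes a Linux host with iptables. Rules are emitted as text and only executed
# when APPLY=1, so they can be reviewed first.
ADMIN_PORT=8443

# Accept that a source looks like an IPv4 address or IPv4/prefix, nothing else.
valid_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Emit the rules for the trusted CIDRs given as arguments: one ACCEPT per
# source, then a logged DROP for every other client of the port.
# Exits non-zero without emitting anything if any argument is malformed.
build_8443_rules() {
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  done
  for cidr in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$ADMIN_PORT" "$cidr"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j LOG --log-prefix "vidm-8443-deny "\n' "$ADMIN_PORT"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$ADMIN_PORT"
}

# Print the rules, or run them when APPLY=1 (needs root).
apply_8443_rules() {
  if [ "${APPLY:-0}" = "1" ]; then
    build_8443_rules "$@" | sh -e
  else
    build_8443_rules "$@"
  fi
}

# Read an `iptables -S INPUT` listing from stdin and succeed only if the last
# rule that mentions the admin port is a DROP, i.e. the allow-list is closed.
# Use as: iptables -S INPUT | ruleset_closes_8443
ruleset_closes_8443() {
  grep -E -- "--dport $ADMIN_PORT( |$)" | tail -n 1 | grep -q -- '-j DROP$'
}

# Demo: print the rules for two placeholder admin networks (constructed values).
if [ "${1:-}" = "--demo" ]; then
  apply_8443_rules 10.10.0.0/24 192.168.50.10/32
fi
```

The ordering matters: `-A` appends, so an earlier blanket ACCEPT in INPUT would still win; check with `iptables -S INPUT | ruleset_closes_8443` after applying, and put the rules ahead of any such rule if the check fails.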

Detecting exploitation attempts by inspecting network traffic is hard because the vulnerable interface is accessed over encrypted TLS connections, so the attackers' requests are not visible to traffic inspection systems unless TLS is terminated in front of the appliance. However, artifacts left in the server logs can indicate the system was exploited, and those logs should be collected and reviewed on any exposed instance.
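As an added example (not from the article, VMware or the NSA), the following script runs the log-based check the NSA advisory describes for this flaw: an `exit` statement followed by a three-digit number, such as `exit 123`, appearing in the configurator log. The default log path and the sample log lines are assumptions constructed for the demonstration, not real product output.

```shell
#!/bin/sh
# Added example (not from the article, VMware or NSA): hunt a Workspace ONE Access /
# vIDM configurator log for the exploitation indicator from the NSA advisory,
# an "exit" statement followed by exactly three digits (e.g. "exit 123").
# Default log path is an assumption; override with CONFIGURATOR_LOG=/path.
CONFIGURATOR_LOG="${CONFIGURATOR_LOG:-/opt/vmware/horizon/workspace/logs/configurator.log}"

# Print every line of the given file that carries the indicator.
# "exit" must stand alone (not "preexit"), be followed by whitespace and exactly
# three digits, and not by a fourth digit, so "exit 0" and "exit 1234" do not match.
scan_configurator_log() {
  grep -E '(^|[^[:alnum:]_])exit[[:space:]]+[0-9]{3}([^0-9]|$)' "$1"
}

# Number of suspicious lines in the file; "0" when the log is clean.
count_indicators() {
  scan_configurator_log "$1" | wc -l | tr -d ' '
}

# Write a constructed sample log (not real product output) to the given path.
make_sample_log() {
  cat > "$1" <<'EOF'
2020-12-07 10:01:12 INFO  Configurator started
2020-12-07 10:02:45 INFO  Admin login from 10.0.0.5
2020-12-07 10:03:10 WARN  command completed: exit 123
2020-12-07 10:03:11 INFO  session exit 1234 ignored
2020-12-07 10:05:00 INFO  normal exit 0
2020-12-07 10:06:30 INFO  preexit 456 cleanup
EOF
}

# Demo against the constructed sample; otherwise scan the real log when asked.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  echo "suspicious lines: $(count_indicators "$tmp")"
  scan_configurator_log "$tmp"
  rm -f "$tmp"
elif [ "${1:-}" = "--scan" ]; then
  if scan_configurator_log "$CONFIGURATOR_LOG"; then
    echo "indicator found in $CONFIGURATOR_LOG; treat host as potentially compromised" >&2
    exit 2
  fi
fi
```

A hit is a trigger for incident response on that host (web shell hunting, review of ADFS and SAML activity), not proof of compromise by itself; an absence of hits does not clear a host whose logs may have been truncated or rotated.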

Copyright © 2020 IDG Communications, Inc.
