Russian state actors exploiting VMware bug to hijack data, users warned

VMware users should take immediate action to patch a serious vulnerability – assigned CVE-2020-4006 – affecting multiple products, which is being actively exploited by Russian state-backed malicious actors targeting critical systems.

The command injection vulnerability was first disclosed by the US National Security Agency (NSA) and affects VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

To exploit it, malicious actors need to have password-based access to the web-based management interface of the target system – which is not necessarily hard to obtain.

Once attackers have access to the administrative configurator and a valid password, exploitation via command injection then leads to the installation of a web shell from where they can generate credentials in the form of security assertion markup language (SAML) authentication assertions. These forged credentials can, in turn, be used to access protected data.

“NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update,” the agency said in its advisory notice.

“In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation, compromise [or] attack.”

The NSA said the advisory emphasised the importance for defence sector system administrators to apply supplier-provided patches in a timely fashion. It did not specifically name any specific actors or Russian agencies involved in the exploitation of CVE-2020-4006.

VMware confirmed the vulnerability, which has been evaluated to be of “important” severity, and has already released a number of fixes and workarounds, which can be accessed at its website.

The supplier acknowledged the work of the NSA in uncovering and reporting the vulnerability.

Although NSA cyber security advisories are in general aimed at within the US government, military and defence sector, the importance of patching to any worldwide user of the affected VMware products cannot be understated.

This is particularly true during the extended period of mass remote working during the Covid-19 pandemic, that has seen a great many organisations pivot their IT estates towards the cloud and, for many, this will bring an increased reliance on services from the likes of VMware, particularly the identity and access management (IAM) products affected by the vulnerability.