VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the virtualization software and services firm said in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.
While the company said patches for the flaw are “forthcoming,” it didn’t specify an exact date by which they are expected to be released. It’s unclear if the vulnerability is under active attack.
The complete list of affected products is as follows:
- VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
- VMware Workspace One Access Connector (versions 20.10, 20.01.., and 20.01..1 for Windows)
- VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
- VMware Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
- VMware Cloud Foundation (versions 4.x for Linux and Windows)
- vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)
VMware said the workaround applies only to the administrative configurator service hosted on port 8443.
“Configurator-managed setting changes will not be possible while the workaround is in place,” the company said. “If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available.”
The advisory comes days after VMware addressed a critical flaw in ESXi, Workstation, and Fusion hypervisors that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code and escalate their privileges on the affected system (CVE-2020-4004 and CVE-2020-4005).
The vulnerability was discovered by Qihoo 360 Vulcan Team at the 2020 Tianfu Cup Pwn Contest held earlier this month in China.