VMware Rolls a Fix for Formerly Critical Zero-Day Bug

  • VMware has issued a full patch and revised the severity rating of the NSA-reported vulnerability to “important.”

    VMware has patched a zero-day bug that was disclosed in late November – an escalation-of-privileges flaw that affects Workspace One and other platforms, for both Windows and Linux operating systems.

    VMware has also revised the CVSS severity score for the bug to “important,” down from critical.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had originally flagged the unpatched security vulnerability on Nov. 23, which affects 12 VMware versions across its Cloud Foundation, Identity Manager, vRealize Suite Lifecycle Manager and Workspace One portfolios. It was reported to the company by the National Security Agency (NSA).

    Tracked as CVE-2020-4006, the bug allows command injection, according to the company’s advisory.

    “A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote in an updated advisory on Thursday.

    Though the bug was initially given a 9.1 out of 10 on the CVSS severity scale, further investigation confirmed that any attacker would need to have the password mentioned in the update, making it significantly harder to exploit successfully. Its rating is now 7.2, making it “important” rather than “critical.”

    “This account is internal to the impacted products and a password is set at the time of deployment,” according to the advisory. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

    The password would need to be obtained through methods like phishing or brute forcing/credential stuffing, it added.

    When the vulnerability was disclosed in November, the company issued workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006,” with the tradeoff that configurator-managed setting changes are not possible while the workaround is in place. Now, however, a full patch is available.

    The products impacted by the vulnerability are:

    • VMware Workspace One Access (Access)
    • VMware Workspace One Access Connector (Access Connector)
    • VMware Identity Manager (vIDM)
    • VMware Identity Manager Connector (vIDM Connector)
    • VMware Cloud Foundation
    • vRealize Suite Lifecycle Manager

    Versions impacted are:

    • VMware Workspace One Access 20.01, 20.10 (Linux)
    • VMware Identity Manager 3.3.3, 3.3.2, 3.3.1 (Linux)
    • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
    • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
    • VMware Cloud Foundation 4.x (Linux and Windows)
    • vRealize Suite Lifecycle Manager 8.x (Linux and Windows)

    There have been no reports of exploitation in the wild.
