A vulnerability that VMware recently patched in several of its products is being actively exploited: Russian state-sponsored threat actors are leveraging it to install malware on corporate systems and access protected data, the National Security Agency (NSA) warned on Monday.
The vulnerability is tracked as CVE-2020-4006 and was originally assigned a CVSS score of 9.1 out of a maximum of 10. It was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation. It affects VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector for Windows and Linux.
The development comes two weeks after VMware publicly disclosed the flaw. In late November, VMware published temporary workarounds to address the issue, stating that permanent patches were "forthcoming." It wasn't until December 3rd that the command-injection bug was fully patched.
An attacker who can reach the configurator's web-based management interface (TCP port 8443 by default) and authenticate to it can exploit the vulnerability to execute arbitrary commands with elevated privileges on the underlying operating system. The prerequisite of valid configurator admin credentials is what lowered the CVSS score; it does not lower the impact once those credentials are in hand.
In an advisory published on Monday, the NSA said “Russian state-sponsored malicious cyber actors” have been exploiting CVE-2020-4006, but it has not shared any information on the group (or groups) that launched the attacks or any of the targets. Based on the disclosure timeline, it’s likely that the security hole was being exploited before a patch was released.
The NSA did say that the vulnerability has been exploited as part of an attack that resulted in the attackers gaining access to sensitive data.
“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the NSA said in its advisory.
SAML, or Security Assertion Markup Language, is an open, XML-based standard for exchanging authentication and authorization data between identity providers and service providers to enable single sign-on (SSO). In the chain the NSA describes, Workspace ONE Access is the identity provider and ADFS is the relying party: ADFS trusts assertions signed with the identity provider's key, so an attacker with OS-level control of the identity provider host can mint assertions for any user, and ADFS has no way to tell them from legitimate ones.
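The following is an added example, not code from the article, VMware or the NSA. It shows why the relying-party checks a service such as ADFS performs (signature, issuer, validity window, audience) all pass for an assertion forged by someone holding the identity provider's signing key, and why changing the configurator admin password does not change that outcome. Assumptions: real SAML uses XML-DSig with the identity provider's RSA certificate; an HMAC over the assertion XML stands in for that signature so the example runs with only the standard library. The entity IDs, key values and user names are constructed for illustration.

```python
"""
Added example: SAML trust between an identity provider (IdP) and a relying
party (SP), and what a forged assertion looks like from the SP's side.
Not code from the article, VMware or the NSA. HMAC stands in for XML-DSig;
all identifiers and keys below are constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-ins for the IdP's private signing key and the entity IDs
# the two sides use to identify each other.
IDP_SIGNING_KEY = b"idp-signing-key-2020"
IDP_ENTITY_ID = "https://idp.example.com/SAAS/API/1.0/GET/metadata/idp.xml"
SP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"


def sign(assertion_xml: str, key: bytes) -> str:
    """Keyed digest standing in for an XML-DSig signature over the assertion."""
    return hmac.new(key, assertion_xml.encode(), hashlib.sha256).hexdigest()


def build_assertion(subject: str, issued_at: datetime, key: bytes,
                    issuer: str = IDP_ENTITY_ID, audience: str = SP_ENTITY_ID):
    """Mint an assertion the way the IdP does (or anyone who holds its key)."""
    assertion_id = "_" + hashlib.sha1(f"{subject}{issued_at}".encode()).hexdigest()
    not_before = issued_at - timedelta(minutes=1)
    not_on_or_after = issued_at + timedelta(minutes=5)
    xml = (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0" ID="{assertion_id}" '
        f'IssueInstant="{issued_at.strftime(TS)}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before.strftime(TS)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TS)}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"</saml:Assertion>"
    )
    return xml, sign(xml, key)


def validate(xml: str, signature: str, now: datetime,
             trusted_key: bytes = IDP_SIGNING_KEY,
             trusted_issuer: str = IDP_ENTITY_ID,
             expected_audience: str = SP_ENTITY_ID) -> str:
    """The checks a relying party performs. Returns 'ok' or the failing check."""
    if not hmac.compare_digest(sign(xml, trusted_key), signature):
        return "bad signature"
    root = ET.fromstring(xml)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TS).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):
        return "outside validity window"
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        return "wrong audience"
    return "ok"


def demo() -> dict:
    """Legitimate, forged and post-rotation cases; returns each outcome."""
    now = datetime(2020, 12, 7, 12, 0, 0, tzinfo=timezone.utc)
    results = {}

    # 1. Normal SSO: the IdP signs an assertion for a user who really logged in.
    xml, sig = build_assertion("alice@example.com", now, IDP_SIGNING_KEY)
    results["legitimate"] = validate(xml, sig, now)

    # 2. Attacker with a web shell on the IdP host reads the signing key and mints
    #    an assertion for a privileged user who never authenticated. Every SP-side
    #    check passes; this is the step the NSA describes against ADFS.
    forged_xml, forged_sig = build_assertion("domain-admin@example.com", now, IDP_SIGNING_KEY)
    results["forged_with_idp_key"] = validate(forged_xml, forged_sig, now)

    # 3. Attacker without the key: the signature check is what the trust rests on.
    xml2, bad_sig = build_assertion("domain-admin@example.com", now, b"guessed-key")
    results["forged_without_key"] = validate(xml2, bad_sig, now)

    # 4. Changing the configurator admin password does not affect case 2 at all.
    #    The forged assertion is rejected only once the SP stops trusting the
    #    compromised key (modelled here as the SP trusting a rotated key).
    results["forged_after_key_rotation"] = validate(
        forged_xml, forged_sig, now, trusted_key=b"idp-signing-key-rotated")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28s} -> {outcome}")
```

The point for responders is in case 4: because the relying party's checks are all satisfied by a signature under the identity provider's key, credentials and assertions minted during the compromise stay valid until the trust anchor itself changes, which is why a new admin password alone is not a cleanup.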
The agency noted that setting a unique, strong password for the configurator admin account, and ensuring that the web-based management interface is not reachable from the internet, reduce the risk of exploitation. It cautioned, however, that a strong password "would likely not mitigate an existing compromise": an attacker who has already planted a web shell and used the host's identity-provider role to mint SAML assertions keeps that access until the intrusion is cleaned up, not merely until the password changes.