NSA Says Russian State Hackers Using a VMware Flaw to Ransack Networks

Tuesday December 08, @02:59AM
The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

The in-progress attacks are exploiting a security bug that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software. These vulnerabilities are the result of code that fails to filter unsafe user input such as HTTP headers or cookies. VMware patched CVE-2020-4006 after being tipped off by the NSA.

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

upstart writes in with an IRC submission:

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending:

VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One.

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.

The critical unpatched bug is a command injection vulnerability.

In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are "forthcoming" and that workarounds "for a temporary solution to prevent exploitation of CVE-2020-4006" are available.

  • (Score: 0) by Anonymous Coward on Tuesday December 08, @03:35AM (#1085119)

    For attackers to exploit the VMware flaw, they first must gain authenticated password-based access to the management interface of the device. The interface by default runs over Internet port 8443. Passwords must be manually set upon installation of software, a requirement that suggests administrators are either choosing weak passwords or that the passwords are being compromised through other means.

    VMware not secure when admin passwords are weak or leaked. Thanks Captain Obvious.

    Seriously, so what's the real flaw? The flaw makes it easier for those with admin access to pwn their machines? That could even be a feature in some cases... ;)

