
SoylentNews is people

posted by Fnord666 on Tuesday November 24 2020, @02:42AM

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending:

VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One.

The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.

The critical unpatched bug is a command injection vulnerability.

In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are "forthcoming" and that workarounds "for a temporary solution to prevent exploitation of CVE-2020-4006" are available.



  • (Score: 5, Insightful) by Runaway1956 on Tuesday November 24 2020, @04:01AM (1 child)

    by Runaway1956 (2926) on Tuesday November 24 2020, @04:01AM (#1080890)

    Everything comes down to remote administration, right? Given remote access, and a valid password, VMWare can be leveraged to take over the host machine.

    Known Attack Vectors

    A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.

    Basically, it's the old theme of centralize, automate, connect via the internet, cut personnel, then wonder why the infrastructure is so vulnerable to passing hackers.

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 0) by Anonymous Coward on Tuesday December 08 2020, @03:38AM

      by Anonymous Coward on Tuesday December 08 2020, @03:38AM (#1085120)

      This sounds like a potential feature too, I mean if you're already admin, does this allow you to "recover access" to machines that you've lost access to? :)

  • (Score: 0) by Anonymous Coward on Tuesday November 24 2020, @06:33PM (1 child)

    by Anonymous Coward on Tuesday November 24 2020, @06:33PM (#1081040)

    anyone who uses vmware (gpl violating scum) deserves to be compromised.

    • (Score: 0) by Anonymous Coward on Tuesday November 24 2020, @10:06PM

      by Anonymous Coward on Tuesday November 24 2020, @10:06PM (#1081110)

      Yeah, but their product that violates the GPL isn't one of the affected products.

      Seriously though, in a certain space, there isn't much choice. We use vmware at my work. There is no way that most folks there would be ok with switching to something like KVM. Even with a user friendly skin like Proxmox, you still don't have much in the way of support from backup software vendors, etc. So, it is really a choice between vmware or microsoft. Even with their gpl violations, vmware is the better choice of the two.

      But, agreed that vmware is a shitty company for the way they handled the gpl violation issue (among other reasons).
