Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

Accepted submission by upstart at 2020-11-23 21:47:32
News


Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending [threatpost.com]:


VMware said it does not yet have a patch for a critical privilege-escalation bug that affects its Workspace One and other products on both Windows and Linux.

The U.S. Cybersecurity and Infrastructure Security Agency is warning [cisa.gov] of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.

The critical unpatched bug is a command injection vulnerability.

In a separate VMware advisory [vmware.com], the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006 [mitre.org], the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote.

The products impacted by the vulnerability are:

  • VMware Workspace One Access (Access)
  • VMware Workspace One Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

A total of 12 product versions are impacted.

The workarounds outlined by VMware [vmware.com] are “meant to be a temporary solution only, and customers are advised to follow VMSA-2020-0027 [vmware.com] to be alerted when patches are available,” the company wrote.

Versions impacted include:

  • VMware Workspace One Access 20.10 (Linux)
  • VMware Workspace One Access 20.01 (Linux)
  • VMware Identity Manager 3.3.3 (Linux)
  • VMware Identity Manager 3.3.2 (Linux)
  • VMware Identity Manager 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

The tradeoff of the workaround is that, for each affected VMware service, configurator-managed setting changes cannot be made while the workaround is in place.

“If changes are required please revert the workaround following the instructions … make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” VMware explained.
