VMware Critical Zero Day Command Injection Vulnerability CVE-2020-4006

Imechapishwa: Nov 26, 2020 12:57

Advisory No:

Source:

Software Affected:

Overview

Description

Advisory No: TZCERT/SA/2020/11/26

Date of First Release: 26th November 2020

Source: VMware

Software Affected: 

  • VMware Workspace One Access    20.10 (Linux)
  • VMware Workspace One Access    20.01 (Linux)
  • VMware Identity Manager    3.3.3 (Linux)
  • VMware Identity Manager    3.3.2 (Linux)
  • VMware Identity Manager    3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

Overview:

The vulnerability exists in multiple VMware products that allow a malicious actor with network access to execute commands with unrestricted privileges.

Description:

The vulnerability is caused by failure to prevent privilege escalation when a malicious actor with network access and valid admin password of administrative configurator via port 8443 execute commands with unrestricted privileges on the underlying operating system.

Impact:

Successful exploitation of the vulnerability could allow an adversary to take control of the affected system.

Solution:

VMware has not released updates to address this vulnerability; however, the workaround has been released to fully remove the attack vector on the affected systems and prevent the exploitation. This workaround applies ONLY to VMware Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector.

Users of the affected systems are advised to implement the following workaround;

Implement Workaround for Linux-based appliances

  1. Use SSH to connect to the affected appliance using “sshuser” credentials.
  2. Switch to root by typing su followed by root password.
  3. Run the following commands:

cd /opt/vmware/horizon/workspace

mkdir webapps.tmp

mv webapps/cfg webapps.tmp

mv conf/Catalina/localhost/cfg.xml webapps.tmp

service horizon-workspace restart

Implement Workaround for Windows-based servers

  1. Log in to affected servers as Administrator.
  2. Open a Command Prompt window and run the following commands:

net stop "VMwareIDMConnector"

cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace

mkdir webappstmp

move webapps\cfg webappstmp

move conf\Catalina\localhost\cfg.xml webappstmp

net start "VMwareIDMConnector"

References:

  1. https://kb.vmware.com/s/article/81731
  2. https://www.vmware.com/security/advisories/VMSA-2020-0027.html

Impact

Solution

References

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio