The National Security Agency (NSA) has issued a security alert to all government agencies to patch their systems against a vulnerability in VMware products. It said that Russian state-sponsored groups are attacking these vulnerable systems which let them install web shells and steal data ultimately.
Patch Available For the VMware Vulnerability
The issues as defined by NSA are in VMware products, to which the vendor has already passed patch updates earlier this month, after disclosing it a couple of weeks before it. But since the NSA tracks continuing attacks against some agencies, it asked them to apply the patches.
More specifically, it asked the network administrators of the “National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB)” to mitigate the vulnerability. When asked for the specifics of the Russian groups that are attacking, NSA denied detailing them.
The vulnerability is tracked as CVE-2020-4006 and affects the following VMware products;
- VMware Workspace One Access 20.01, 20.10 (Linux)
- VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
- VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
- VMware Cloud Foundation 6 4.x
- VMware vRealize Suite Lifecycle Manager 7 8.x
VMware has initially suggested some workarounds for safeguarding the until the patch, which NSA too has recommended trying. But since the official patch is available, it now urges admins to update their products to patched versions to avoid being attacked.
They detailed that attackers start exploiting this vulnerability by initially connecting to the exposed web-based management interface of vulnerable VMware products, and installing the web shells through a command injection.
They then use the SAML credentials to gain access to Microsoft Active Directory Federation Services (ADFS) servers and ultimately steal sensitive data. Thus, NSA suggested following the securing SAML assertions and multi-factor authentication of Microsoft.
Further, it suggested checking the server logs in case of any suspicion to find out if they have been infected, instead of the network indicators. Also, trying workarounds in Linux and Windows servers is suggested too.
While this vulnerability has received the maximum severity score when disclosed, it was reduced to ‘Important’ after VMware released the patch. This is because VMware said the attackers need a valid password to exploit them.