Because of lockdown measures, remote work and schooling have become the norm for hundreds of millions of people around the world. That said, the shift was already underway before 2020, and many apps and services focus on providing distance-work features. As with any technology that achieves mainstream success, there are bad actors who want to exploit the people using it, and some of those threat actors are state sponsored. According to an advisory from the U.S. National Security Agency, Russian state-sponsored hacking groups are targeting remote workers. Specifically, the NSA says these groups are exploiting a vulnerability in several of VMware's enterprise-grade remote-work products. VMware's own bulletin, issued last week, provides information on the patches that close the flaw. In its advisory, CISA confirmed VMware's patches: “VMware has released security updates to address a vulnerability—CVE-2020-4006—in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker could exploit this vulnerability to take control of an affected system.”
Patches Available
All of the affected products are identity and access management components: VMware Identity Manager, its successor VMware Workspace One Access, and their connectors. VMware rates the vulnerability “Important” rather than “Critical”: “VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator.” The rating reflects the preconditions: an attacker needs network access to the password-protected, web-based configurator and a valid password for its admin account. “A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006. Examples of how this password could be obtained by a malicious actor are documented in T1586 of the MITRE ATT&CK database.” VMware advises customers to install the patches. Because both preconditions must hold, two interim controls follow directly from the advisory: limit which networks can reach port 8443 on the appliance, and protect the configurator admin password set at deployment, since possession of that password is what turns an authenticated configuration change into command execution as root.
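To make the class of bug concrete, here is an added illustration of what a command injection in an administrative configurator looks like and how it is closed. This is example code written for this page, not VMware's code: the real configurator's internals are not described in the advisory, so the handler below (a hypothetical "check this NTP host" action that shells out, with `echo` standing in for the real command) and the sample inputs are constructed. It assumes a POSIX `/bin/sh`. The vulnerable form interpolates the admin-supplied value into a shell string; the hardened form validates against an allow-list and passes the value as a single argv element with no shell, so metacharacters are inert even if validation were missing.

```python
import re
import subprocess

# Constructed sample inputs (not from the advisory): a legitimate hostname and one
# carrying shell metacharacters, as an authenticated configurator admin might submit.
LEGIT_HOST = "pool.ntp.org"
INJECTED_HOST = "pool.ntp.org; echo INJECTED"

# Allow-list for hostnames/IPv4: letters, digits, dots, hyphens; no spaces or shell metacharacters.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def is_valid_hostname(host: str) -> bool:
    """Return True only if the whole value matches the hostname allow-list."""
    return HOSTNAME_RE.fullmatch(host) is not None


def vulnerable_check_host(host: str) -> str:
    """Vulnerable pattern: the admin-supplied value is spliced into a shell command line.
    The configurator runs as root, so anything after ';' runs as root too.
    (Hypothetical handler; 'echo' stands in for whatever the real service would run.)"""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


def run_argv_check_host(host: str) -> str:
    """Second layer of the fix: argv list with shell=False. The value is one argument;
    ';' and friends are ordinary characters here, never a command separator."""
    return subprocess.run(["echo", "resolving", host], capture_output=True, text=True, check=True).stdout


def hardened_check_host(host: str) -> str:
    """First layer (allow-list) plus second layer (argv, no shell)."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return run_argv_check_host(host)


def try_hardened(host: str) -> tuple:
    """Helper for callers that want a (accepted, output_or_reason) pair instead of an exception."""
    try:
        return True, hardened_check_host(host)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Vulnerable path: second line of output proves the injected command ran.
    print(repr(vulnerable_check_host(INJECTED_HOST)))
    # Argv path: the whole payload is echoed back literally; nothing extra executes.
    print(repr(run_argv_check_host(INJECTED_HOST)))
    # Hardened path: the payload never reaches a process at all.
    print(try_hardened(INJECTED_HOST))
    print(try_hardened(LEGIT_HOST))
```

Both layers matter: the allow-list stops bad values at the boundary, and the argv form means a gap in the allow-list (say, a later field that legitimately accepts spaces) cannot become code execution. Note that the hardened version still does exactly what the advisory's attacker needs a password for: it trusts the caller to be an authenticated admin, which is why protecting that credential and the network path to port 8443 remains part of the defence.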