Vulnerability in VMWare Virtual Workspaces Targeted by Russian State-Sponsored Hackers

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning that Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working.

The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.

The flaw is a command injection in the administrative configurator component – it can easily be exploited to execute commands without restriction and to access sensitive data.

VMWare released a patch for the vulnerability on December 3, 2020, and also published guidance to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw.

This critical flaw could easily have been overlooked by admins, as the vulnerability was only given a CVSSv3 base score of 7.2/10 – a low score.

This is because a valid password is required even to exploit the flaw, but the Russian threat actors have already used stolen credentials to do so.

In attacks observed by the NSA, the hackers exploited the command injection flaw and installed a web shell; they then generated SAML authentication assertions and sent them to Microsoft Active Directory Federation Services (ADFS), which granted access to protected data.

To prevent further exploitation, administrators need to apply the patch as soon as possible. If the patch cannot be applied, it is important to ensure that strong, unique passwords are set to protect against brute-force attempts to guess them. The NSA also recommends that administrators ensure the web-based management interface is not accessible from the Internet.

However, strong and unique passwords won’t stop this flaw from being heavily exploited. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” explained the NSA. “Otherwise, SAML assertions could be forged, granting access to numerous resources.” If integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be implemented.

Recently, the NSA released a workaround that can be used to stop exploitation until the patch is applied, and suggests reviewing and hardening configurations and monitoring federated authentication providers.

Unfortunately, detecting exploitation of the vulnerability can be difficult. “Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface,” explained the NSA in the advisory. The intrusion can, however, be identified from the server log found at /opt/vmware/horizon/workspace/logs/configurator.log. The presence of an “exit” statement followed by a three-digit number in configurator.log suggests the flaw may already have been exploited.
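The log check described above, written out as a small scanner. This is an added example, not code from the NSA advisory or from VMware; the log path is the one quoted in the advisory, while the sample log lines, their timestamps and message text are constructed for illustration.

```python
"""Scan a Workspace ONE Access configurator.log for the indicator described
in the NSA advisory: an "exit" statement followed by a three-digit number."""
import re
import sys
from typing import Iterable, List, Tuple

# Default location named in the advisory.
DEFAULT_LOG = "/opt/vmware/horizon/workspace/logs/configurator.log"

# "exit" as a whole word, then exactly three digits as a whole token.
# The word boundaries reject "exited 123", "exit 1234" and "exit 12345".
EXIT_PATTERN = re.compile(r"\bexit\s+\d{3}\b", re.IGNORECASE)


def find_exit_indicators(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line text) for every line matching the indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if EXIT_PATTERN.search(line):
            hits.append((lineno, line.rstrip("\n")))
    return hits


# Constructed sample lines for a stand-alone run; the timestamps, addresses
# and message text are made up and do not reproduce real configurator.log output.
SAMPLE_LOG = """\
2020-12-04 09:11:02 INFO  configurator - admin login from 10.0.0.5
2020-12-04 09:12:17 INFO  configurator - applying configuration change
2020-12-04 09:12:18 ERROR configurator - exit 137
2020-12-04 09:12:19 INFO  configurator - process exited with code 1
2020-12-04 09:13:40 WARN  configurator - exit 1234
2020-12-04 09:14:02 ERROR configurator - Exit 200
"""


def scan_sample() -> List[int]:
    """Line numbers flagged in the constructed sample; lines 3 and 6 match."""
    return [n for n, _ in find_exit_indicators(SAMPLE_LOG.splitlines(True))]


if __name__ == "__main__":
    # Usage: python scan_configurator.py [path-to-configurator.log]
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_LOG
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, text in find_exit_indicators(fh):
            print(f"{path}:{lineno}: {text}")
```

A hit is a reason to investigate the surrounding entries and the web shell indicators in the advisory, not proof of compromise on its own.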

VMWare recommends all customers refer to VMSA-2020-0027 for information on this vulnerability.