Vulnerability in VMware Virtual Workspaces Targeted by Russian State-Sponsored Hackers

by | Dec 11, 2020

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning that Russian state-sponsored hacking groups are targeting a vulnerability in VMware virtual workspaces used to support remote working.

The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems.

The flaw is a command injection vulnerability in the administrative configuration component. It can easily be exploited to execute commands without restriction and to access sensitive and important data.

VMware released a patch to correct the vulnerability on December 3, 2020, and also published information to help network defenders identify networks that have already been compromised, along with steps to eradicate threat actors who have already exploited the flaw.

This critical flaw could easily have been overlooked by admins, as it was only rated with a CVSS v3 base score of 7.2 out of 10, a low score.

This is because a valid password is required to exploit the flaw, but Russian threat actors have already used stolen credentials to access it.

In attacks observed by the NSA, the hackers exploited the command injection flaw and installed a web shell. This was followed by malicious activity in which SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), granting access to protected data.

To prevent further exploitation, administrators need to apply the patch as soon as possible. If it is not possible to apply the patch, it is important to ensure that strong, unique passwords are set to protect against brute force attempts to crack passwords. The NSA also recommends that administrators ensure the web-based management interface is not accessible over the Internet.

However, strong and unique passwords won’t stop this flaw from being heavily exploited. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” explained the NSA. “Otherwise, SAML assertions could be forged, granting access to numerous resources.” If integrating authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for securing SAML assertions. Multi-factor authentication should also be implemented.

Recently, the NSA released a solution that could be used to stop exploitation, at least until the patch is applied, and suggests reviewing and hardening configurations and monitoring federated authentication providers.

Unfortunately, detecting exploitation of the vulnerability can be difficult. “Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface,” explained the NSA in the advisory. The intrusion can, however, be identified from server logs that can be found at /opt/vmware/horizon/workspace/logs/configurator.log. The presence of an exit statement followed by a three-digit number within the configurator.log suggests the flaw may already have been exploited.
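The log check described above can be scripted. The following is an added example, not code from the NSA advisory or from VMware: the sample log lines are constructed, the real configurator.log layout may differ, and the function names are hypothetical.

```python
import gzip
import re
import sys
from pathlib import Path

# Indicator from the article: "exit" followed by a three-digit number.
# \b and the (?!\d) guard keep "exiting 200" and "exit 4567" from matching.
EXIT_INDICATOR = re.compile(r"\bexit\s+(\d{3})(?!\d)")

def scan_lines(lines):
    """Return (line_number, code, line) for every line carrying the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = EXIT_INDICATOR.search(line)
        if match:
            hits.append((number, match.group(1), line.rstrip("\n")))
    return hits

def scan_file(path):
    """Scan a plain or gzip-rotated log; undecodable bytes are replaced, not fatal."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as handle:
        return scan_lines(handle)

# Constructed sample lines (assumption: not the product's actual log format).
SAMPLE = [
    "2020-12-01 10:02:11,412 INFO  (tomcat-http--12) Configurator started",
    "2020-12-01 10:05:43,090 ERROR (tomcat-http--14) command failed: exit 123",
    "2020-12-01 10:06:02,551 INFO  (tomcat-http--14) worker exiting 200 tasks left",
    "2020-12-01 10:07:19,007 WARN  (tomcat-http--15) process returned exit 1",
    "2020-12-01 10:09:30,218 ERROR (tomcat-http--16) sh: exit 4567 ignored",
]

if __name__ == "__main__":
    default = "/opt/vmware/horizon/workspace/logs/configurator.log"
    target = Path(sys.argv[1] if len(sys.argv) > 1 else default)
    # Fall back to the constructed sample when the log is not on this host.
    hits = scan_file(target) if target.exists() else scan_lines(SAMPLE)
    for number, code, line in hits:
        print(f"line {number}: exit {code}: {line}")
    sys.exit(1 if hits else 0)
```

A hit is a lead for investigation rather than proof of compromise, and rotated copies of the log should be scanned as well as the current file.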

VMware recommends all customers refer to VMSA-2020-0027 for information on this vulnerability.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
