Vulnerability in VMWare Virtual Workspaces Exploited by Russian State-Sponsored Hackers

The U.S. National Security Agency (NSA) has given a cybersecurity alert regarding the campaign of Russian state-sponsored hacking groups to target a vulnerability identified in VMWare virtual workspaces employed to facilitate remote working.

The vulnerability, monitored as CVE-2020-4006, is found in some versions of VMware Workspace One Access, Identity Manager, Access Connector, and Identity Manager Connector items. Hackers are exploiting this to get access to business networks and protected information on the systems affected.

The vulnerability is a command injection vulnerability found in the administrative configurator part of the impacted products. An attacker could exploit the vulnerability remotely using valid credentials and tinker with the administrative configurator located on port 8443. If an attacker succeeds at exploitation, he could implement commands with unhindered privileges on the OS and obtain sensitive information.

VMWare introduced a patch to fix the problem on December 3, 2020 and additionally released information to assist network defenders to find compromised networks, and provide steps to get rid of threat actors that are exploiting the vulnerability.

VMWare system administrators did not give priority to the vulnerability considering the CVSS v3 base score of 7.2 out of 10 or ‘important’ severity given to it. The somewhat low severity score is due to the fact that an attacker must have a valid password first to be able to exploit the vulnerability. In addition, the account is internal to the affected products. Nonetheless, the NSA explained that Russian threat actors are now using stolen credentials to exploit the vulnerability.

In attacks monitored by the NSA, the attackers took advantage of the command injection vulnerability, set up a web shell, started a malicious activity that generated SAML authentication assertions, and sent that to Microsoft Active Directory Federation Services (ADFS), getting access to protected information.

The easiest way to prevent exploitation is to use the VMWare patch immediately. If not able to use the patch, it is essential to make sure that strong, unique passwords are used to shield against brute force attempts to resolve passwords. The NSA additionally advises administrators to make sure to keep its internet-based management interface inaccessible online.

Strong passwords won’t keep the vulnerability from exploitation and won’t protect when the vulnerability is already exploited. It is crucial when using systems that execute authentication to make sure to properly configure the server and all the services that depend on it for safe operation and usage. If not, SAML assertions may be falsified, giving access to a lot of resources. Whenever connecting authentication servers with ADFS, the NSA suggests adhering to Microsoft’s guidelines, particularly for safeguarding SAML assertions. Using multi-factor authentication is also recommended.

The NSA has suggested a means to avoid exploitation until patching is done. It advises examining and hardening settings and tracking federated authentication providers.

Sad to say, it is hard to detect vulnerability exploitation. The NSA explains in the advisory that network-based monitors are most likely not effective at identifying exploitation because the activity happens solely within an encrypted transport layer security (TLS) tunnel connected with the internet interface. The attack could, however, be recognized from server records that may be located at opt/vmware/horizon/workspace/logs/configurator.log. The appearance of an exit statement with a three-digit number inside the configurator.log indicates that an attacker already exploited the vulnerability.

VMWare advises all consumers to contact VMSA-2020-0027 for more details on this vulnerability.