Menu
Russian state-sponsored hackers exploit vulnerability in VMware Workspace ONE

Russian state-sponsored hackers exploit vulnerability in VMware Workspace ONE

Exploit requires the attacker to have valid credentials, but experts advise patching regardless

Credit: Dreamstime

The US National Security Agency (NSA) is warning organisations to patch or take mitigation steps to close a vulnerability in several VMware products that Russian state-sponsored hackers are exploiting to hijack authentication tokens and access sensitive data on other systems.

The vulnerability, tracked as CVE-2020-4006, is a command injection flaw in the web administration interface of VMware Workspace One Access, VMware Workspace One Access Connector, VMware Identity Manager (vIDM), VMware Identity Manager Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager. By exploiting the flaw, attackers can execute commands on the underlying operating system.

"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data," the NSA said in its advisory Monday.

VMware vulnerability mitigation

The NSA reported the vulnerability to VMware, which released patches for the affected products last week. The company also published temporary workarounds that can be manually applied to both Linux and Windows-based deployments. These changes must be reverted before applying the patches later.

One of NSA's recommendations is also to restrict access to the 8443 port, which is used for the administrator interface to only a small set of trusted systems. This interface should also not be exposed directly to the internet.

Detecting exploitation attempts by inspecting network traffic is hard because the vulnerable interface is accessed over encrypted TLS connections, so any actions the attackers take might not be visible to traffic inspection systems. However, artefacts left in the server logs can indicate the system was exploited.

"The presence of an 'exit' statement followed by any three-digit number, such as 'exit 123', within the configurator.log would suggest that exploitation activity may have occurred on the system," the NSA advisory said. "This log can be found at /opt/vmware/horizon/workspace/logs/configurator.log on the server."

Impact and risk

Based on the NSA's description, the attackers used this vulnerability to pivot to other systems and data.

However, to gain access to the vulnerable administrative interface they needed valid credentials. This means those credentials were already obtained in advance through some other method. The underground marketplace is full of stolen credentials and this is an example of how attackers could make use of such credentials.

"The details and context of this bug definitely read like a solution to a particular problem the Russian state-actors had in a specific instance," Dan Petro, lead researcher at offensive security firm Bishop Fox, tells CSO. "They already had the password (perhaps through social engineering) to the panel and wanted to go further. This doesn't read like an instance of a bug that is being widely exploited out on the open internet."

The vulnerability is rated as Important with a CVSS score of 7.2 out of 10, and Petro agrees with that assessment.

"Requiring authentication to an administrative panel with a high privilege account is not a small barrier," he says. "No default passwords even exist on the panel. Put another way, think of the counterfactual opposite: Imagine if the bug could inject commands without needing the admin password.

"Would this lower the risk? No. If I had found this exact vulnerability on a penetration test, I might have rated it as medium severity. Though admittedly it's sort of on the higher end of medium."

Petro says that organisations should patch this vulnerability, even though other vulnerabilities on purely technical merit have a higher risk. He also feels that since it was used in a targeted attack by nation-state hackers, the intended victims have probably already been contacted by the NSA and have taken incident response action.

A lot of focus is put in the media and even in the security industry on critical vulnerabilities that affect widely used software products, including operating systems, web servers, web frameworks, but this incident shows that well-resourced attackers will find and exploit vulnerabilities in any product if it suits their goals and even if those flaws come with limitations and hurdles. However, according to Petro, defenders should not be discouraged.

"When it comes to remote state-actors, it's easy to get the false impression that they are omnipotent super-hackers because there's a pretty clear sampling bias: We only see their results when they succeed and not when they fail," he says.

"How many times did this team try other avenues of attack that failed before this one? How many other organisations did they try to breach and fail before moving on to this one? Plus, the NSA knew about the attack, so just how successful was it in the end, really? Your security efforts really do matter. Don't fall into the trap of thinking that they don't because of some splashy headlines."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags VMwaresecurity

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments