NSA warns of Russian state-sponsored hackers exploiting VMware vulnerability

Russian hackers are using a VMware bug to plant web shells inside hacked networks, forge SAML assertions on the compromised identity appliance and present them to Microsoft ADFS servers, which then grant them access to sensitive data.
Written by Catalin Cimpanu, Contributor

The US National Security Agency has published a security alert today urging companies to update VMware products for a vulnerability that is currently being exploited by "Russian state-sponsored malicious cyber actors."

The vulnerability, tracked as CVE-2020-4006, affects VMware endpoint and identity management products that are commonly deployed in enterprise and government networks.


The affected products, listed below, are the identity and access components of VMware's Workspace ONE platform: they provide single sign-on and authentication for users and applications, and they sit alongside the tools administrators use to manage large fleets of virtualized workstations and the apps installed on them.

  • VMware Workspace ONE Access (Access) 20.01 and 20.10 on Linux
  • VMware Workspace ONE Access Connector (Access Connector)
  • VMware Identity Manager (vIDM) 3.3.1, 3.3.2, and 3.3.3 on Linux
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03
  • VMware Cloud Foundation 4.x
  • vRealize Suite Lifecycle Manager 8.x

VMware first warned customers last month, on November 23, that these products contained a serious security bug and published a temporary workaround to block attacks while patches were being prepared.

On Friday, VMware released official patches and credited NSA analysts with reporting the issue to its security team.

The NSA has also issued its own security alert, urging government organizations to patch their VMware products amid ongoing attacks from Russian hackers.

"This advisory emphasizes the importance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware identity management products," the NSA said in a press release.

How CVE-2020-4006 works

At its core, CVE-2020-4006 is a command injection vulnerability: input supplied through the product's administrative configurator, a web interface that listens on port 8443, reaches the underlying operating system unsanitized, letting an attacker execute OS-level commands with unrestricted privileges.

The bug was rated Important rather than Critical (CVSSv3 base score 7.2) because it cannot be triggered anonymously: an attacker must first authenticate to the configurator with a valid password for its admin account and must be able to reach the configurator port on the network.

But with those credentials in hand, the vulnerability gives full control of any unpatched Workspace ONE Access or Identity Manager appliance, and therefore of an identity provider that the rest of the organization's systems trust.
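The pattern behind this class of bug, shown below as an added illustration written for this article rather than VMware's own code, is an authenticated admin form field that is spliced into a shell command string. The field name, the `echo` command standing in for the real probe, and the `INJECTED` marker are all assumptions made up for the example; the hardened version shows the two controls that close the hole: allowlist validation of the value, and passing the command as an argv list so no shell ever parses it.

```python
"""Command injection in an admin configuration handler: vulnerable vs hardened.

Example code written for this article, not code from VMware or from CVE-2020-4006
itself. Assumptions: an admin form accepts a hostname (e.g. an NTP or syslog
server) and the backend runs a local command against it; `echo` stands in for
that command so the demo is harmless and runs offline.
"""
import re
import subprocess

# Allowlist for a hostname/IP field: letters, digits, dots and hyphens only.
# Anything a shell would interpret (';', '|', '&', '$', '`', quotes, spaces) is rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_probe(host: str) -> str:
    """VULNERABLE: the admin-supplied value is interpolated into a shell string.

    shell=True hands the whole string to /bin/sh, so a value such as
    'time.example.com; id' runs 'id' as the service's OS user.
    """
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_probe(host: str) -> str:
    """HARDENED: validate against an allowlist, then pass argv as a list.

    With a list and no shell, the value is a single argument to the program;
    metacharacters are never parsed. Validation is kept anyway so that a
    malformed value fails loudly instead of being forwarded downstream.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    argv = ["echo", "probing", host]  # no shell=True, no string building
    return subprocess.run(argv, capture_output=True, text=True).stdout


def demo(payload: str) -> dict:
    """Run both handlers on the same admin input and report what happened."""
    result = {"vulnerable_output": vulnerable_probe(payload)}
    try:
        result["hardened_output"] = hardened_probe(payload)
        result["hardened_rejected"] = False
    except ValueError as exc:
        result["hardened_output"] = str(exc)
        result["hardened_rejected"] = True
    return result


if __name__ == "__main__":
    # Constructed attacker input: a legitimate-looking hostname followed by an
    # injected second command. In a real attack the second command would be
    # something like writing a web shell into the appliance's web root.
    attacker_value = "time.example.com; echo INJECTED"
    for key, value in demo(attacker_value).items():
        print(f"{key}: {value!r}")
```

Run on a Linux host, the vulnerable handler prints `probing time.example.com` followed by `INJECTED` on its own line, proving the second command executed; the hardened handler raises before any process is spawned. The same `;`-separated payload, a `$(...)` substitution or a backtick expression all behave the same way, which is why the fix is to stop building shell strings at all rather than to blocklist individual characters.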


The Workspace ONE administrative configurator is used by system administrators to manage the appliance's own settings and the integrations that tie it to the rest of the environment.

In most deployments the configurator is reachable only from internal networks, but it can also be exposed to the internet when administrators need to reach their enterprise management tools from home or manage networks at remote sites.

Many system administrators might play down this vulnerability because an attacker first needs valid Workspace ONE configurator credentials and then needs network access to the configurator itself, which in many cases is available only on internal networks (intranets).

However, things are never this simple.

"An attacker can achieve these prerequisites by using varieties of methods such as gathering credentials via Phishing, purchasing credentials from third-party sites, or by brute forcing credentials," Mark Arena, CEO of cyber-security firm Intel 471, told ZDNet.

"Intel 471 considers this a medium risk issue due to the possibility of arbitrary command execution on the underlying operating systems with unrestricted privileges offset by the required authentication and adjacent network access," Arena added.

Russian hackers planting web shells, pivoting to other systems

But despite these requirements, the NSA said it is aware of incidents in which Russian state-sponsored hackers obtained credentials for the Workspace ONE web panel, folded this bug into their intrusion chain, and used it to move laterally and escalate the access they already had inside a compromised organization.

According to the NSA, in the attacks it was aware of, the hackers used the bug to install a web shell on the Workspace ONE appliance and then, from that foothold, generated SAML authentication assertions for themselves.

Those forged assertions were then sent to the victim's Microsoft ADFS (Active Directory Federation Services) servers, which trusted them and granted the attackers access to protected data.

The NSA did not name which of the many Russian state-sponsored groups has been abusing this VMware bug but warned organizations not to take CVE-2020-4006 lightly.

"NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible," the agency said.

Contacted for comment, VMware also urged customers to apply the patches released on Friday.
