Russian state-sponsored hackers have been exploiting a vulnerability in several VMware products, including its virtual workspace offerings, according to a cybersecurity advisory issued today by the National Security Agency.
The VMware vulnerability, tracked as CVE-2020-4006 and rated 7.2 on the Common Vulnerability Scoring System (CVSS), was disclosed and patched last week. According to the NSA advisory, threat actors are using the vulnerability to access protected data and abuse federated authentication. Owners and administrators of National Security Systems (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) networks are urged to apply the vendor-provided patches as soon as possible.
The exploited vulnerability affects the Windows and Linux versions of several remote-work products: VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. According to the advisory, exploitation first requires that a malicious actor have access to the web-based management interface of the device; only then can the command injection be triggered.
“This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data,” the advisory said.
Because password-based access to the web-based management interface of the device is required to exploit the VMware vulnerability, the NSA said using a stronger password lowers the risk of exploitation. “This risk is lowered further if the web-based management interface is not accessible from the internet,” the advisory said.
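Since exploitation runs through the management interface, the place to look for evidence is the configurator's own log. The NSA advisory the article covers also describes one indicator in its detection section, which the article does not quote: an "exit" statement followed by a three-digit number (such as "exit 123") in configurator.log. The following is an added example, not code from the article, VMware or the NSA, that scans such a log for that indicator. The log path is the one given in the advisory and should be adjusted to your deployment; the sample log lines are constructed for the demonstration and are not real Workspace ONE Access output.

```python
"""Scan a Workspace ONE Access configurator log for the 'exit NNN' artifact
that the NSA advisory associates with CVE-2020-4006 exploitation.

Added example for illustration; not part of the original article.
"""
import re
from typing import Iterable, List, Tuple

# Default log location as given in the NSA advisory (assumption: adjust to
# your own appliance layout if it differs).
DEFAULT_LOG_PATH = "/opt/vmware/horizon/workspace/logs/configurator.log"

# "exit" followed by exactly three digits, e.g. "exit 127".  The word
# boundaries keep "exit 0", "exit 1" and "exit 1234" from matching, which
# avoids flagging ordinary zero/one exit codes and long numeric fields.
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})\b")

# Constructed sample log lines (NOT real logs) so the example runs offline.
SAMPLE_LOG = """\
2020-12-01 10:02:13,117 INFO  Configurator started
2020-12-01 10:05:40,902 INFO  Admin login from 10.0.4.17
2020-12-01 10:06:02,331 ERROR script returned exit 127
2020-12-01 10:06:02,400 INFO  health check exit 0
2020-12-01 10:07:15,008 WARN  process exit 1234 logged
2020-12-01 10:09:44,771 ERROR exit 255 during config update
"""


def find_exit_indicators(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, exit_code, raw_line) for every line matching the
    three-digit 'exit NNN' indicator."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        match = EXIT_PATTERN.search(line)
        if match:
            hits.append((lineno, match.group(1), line.rstrip("\n")))
    return hits


def scan_sample() -> List[Tuple[int, str, str]]:
    """Run the check over the constructed sample log."""
    return find_exit_indicators(SAMPLE_LOG.splitlines(keepends=True))


def scan_file(path: str = DEFAULT_LOG_PATH) -> List[Tuple[int, str, str]]:
    """Run the check over a real configurator.log on disk.  Reads line by
    line so large logs do not have to fit in memory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_exit_indicators(fh)


if __name__ == "__main__":
    for lineno, code, raw in scan_sample():
        print(f"line {lineno}: exit code {code} -> {raw}")
```

A hit is an indicator, not proof: legitimate scripts can also exit with three-digit codes, so each flagged line should be correlated with configurator admin logins around the same time and with any unexpected SAML activity downstream. Running `scan_file()` on an appliance requires read access to the log, so run it as the appliance's administrative user or copy the log off the device first.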
VMware first published a security advisory for the command injection vulnerability Dec. 3, with credit to the NSA for reporting it. “VMware has evaluated this issue to be of ‘Important’ severity, with a maximum CVSSv3 base score of 7.2,” the advisory said. Patches were made available alongside the advisory.
In today’s statement about the VMware vulnerability, the NSA advised government organizations to update affected systems to the latest version as soon as possible, following VMware’s instructions. A workaround is also available, but it is only a temporary mitigation until the system is fully patched. While the alert stresses that government agencies should patch and update, it does not address enterprises.
“NSA does not publicly share details on victims of foreign malicious cyber activity,” wrote Neal Ziring, cybersecurity technical director at the NSA, in an email to SearchSecurity. “Any organization that uses the affected products should take prompt action to apply the vendor-released patch.”
VMware did not respond to a request for comment as of press time.
The NSA alert is the latest warning about advanced persistent threat actors exploiting high-profile vulnerabilities shortly after they are disclosed and patched. In October, the Cybersecurity and Infrastructure Security Agency released a statement saying that hackers had chained a Fortinet VPN vulnerability with the Netlogon flaw to attack government networks. Patches for both flaws had been released before the attacks. Netlogon, rated the maximum CVSS severity of 10, had already been exploited in the wild, yet it remained unpatched on many systems, leaving them exposed.