Russian intelligence services exploit virtual workspace vulnerabilities.
Dec 7, 2020

Russian intelligence services are exploiting a VMware vulnerability in the wild. NSA strongly recommends applying available patches to virtual workplace products.

Russian intelligence services are exploiting a VMware vulnerability in the wild. At 10:00 this morning the Agency warned:

"The National Security Agency (NSA) released a Cybersecurity Advisory today detailing how Russian state-sponsored actors have been exploiting a vulnerability in VMware® products to access protected data on affected systems. This advisory emphasizes the importance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware® identity management products and provides further details on how to detect and mitigate compromised networks.

"The products affected by this vulnerability are the VMware® Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector, with specific product versions also identified in the VMware® advisory. The exploitation of this vulnerability first requires that a malicious actor have access to the management interface of the device. This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data.

"NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update. In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation/compromise/attack."

Spies use password access to exploit the vulnerability.

As is so often the case, password access is required for exploitation. "Exploiting the vulnerability requires authenticated password-based access to the management interface of the device, which is encrypted with TLS," NSA writes, adding "That interface typically runs over port 8443, but it could be over any user-defined port. NSA recommends that NSS, DoD, and DIB network administrators limit the accessibility of the management interface on servers to only a small set of known systems and block it from direct Internet access."
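One way to check the access restriction NSA describes, as an added example that is not from NSA or VMware: the script audits a set of ingress rules and reports any rule that lets a source outside a short admin allowlist reach the management port. The rule format, rule names, addresses and the use of RFC 1918 ranges to mean "internal" are all assumptions made for illustration.

```python
import ipaddress

MGMT_PORT = 8443  # typical port per the advisory; it may be any user-defined port

# Assumption: RFC 1918 space is what this site treats as "internal".
INTERNAL = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: the small set of known systems allowed to administer.
ADMIN_ALLOWLIST = ["10.20.0.10/32", "10.20.0.11/32"]

# Constructed sample ingress rules in a hypothetical export format:
# source CIDR plus an inclusive destination port range.
SAMPLE_RULES = [
    {"name": "admin-jump", "source": "10.20.0.10/32", "ports": (8443, 8443)},
    {"name": "corp-lan", "source": "10.0.0.0/8", "ports": (8000, 9000)},
    {"name": "any-https", "source": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "legacy-any", "source": "0.0.0.0/0", "ports": (8443, 8443)},
]


def _within(net, candidates):
    """True if net is fully contained in one of the candidate networks."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def audit_mgmt_exposure(rules, allowlist, mgmt_port=MGMT_PORT):
    """Return (rule name, finding) for rules that over-expose the management port."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    findings = []
    for rule in rules:
        low, high = rule["ports"]
        if not low <= mgmt_port <= high:
            continue  # rule does not cover the management port
        source = ipaddress.ip_network(rule["source"])
        if _within(source, allowed):
            continue  # source is entirely inside the admin allowlist
        # Anything not wholly internal can include Internet addresses.
        finding = "too-broad" if _within(source, INTERNAL) else "internet-exposed"
        findings.append((rule["name"], finding))
    return findings


if __name__ == "__main__":
    for name, finding in audit_mgmt_exposure(SAMPLE_RULES, ADMIN_ALLOWLIST):
        print(f"{name}: {finding}")
```

Port ranges matter here: the constructed `corp-lan` rule never names 8443, yet its 8000-9000 range still opens the management interface to the whole internal network.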

VMware patched CVE-2020-4006.

VMware patched the relevant vulnerability, CVE-2020-4006, last Thursday. The company has also published an extended account of how the command injection problem affects its products and their users. NSA strongly advises patching as soon as possible.

As far as other mitigations are concerned, at least in this case there's no issue of default passwords being left in place for easy hostile access. The server requires that users choose passwords "intentionally" upon installation. Strong passwords are a good idea, of course, and unique passwords resistant to credential stuffing are an even better idea. The other principal mitigation NSA recommends is checking for proper server configuration. "If integrating authentication servers with ADFS," the warning adds, "NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication."