News: Vulnerability in VMware products can compromise the system


Serafim

Advanced
Joined
28.09.20
Messages
129
Reaction score
1,172
Points
93
VMware has released a temporary fix for a critical vulnerability in its products that allows attackers to take control of the system.

As reported in the security notice, "an attacker with network access to the administrative Configurator via port 8443 and a valid password for the administrator account of the Configurator can run commands with unlimited privileges on the system."

CVE-2020-4006 is a command injection vulnerability in VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, and Identity Manager Connector. On the CVSS severity scale, the vulnerability received 9.1 points out of a maximum of 10.

The vulnerability affects the following products:

VMware Workspace ONE Access (versions 20.01 and 20.10 for Linux and Windows);
VMware Workspace ONE Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows);
VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows);
VMware Identity Manager Connector (versions 3.3.1 and 3.3.2 for Linux; 3.3.1, 3.3.2, and 3.3.3 for Windows);
VMware Cloud Foundation (versions 4.x for Linux and Windows);
vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows).
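The affected-version list above is exactly what an inventory triage should be matched against, and it has a trap: Identity Manager Connector 3.3.3 is listed for Windows but not for Linux, and two products are listed only by major version ("4.x", "8.x"). The following is an added example, not code from the original post or from VMware, that encodes the list as printed and ranks hosts by whether the Configurator port 8443 named in the advisory is reachable from an untrusted network. The inventory records, the host names and the `configurator_reachable` flag are constructed assumptions for illustration; a real run would feed it from your asset database and a port scan.

```python
# Added example, not from the original post or from VMware: triage an
# asset inventory against the CVE-2020-4006 affected-version list above.
from dataclasses import dataclass

# Affected versions per product and OS, transcribed from the post.
# A pattern ending in ".x" is a major-version wildcard (e.g. "4.x").
AFFECTED = {
    "VMware Workspace ONE Access": {
        "Linux": ["20.01", "20.10"], "Windows": ["20.01", "20.10"]},
    "VMware Workspace ONE Access Connector": {
        "Windows": ["20.10", "20.01.0.0", "20.01.0.1"]},
    "VMware Identity Manager": {
        "Linux": ["3.3.1", "3.3.2", "3.3.3"],
        "Windows": ["3.3.1", "3.3.2", "3.3.3"]},
    "VMware Identity Manager Connector": {
        "Linux": ["3.3.1", "3.3.2"],                 # 3.3.3 NOT listed for Linux
        "Windows": ["3.3.1", "3.3.2", "3.3.3"]},
    "VMware Cloud Foundation": {"Linux": ["4.x"], "Windows": ["4.x"]},
    "vRealize Suite Lifecycle Manager": {"Linux": ["8.x"], "Windows": ["8.x"]},
}

CONFIGURATOR_PORT = 8443  # the only service the advisory's workaround covers


def version_matches(version: str, pattern: str) -> bool:
    """Exact match, or major-version prefix match for 'N.x' patterns."""
    if pattern.endswith(".x"):
        major = pattern[:-2]
        # "4.x" must match "4" and "4.1.0" but not "40.1"
        return version == major or version.startswith(major + ".")
    return version == pattern


def is_affected(product: str, version: str, os_name: str) -> bool:
    """True if this product/version/OS triple appears in the affected list."""
    patterns = AFFECTED.get(product, {}).get(os_name, [])
    return any(version_matches(version, p) for p in patterns)


@dataclass
class Asset:
    host: str
    product: str
    version: str
    os_name: str
    configurator_reachable: bool  # assumption: result of an external scan of tcp/8443


def triage(assets):
    """Return (host, priority) for every affected asset.

    Exposure of the Configurator port drives priority, because the advisory's
    precondition is network access to port 8443 plus the admin password.
    """
    findings = []
    for a in assets:
        if not is_affected(a.product, a.version, a.os_name):
            continue
        if a.configurator_reachable:
            prio = "HIGH: Configurator on %d reachable; apply workaround or restrict access" % CONFIGURATOR_PORT
        else:
            prio = "MEDIUM: affected version, Configurator not externally reachable"
        findings.append((a.host, prio))
    return findings


# Constructed sample inventory (hypothetical hosts), not real data.
INVENTORY = [
    Asset("idm-01", "VMware Identity Manager", "3.3.3", "Linux", True),
    Asset("idmc-02", "VMware Identity Manager Connector", "3.3.3", "Linux", True),   # not listed
    Asset("idmc-03", "VMware Identity Manager Connector", "3.3.3", "Windows", False),
    Asset("vcf-04", "VMware Cloud Foundation", "4.1.0", "Linux", False),
    Asset("wsa-05", "VMware Workspace ONE Access", "20.10", "Linux", True),
]

if __name__ == "__main__":
    for host, prio in triage(INVENTORY):
        print(host, prio)
```

The wildcard handling is deliberately prefix-based rather than numeric so that a build string such as "4.1.0.1" still matches "4.x"; if your inventory carries product names in a different spelling, normalise them before lookup rather than loosening the match.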
The released fix is only a temporary workaround, and the release date of the final patch has not yet been specified. It is also unknown whether the vulnerability is being exploited in real attacks. As VMware specifies, the temporary fix applies only to the administrative Configurator service hosted on port 8443.

After the temporary fix is installed, configuration changes managed by the Configurator will no longer be possible. If you need to make changes, you must first revert the fix, then reapply it after the changes are made.