VMware, the virtualization vendor, has issued a warning about a critical vulnerability in several of its Linux and Windows products. A patch is not yet available, only workarounds.
I saw the security advisory VMSA-2020-0027, dated Nov. 23, 2020, already on Monday. It describes a privately reported command injection vulnerability in several VMware products. A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator administrator account can execute commands with full privileges on the underlying operating system (Linux or Windows).
The vulnerability, CVE-2020-4006, can be exploited on both Linux and Windows and is rated CVSSv3 9.1 (max. 10), i.e. critical. According to VMware it affects the following products:
- VMware Workspace One Access (Access)
- VMware Workspace One Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
Currently there are no updates that fix this vulnerability. However, workarounds are available for VMware Workspace One Access, VMware Identity Manager and VMware Identity Manager Connector on Linux and Windows to prevent exploitation. The workarounds may only be applied to the products and versions listed below.
- VMware Workspace One Access 20.10 (Linux)
- VMware Workspace One Access 20.01 (Linux)
- VMware Identity Manager 3.3.3 (Linux)
- VMware Identity Manager 3.3.2 (Linux)
- VMware Identity Manager 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
The disadvantage of the workaround: it shuts down the configuration panel, so that it can no longer be used for an attack. When security updates will be released is currently not yet known.
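As an added example (not from VMware or this post): a small check an administrator can run from a given network position to see which inventoried appliances still answer on the configurator port 8443 named in the advisory, i.e. where the workaround (which shuts the configuration panel down) is not yet in effect. Host names are constructed placeholders; the `connect` parameter exists so the logic can be exercised without live appliances.

```python
import socket
from typing import Callable, Dict, Iterable, List

# Administrative configurator port named in VMSA-2020-0027.
CONFIGURATOR_PORT = 8443


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_configurator_exposure(
    hosts: Iterable[str],
    port: int = CONFIGURATOR_PORT,
    timeout: float = 2.0,
    connect: Callable[[str, int, float], None] = tcp_connect,
) -> Dict[str, str]:
    """Map each host to 'reachable', 'refused', 'timeout' or 'error: <type>'.

    'reachable' only means the port answers from here; CVE-2020-4006 still
    needs the configurator admin password. The point of the check is to
    confirm that the panel is no longer listening once the workaround is in.
    """
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            connect(host, port, timeout)
            results[host] = "reachable"
        except ConnectionRefusedError:
            results[host] = "refused"
        except (socket.timeout, TimeoutError):
            results[host] = "timeout"
        except OSError as exc:  # DNS failure, unreachable network, etc.
            results[host] = f"error: {type(exc).__name__}"
    return results


def still_exposed(results: Dict[str, str]) -> List[str]:
    """Hosts whose configurator port still accepts connections."""
    return sorted(h for h, state in results.items() if state == "reachable")


if __name__ == "__main__":
    # Constructed inventory (placeholder names); replace with your appliances.
    inventory = ["vidm-01.example.internal", "access-01.example.internal"]
    report = check_configurator_exposure(inventory)
    for host, state in report.items():
        print(f"{host}:{CONFIGURATOR_PORT} -> {state}")
    print("still exposed:", still_exposed(report))
```

Run it from the same network segments that should not be able to reach the configurator; a "reachable" result there is the finding to act on.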