Russian hackers are exploiting recently patched VMware flaw to get access to protected data, NSA warns


The US National Security Agency (NSA) has released a security advisory warning of cyber attacks in which Russian threat actors are exploiting a recently patched vulnerability in VMware Access and VMware Identity Manager products to gain access to sensitive data.

The flaw, tracked as CVE-2020-4006, is a command injection issue that affects several products, including VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The vulnerability exists due to improper input validation in the administrative configurator. A remote administrator can pass specially crafted data to the application and execute arbitrary commands on the target system.
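The defect class named here, a command injection caused by missing input validation in an administrative configuration handler, is easier to reason about with a minimal reproduction. The following is an added illustration, not VMware's code and not a description of the real configurator: a hypothetical "set hostname" handler written the unsafe way beside its hardened counterpart. The field name, the two sample inputs, and the use of `echo` as a harmless stand-in for the real system command are all constructed for the example.

```python
import re
import subprocess

# Constructed inputs for a hypothetical "set hostname" admin form field.
SAFE_INPUT = "idm.example.internal"
INJECTED_INPUT = "idm.example.internal; echo INJECTED"


def run_vulnerable(hostname: str) -> str:
    """The defect class: untrusted text is pasted into a shell command string.

    `echo` stands in for the real system command so the demo is harmless.
    Because a shell parses the string, anything after ';' runs as a second
    command, which is the behaviour described for CVE-2020-4006.
    """
    cmd = f"echo set-hostname {hostname}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Allow-list pattern for RFC 1123 hostnames: labels of letters, digits and
# hyphens, 1-63 chars each, joined by dots, 253 chars overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_hostname(hostname: str) -> str:
    """Reject anything that is not a syntactically valid hostname.

    Shell metacharacters (';', '|', '$', backticks, whitespace) can never
    pass, so the value is safe to hand to a subprocess.
    """
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return hostname


def run_hardened(hostname: str) -> str:
    """Validate first, then pass an argv list so no shell ever parses the value."""
    argv = ["echo", "set-hostname", validate_hostname(hostname)]
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # The unsafe handler executes the smuggled second command.
    print(run_vulnerable(INJECTED_INPUT))
    # The hardened handler accepts a clean value ...
    print(run_hardened(SAFE_INPUT))
    # ... and refuses the injected one before any process is spawned.
    try:
        run_hardened(INJECTED_INPUT)
    except ValueError as err:
        print("hardened handler:", err)
```

Both fixes matter: the argv form removes the shell from the path, and the allow-list rejects the bad value at the boundary, which also gives you a clean log line to alert on when an administrator-level account starts submitting hostnames containing shell metacharacters.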

VMware initially issued a security advisory describing the bug on November 23 and said it was working on a fix. More than a week later, on December 3, the company released patches to address the flaw and revealed that it had learned about the issue from the NSA.

While VMware did not mention the flaw was under active exploitation in the wild, the NSA is now warning that Russian hackers have been using CVE-2020-4006 in attacks.

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the agency said. “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”

The NSA has not revealed what hacker groups have been exploiting the flaw, or what targets the attacks have been aimed at.
