Vulnerability in VMware Products Allows System Compromise
VMware has released an interim fix for a critical vulnerability in its products that could allow attackers to take control of a system.
As stated in the security notice, "an attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator administrator account can run commands on the system with unlimited privileges."
CVE-2020-4006 is a command injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. On the CVSS severity scale, the vulnerability scores 9.1 out of a maximum of 10.
The vulnerability affects the following products:
- VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
- VMware Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)
- VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
- VMware Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
- VMware Cloud Foundation (version 4.x for Linux and Windows)
- vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)
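The practical question for a defender reading the list above is which hosts in their own estate match it, and which of those expose the administrative configurator port 8443 that the advisory names as the attack precondition. The following is an added triage example, not code from VMware or from the advisory: the product, version and platform entries are transcribed from the list above, while the inventory records, the `Host` fields (including the assumed `configurator_exposed` attribute) and the "N.x" wildcard handling are constructed for illustration.

```python
"""Triage an asset inventory against the affected-version list for CVE-2020-4006.

Added example; the affected entries are taken from the advisory's list, the
inventory below is constructed sample data.
"""
from dataclasses import dataclass

# (product, version pattern, platforms) as listed in the advisory.
# A trailing ".x" matches every release in that major line (e.g. "4.x" -> 4.1.0).
AFFECTED = [
    ("VMware Workspace One Access", "20.01", {"linux", "windows"}),
    ("VMware Workspace One Access", "20.10", {"linux", "windows"}),
    ("VMware Workspace One Access Connector", "20.10", {"windows"}),
    ("VMware Workspace One Access Connector", "20.01.0.0", {"windows"}),
    ("VMware Workspace One Access Connector", "20.01.0.1", {"windows"}),
    ("VMware Identity Manager", "3.3.1", {"linux", "windows"}),
    ("VMware Identity Manager", "3.3.2", {"linux", "windows"}),
    ("VMware Identity Manager", "3.3.3", {"linux", "windows"}),
    ("VMware Identity Manager Connector", "3.3.1", {"linux", "windows"}),
    ("VMware Identity Manager Connector", "3.3.2", {"linux", "windows"}),
    ("VMware Identity Manager Connector", "3.3.3", {"windows"}),
    ("VMware Cloud Foundation", "4.x", {"linux", "windows"}),
    ("vRealize Suite Lifecycle Manager", "8.x", {"linux", "windows"}),
]


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    platform: str
    # Assumed inventory attribute: is TCP/8443 (the administrative configurator)
    # reachable from beyond the admin network?
    configurator_exposed: bool


def version_matches(installed: str, pattern: str) -> bool:
    """True if `installed` matches `pattern`; "N.x" matches the whole N major line."""
    inst = installed.split(".")
    pat = pattern.split(".")
    if pat[-1] == "x":
        prefix = pat[:-1]
        return inst[: len(prefix)] == prefix
    # Exact match, tolerant of trailing ".0" components (20.01 == 20.01.0.0).
    while len(inst) < len(pat):
        inst.append("0")
    while len(pat) < len(inst):
        pat.append("0")
    return [int(p) for p in inst] == [int(p) for p in pat]


def affected_hosts(inventory):
    """Return (host, reason) for every host matching an affected product/version/platform."""
    hits = []
    for h in inventory:
        for product, pattern, platforms in AFFECTED:
            if (
                h.product == product
                and h.platform.lower() in platforms
                and version_matches(h.version, pattern)
            ):
                hits.append((h, f"{product} {pattern} on {h.platform}"))
                break
    return hits


def prioritize(hits):
    """Hosts whose configurator port is reachable come first: that is the
    precondition the advisory names, so they should get the workaround first."""
    return sorted(hits, key=lambda hr: not hr[0].configurator_exposed)


# Constructed sample inventory.
INVENTORY = [
    Host("idm-prod-01", "VMware Identity Manager", "3.3.2", "Linux", True),
    Host("idm-conn-01", "VMware Identity Manager Connector", "3.3.3", "Linux", False),
    Host("wsa-01", "VMware Workspace One Access", "20.10", "Windows", False),
    Host("vcf-01", "VMware Cloud Foundation", "4.1.0", "Linux", True),
    Host("vrslcm-01", "vRealize Suite Lifecycle Manager", "8.2", "Linux", False),
    Host("vrslcm-old", "vRealize Suite Lifecycle Manager", "7.9", "Linux", False),
]

if __name__ == "__main__":
    for host, reason in prioritize(affected_hosts(INVENTORY)):
        flag = "8443 EXPOSED" if host.configurator_exposed else "8443 internal"
        print(f"{host.name:12} {flag:14} {reason}")
```

Note that `idm-conn-01` is not flagged: the advisory lists Identity Manager Connector 3.3.3 as affected on Windows only, and the platform check honours that distinction rather than flagging every 3.3.x connector.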
The released fix is only a temporary workaround, and VMware has not yet given a release date for the final patch. It is also not known whether the vulnerability is being exploited in real-world attacks. As VMware clarifies, the interim fix applies only to the Administrative Configurator service hosted on port 8443.
After the interim fix is installed, configuration changes made through the configurator will no longer be possible. If such changes are needed, the workaround must first be reverted, the changes made, and the workaround then reapplied.