NSA Urges Orgs to Patch Vulnerability Following Russian Exploitation
Attackers have been actively exploiting a recently uncovered command injection bug in VMware products to access protected data.
Administrators in charge of systems that run VMware products are being urged to verify they've been updated to mitigate a vulnerability that's reportedly being exploited by Russian state-sponsored attackers.
In a cybersecurity advisory (PDF) published Monday, the National Security Agency warned that the vulnerability, a command injection flaw, exists in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.
The software is largely used for identity and access management; it supports multi-factor authentication, conditional access and single sign-on to SaaS, as well as web and native mobile apps.
The news is further proof that some of the most depended-upon software these days, the platforms that help facilitate remote work, remains an appealing target for attackers.
The vulnerability (CVE-2020-4006) – which was discovered by the NSA two weeks ago - was patched on December 3 by VMware. The Cybersecurity and Infrastructure Security Agency (CISA) warned about the vulnerability that day and pointed to VMware's patches but didn't give any details on the vulnerability outside of the fact that an attacker could exploit it to take control of an affected system.
If your organization uses vulnerable VMware Access or Identity Manager versions, or if your customer or partner networks use any of the affected products, you'll want to take action.
In its advisory, the NSA confirmed the vulnerability exists in the following product versions:
- VMware Access® 20.01 and 20.10 on Linux®
- VMware vIDM® 3.3.1, 3.3.2, and 3.3.3 on Linux
- VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation® 4.x
- VMware vRealize Suite Lifecycle Manager® 8.x
According to the agency, an attacker would already need valid password-based access to the device's web-based administrative configurator in order to carry out an attack; the bug is a post-authentication command injection, not an unauthenticated remote code execution flaw. Exploiting it lets the attacker run commands on the underlying operating system, which in the observed activity was used to install a web shell. From that foothold, the actors generated forged SAML (Security Assertion Markup Language) assertions and sent them to Microsoft Active Directory Federation Services (ADFS), which in turn granted access to protected data.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources,” the NSA warned. “If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”
The NSA declined to provide any information on the attackers aside from the fact that they were Russian state-sponsored; it also declined to disclose when the attacks may have started or who the victims may have been.
The NSA is, however, strongly encouraging those in charge of National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) systems to apply the correct patches if they haven't already.
Of course, in the event administrators can't patch immediately, whether due to time constraints or because they're already juggling previous patches, they should follow the mitigations laid out by VMware. There are workarounds for both Linux-based appliances and Windows-based servers in VMware's Knowledge Base article about the vulnerability; they're also listed in the NSA's advisory. Note that the workarounds disable the administrative configurator, so configuration changes made through it aren't possible until the patch is applied and the workaround is reverted.
For admins reviewing logs, the NSA points out that the presence of an "exit" statement followed by any 3-digit number, such as "exit 123", within configurator.log (at /opt/vmware/horizon/workspace/logs/configurator.log on Linux appliances) could suggest that exploitation activity has occurred on the system. The indicator is a hint rather than proof: a match warrants a closer look at the surrounding log entries and the appliance, and the absence of a match does not establish that a system is clean, since an attacker with operating-system-level access could alter or rotate the log.
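The following is an added example of how that log check can be scripted, not code from the NSA advisory or from VMware. It scans a configurator.log for a bare "exit" followed by exactly three digits, and runs here against a constructed sample log rather than a real appliance; the log path is taken from the article and can be overridden with the hypothetical CONFIGURATOR_LOG environment variable.

```shell
#!/bin/sh
# Added example (not NSA or VMware code): scan configurator.log for the
# indicator described in the NSA advisory, a bare "exit" statement followed
# by a 3-digit number, e.g. "exit 123".

# Default path from the advisory; CONFIGURATOR_LOG is an assumed override knob.
LOG_PATH="${CONFIGURATOR_LOG:-/opt/vmware/horizon/workspace/logs/configurator.log}"

# "exit" must not be glued to other identifier characters, and the number must
# be exactly three digits ("exit 0" and "exit 1234" are not matches).
PATTERN='(^|[^A-Za-z0-9_])exit [0-9]{3}([^0-9]|$)'

# Print matching lines with line numbers; exit 0 if any matched, 1 otherwise.
scan_configurator_log() {
    grep -nE "$PATTERN" "$1"
}

# Print the number of matching lines (0 when there are none).
count_indicators() {
    grep -cE "$PATTERN" "$1" || true
}

# Constructed sample log lines for demonstration; not real appliance output.
make_sample_log() {
    cat > "$1" <<'EOF'
2020-12-07 10:14:02 INFO  configurator - Login succeeded for admin
2020-12-07 10:14:05 INFO  configurator - Saving configuration, exit 0
2020-12-07 10:16:41 INFO  configurator - exit 123
2020-12-07 10:16:42 INFO  configurator - Started service with PID 1234
EOF
}

# Stand-alone run: scan the sample log, or the real log if it exists.
if [ -r "$LOG_PATH" ]; then
    target="$LOG_PATH"
else
    target="$(mktemp)"
    make_sample_log "$target"
fi
if scan_configurator_log "$target"; then
    echo "possible exploitation activity: $(count_indicators "$target") match(es) in $target"
else
    echo "no indicator found in $target"
fi
[ "$target" = "$LOG_PATH" ] || rm -f "$target"
```

Run it as root on the appliance so the log is readable; a match is a reason to pull the surrounding entries and the web server's document roots for review, not a verdict on its own, and rotated or archived copies of configurator.log should be scanned as well.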
While it may not be the same group, two other U.S. government entities, the Federal Bureau of Investigation (FBI) and CISA, warned in October that Russian hackers were targeting U.S. government networks. The agencies warned at the time that the Energetic Bear APT group was using admin credentials to break into networks, locate high-value assets and exfiltrate data belonging to U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks.
NSA image via Marco Verch's Flickr photostream, Creative Commons