On Thursday, VMware released patches for a Workspace ONE Access security bug that the National Security Agency (NSA) found and reported.
Workspace ONE Access, previously known as VMware Identity Manager, provides multi-factor authentication, single sign-on, and conditional access capabilities for SaaS, mobile and web applications.
The newly identified weakness, tracked as CVE-2020-4006, has been downgraded from critical to severe (its CVSS score fell from 9.1 to 7.2), because VMware determined that an attacker needs a valid password for the configurator admin account in order to exploit the bug.
VMware's advisory did not originally credit a discoverer, but an update to the advisory published this week, alongside the release of the patches, confirmed that the flaw was reported by the NSA. VMware also published workaround guidance for the issue.
An attacker who successfully exploits the weakness can execute commands on the affected machine.
In its advisory, VMware states, “A malicious actor with network access to the administrative configurator on port 8443 and a valid configurator admin account password may execute commands with unrestricted privileges on the underlying operating system.”
The company further notes that the configurator admin account is internal to the affected products and that its password is set at deployment time. A successful attack requires that password.
Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, Cloud Base, and vRealize Suite Lifecycle Manager are affected by the command injection bug. Updates for the affected products have been released for both Linux and Windows.