VMware has disclosed a critical command-injection vulnerability in several of its core products that can be used by an attacker with network access to essentially run arbitrary commands on the host operating system.
The bug affects Workspace One Acces, Access Connector, Identity Manager, and Identity Manager Connector, mainly running on Linux, but some Windows versions are affected as well. VMware does not have a patch available for the vulnerability (CVE-2020-4006), but has published a set of workarounds that limit the effects of the vulnerability. Although the flaw is considered critical, there are some mitigating factors that make exploitation somewhat more difficult, including the need for a valid password for the target account.
“VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator,” the advisory says.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.”
Workspace One is VMware’s all-in-one platform for application and identity management for enterprises. It runs on both Linux and Windows and includes a number of different modules and features. The command-injection vulnerability affects Access, Access Connector, and Identity Manager on Linux, andIdentity Manager Connector on both Windows and Linux. The workaround that VMware suggests requires a small configuration change to the appliance.
VMware did not provide an estimated date for the release of a patch for the vulnerability, so given the public knowledge of the details, implementing the workaround is key for enterprises running affected versions of the products.