Threat Brief: VMware Command Injection Vulnerability (CVE-2020-4006)

This post is also available in: 日本語 (Japanese)

Executive Summary

On Dec. 7, 2020, the National Security Agency (NSA) published a cybersecurity advisory indicating they observed Russian state-sponsored actors exploiting a VMware command injection vulnerability (CVE-2020-4006). VMware issued a patch for the vulnerability on Dec. 3, 2020. The vulnerability affects the following VMware products:

• VMware Access®3 20.01 and 20.10 on Linux®4
• VMware vIDM®5 3.3.1, 3.3.2 and 3.3.3 on Linux
• VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
• VMware Cloud Foundation®6 4.x
• VMware vRealize Suite Lifecycle Manager®7 8.x

The vulnerability requires network access to the administrative configurator on port 8443 (though this can be configured to be any port) and a valid password for the configurator admin account. If these conditions exist, a malicious actor could execute commands with unrestricted privileges on the underlying operating system.

Mitigation Actions

First and foremost, patch the vulnerable software if at all possible. If, for some reason, the vulnerable software cannot be patched, then refer to the following workarounds:

Warning:

This workaround is applicable ONLY to VMware Workspace ONE Access, VMware Identity Manager and VMware Identity Manager Connector. Do not apply this workaround to other VMware products.

To implement the workaround for CVE-2020-4006, perform the following steps below. Please note the operating system.

1. Implement workaround for Linux-based appliances:

1. 1. 1. Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.
      2. Switch to root by typing su and provide “root” credentials configured during installation or updated later.
      3. Run the following commands:

cd /opt/vmware/horizon//workspace
mkdir webapps.tmp
mv webapps/cfg webapps.tmp
mv conf/Catalina/localhost/cfg.xml webapps.tmp
service horizon-workspace restart

      Repeat steps for all Linux-based appliances affected by CVE-2020-4006.

2. Implement workaround for Windows-based servers:

1. 1. 1. Log in as Administrator.
      2. Open a Command Prompt window and run the following commands:

Net stop “VMwareIDMConnector”
cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
mkdir webappstmp
move webapps\cfg webappstmp
move conf\Catalina\localhost\cfg.xml webappstmp
net start “VMwareIDMConnector”

     Repeat steps for all Windows-based servers affected by CVE-2020-4006.

To remove the workaround for CVE-2020-4006, perform the following steps:

1. Revert workaround for Linux-based appliances.

1. 1. 1. Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.
      2. Switch to root by typing su and provide “root” credentials configured during installation or updated later.
      3. Run the following commands:

cd /opt/vmware/horizon/workspace
mv webapps.tmp/cfg webapps
mv webapps.tmp/cfg.xml conf/Catalina/localhost
rmdir webapps.tmp
service horizon-workspace restart

     Repeat steps for all Linux-based appliances affected by CVE-2020-4006.

2. Revert workaround for Windows-based servers

1. 1. 1. Log in as Administrator.
      2. Open a Command Prompt window and run the following commands:

net stop "VMwareIDMConnector"
cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
move webappstmp\cfg webapps
move webappstmp\cfg.xml conf\Catalina\localhost
rmdir webappstmp
net start "VMwareIDMConnector"

      Repeat steps for all Windows-based servers affected by CVE-2020-4006.

Conclusion

Palo Alto Networks is continuing efforts to identify a proof of concept (PoC) or other relevant information that would allow specific coverage for exploitation of this vulnerability. Due to the lack of specific attack details related to exploitation, Palo Alto Networks highly recommends patching your vulnerable software when possible and/or implementing the workaround provided by VMWare. This blog will be updated when more information becomes available.