VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.
The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.
Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS).
The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager.
The vulnerability can be exploited in some products hosted on Linux but not on Windows, and either operating system for other products. The full details on which software and OS configurations are affected are outlined on VMware’s security advisory.
Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps outlined here, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.
The workaround isn't compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released.
News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.
-
Netgear WBE710 reviewReviews The compact WBE710 delivers great cloud management features and a good turn of Wi-Fi 7 speed – but it does have a premium price tag
-
Businesses are taking their eye off the ball with vulnerability patchingNews Security leaders are overconfident in their organization’s security posture while allowing vulnerability patching to fall by the wayside.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
The threat prevention buyer's guideWhitepaper Find the best advanced and file-based threat protection solution for you
