NSA Advisory Indicates Russian Threat Actors are Exploiting VMWare Vulnerability

Executive Summary

The U.S. National Security Agency Central Security Service (NSA CSS) issued a cybersecurity advisory on December 7, 2020 in relation to the exploitation of a VMWare vulnerability identified as CVE-2020-4006, a command injection flaw. According to the NSA CSS advisory, unnamed Russian state-sponsored threat activity groups have been exploiting this vulnerability. VMWare indicates, in order for a threat group to take advantage of this vulnerability, it would be necessary for an attacker to have “network access to the administrative configurator on port 8443 and a valid password for the configurator admin account.” VMWare goes on to state that once the threat actor has gained access it is possible to “execute commands with unrestricted privileges on the underlying operating system.” The advisory specifically indicated that “access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data.”

After successful exploitation, the threat actor uploads a web shell, which is “a persistent interface for running server commands”. According to the original NSA report, this is done with the end goal of accessing Microsoft’s Active Directory Federation Services (ADFS), giving the attacker access to privileged and otherwise protected information to the targeted organization, if ADFS exists on the network.

The products and versions impacted by this vulnerability are as follows:

VMware Access® 20.01 and 20.10 on Linux®
VMware vIDM® 3.3.1, 3.3.2, and 3.3.3 on Linux
VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
VMware Cloud Foundation® 4.x
VMware vRealize Suite Lifecycle Manager® 8.x

VMWare initially issued an advisory for this vulnerability on November 23, 2020 and released a patch for the affected products on December 5, 2020. In addition to patching, the NSA CSS advisory and VMWare provided workarounds, detection, and further guidance in order to protect against active exploitation of this vulnerability.

The VMWare Security Advisory with patching and workarounds can be found here: https://www.vmware.com/security/advisories/VMSA-2020-0027.html

Even though successful exploitation of this vulnerability requires access from the open internet, as well as advanced knowledge (or successful attempt at guessing) the administrator password for the affected VM products, this vulnerability is considered significant.

According to the detection information within the original NSA CSS report, “The presence of an ‘exit’ statement followed by any 3-digit number, such as ‘exit 123’, within the configurator.log (found on Linux-based systems at /opt/vmware/horizon/workspace/logs/configurator.log) would suggest that exploitation activity may have occurred on the system.”

Recommendations

Apply the VMware provided patch or utilize workarounds as soon as possible in your environment for any of the above listed products.
The security advisory from VMware with patching and workarounds can be found here: https://www.vmware.com/security/advisories/VMSA-2020-0027.html