VMware sounds alarm over zero-day flaws in multiple products

Temporary workarounds have been released for a critical vulnerability that could allow a hacker to seize control of enterprise systems

VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.

The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.

Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS)

The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager. 

The vulnerability can be exploited in some products hosted on Linux but not on Windows, and either operating system for other products. The full details on which software and OS configurations are affected are outlined on VMware’s security advisory.

Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps outlined here, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.  

The workaround isn't compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released. 

News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021