VMware sounds alarm over zero-day flaws in multiple products

Temporary workarounds have been released for a critical vulnerability that could allow a hacker to seize control of enterprise systems

VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.

The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.

Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS)

The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager. 

The vulnerability can be exploited in some products hosted on Linux but not on Windows, and either operating system for other products. The full details on which software and OS configurations are affected are outlined on VMware’s security advisory.

Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps outlined here, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.  

The workaround isn't compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released. 

News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021
Hackers fake DocuSign and offer fraudulent signing methods
document management systems (DMS)

Hackers fake DocuSign and offer fraudulent signing methods

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021