The Cyber Security News

Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending

VMware says it has no patch yet for a critical escalation-of-privileges bug that affects both Windows and Linux operating systems and its Workspace One.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a zero-day bug affecting six VMware products, including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.

The critical unpatched bug is a command injection vulnerability.


In a separate VMware advisory, the company did not say whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity score of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote.

The products affected by the vulnerability are:

  • VMware Workspace One Access (Access)
  • VMware Workspace One Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

A total of 12 product versions are affected.

Workarounds outlined by VMware are “meant to be a temporary solution only, and customers are advised to subscribe to VMSA-2020-0027 to be alerted when patches are available,” the company wrote.

Affected versions include:

  • VMware Workspace One Access 20.10 (Linux)
  • VMware Workspace One Access 20.01 (Linux)
  • VMware Identity Manager 3.3.3 (Linux)
  • VMware Identity Manager 3.3.2 (Linux)
  • VMware Identity Manager 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

The tradeoff of the workaround, once applied, is that in each of the affected VMware products, configurator-managed setting changes will not be possible while the workaround is in place.

“If changes are required please revert the workaround following the instructions … make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” VMware explained.


Some sections of this report are sourced from:
threatpost.com
