VMware said it has no patch yet for a critical privilege-escalation bug that affects its Workspace ONE and other products on both Windows and Linux.
The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products, including its Workspace ONE, Identity Manager and vRealize Suite Lifecycle Manager.
The critical, unpatched bug is a command injection vulnerability.
In a separate VMware advisory, the company did not say whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity score of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary alternative to prevent exploitation of CVE-2020-4006” are available.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote.
The products affected by the vulnerability are:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
A total of 12 product versions are affected.
Workarounds outlined by VMware are “intended to be a temporary solution only, and customers are advised to follow VMSA-2020-0027 to be alerted when patches are available,” the company wrote.
Affected versions include:
- VMware Workspace ONE Access 20.10 (Linux)
- VMware Workspace ONE Access 20.01 (Linux)
- VMware Identity Manager 3.3.3 (Linux)
- VMware Identity Manager 3.3.2 (Linux)
- VMware Identity Manager 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
The tradeoff of the workaround, once applied, is that configurator-managed setting changes will not be possible in any of the VMware services while the workaround is in place.
“If changes are required please revert the workaround following the instructions … make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” VMware said.
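The version list above and the workaround tradeoff together decide how urgent each host is: the bug needs network reach to the configurator on port 8443 plus a valid configurator admin password, and VMware's workaround disables that configurator. The following triage script is an added example, not VMware's or the article's code. Its affected-version table is transcribed from the list above (VMware Cloud Foundation and vRealize Suite Lifecycle Manager are left out because the article gives no versions for them); the inventory records are constructed sample data, and the `configurator_reachable` and `workaround_applied` fields are assumed attributes that an asset database would have to supply.

```python
"""Triage an inventory of VMware hosts against CVE-2020-4006.

Added example, not VMware's or the article's code. AFFECTED is transcribed
from the advisory summary; hosts below are constructed sample data, and the
fields 'configurator_reachable' / 'workaround_applied' are assumed attributes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# (product, platform) -> affected versions, exactly as listed in the advisory
# summary. Versions stay strings on purpose: "20.01" and "20.10" are different
# releases, and a numeric comparison would collapse both to 20.1.
AFFECTED: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("VMware Workspace ONE Access", "Linux"): frozenset({"20.10", "20.01"}),
    ("VMware Identity Manager", "Linux"): frozenset({"3.3.3", "3.3.2", "3.3.1"}),
    ("VMware Identity Manager Connector", "Linux"): frozenset({"3.3.2", "3.3.1"}),
    ("VMware Identity Manager Connector", "Windows"): frozenset({"3.3.3", "3.3.2", "3.3.1"}),
}


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    platform: str
    version: str
    configurator_reachable: bool      # assumed field: TCP 8443 reachable beyond the management network
    workaround_applied: bool = False  # assumed field: configurator disabled per VMware's workaround


def normalize_version(version: str) -> str:
    """Reduce a build string such as '3.3.2.0' or '20.10.0.0' to the advisory form.

    Trailing '.0' build components are dropped, but never below two components,
    so '20.01' keeps its zero-padded minor part and is not confused with '20.10'.
    """
    parts = version.strip().split(".")
    while len(parts) > 2 and parts[-1] == "0":
        parts.pop()
    return ".".join(parts)


def is_affected(host: Host) -> bool:
    """True when the exact (product, platform, version) triple is on the affected list."""
    versions = AFFECTED.get((host.product, host.platform), frozenset())
    return normalize_version(host.version) in versions


def risk(host: Host) -> str:
    """Rank a host: exploitation needs reach to port 8443 plus a valid admin
    password, and the workaround disables the configurator, so reachability
    and workaround state drive the rank."""
    if not is_affected(host):
        return "not-affected"
    if host.workaround_applied:
        return "mitigated"   # configurator disabled; re-enable only to make changes
    if host.configurator_reachable:
        return "high"        # affected, unmitigated, admin port reachable
    return "medium"          # affected and unmitigated, but 8443 not reachable


def triage(hosts: Iterable[Host]) -> Dict[str, str]:
    """Map each host name to its risk rank."""
    return {host.name: risk(host) for host in hosts}


# Constructed sample inventory (hostnames and states are made up).
SAMPLE_HOSTS = [
    Host("ws1-access-01", "VMware Workspace ONE Access", "Linux", "20.10.0.0", True),
    Host("ws1-access-02", "VMware Workspace ONE Access", "Linux", "20.10.0.0", True, workaround_applied=True),
    Host("vidm-01", "VMware Identity Manager", "Linux", "3.3.2", False),
    Host("vidm-conn-win-01", "VMware Identity Manager Connector", "Windows", "3.3.3", True),
    Host("vidm-conn-lnx-01", "VMware Identity Manager Connector", "Linux", "3.3.3", True),  # 3.3.3 not listed for Linux
    Host("ws1-access-legacy", "VMware Workspace ONE Access", "Linux", "20.1", True),          # "20.1" is not "20.10"
]

if __name__ == "__main__":
    for name, level in triage(SAMPLE_HOSTS).items():
        print(f"{name:20s} {level}")
```

The two deliberate edge cases are the connector on Linux at 3.3.3, which the advisory lists only for Windows, and a host reporting "20.1", which string comparison correctly keeps apart from the affected 20.10; a float-based check would flag the wrong hosts in both directions.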
Some sections of this report are sourced from:
threatpost.com