Corporate Products Affected Due to Unpatched VMware Flaw

VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system. Any malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.

The attack is tracked as the command injection vulnerability which impacts VMware Workspace One Access, Access Connector, Identity Manager, Identity Manager Connector, etc. The bug has a CVSS severity rating of 9.1 out of 10 and the severity of the attack is high.

CVE-ID: CVE-2020-4006

Command Injection:

These are a type of payload that the hacker injects which then gets executed as an operating system command. A hacker executes a temporary operating system command on the applications’ server resulting in the risk of the application and data being compromised. OS command injection vulnerabilities are often used as a stepping stool by hackers.

Most of the programming languages like Python, Ruby, Perl, Java, C, PHP enable users to call a system shell command. This makes them vulnerable to OS Command Injections. The injected temporary command execution depends on the privileges of the webserver, so command injection vulnerabilities aren’t that dangerous on their own. But a hacker can exploit privilege escalation and access more information. With that information, more vulnerabilities can be found and exploited.

VMware products affected:

  • VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
  • VMware Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)
  • VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
  • VMware Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
  • VMware Cloud Foundation (versions 4.x for Linux and Windows)
  • vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)

Remediation:

  • Validate the input contains only alphanumeric characters, no other syntax or whitespace.
  • All user-controllable input should be validated and filtered for potentially unwanted characters. Using an allow list for input is desired, but if use of a deny list approach is necessary, then focusing on command related terms and delimiters is necessary.
  • Input should be encoded prior to use in commands to make sure command related characters are not treated as part of the command. For example, quotation characters may need to be encoded so that the application does not treat the quotation as a delimiter.

Input should be parameterized, or restricted to data sections of a command, thus removing the chance that the input will be treated as part of the command itself.