VMware rolls out security updates to address zero-day bug

The bug could enable an attacker to take control of a vulnerable machine running VMware Workspace One Access and other software

VMware has rolled out security updates to address a zero-day vulnerability that impacts VMware Workspace One Access and other platforms for both Windows and Linux systems.

The bug, indexed as CVE-2020-4006, was publicly disclosed last month, and VMware warned that it could allow an attacker to take control of a vulnerable system. The company also published workaround instructions to help admins mitigate the flaw on affected systems.

VMware credited the US National Security Agency (NSA) for discovering the bug and reporting it to the company.

CVE-2020-4006 is a command injection bug that exists in the admin configurator of some VMware products and could enable attackers to escalate privileges and run malicious commands on the host Windows and Linux operating systems.

The bug affects VMware Workspace One Access; VMware Workspace One Access Connector; VMware Identity Manager (vIDM); VMware Identity Manager Connector (vIDM Connector); vRealize Suite Lifecycle Manager; and VMware Cloud Foundation.

VMware offers Workspace One as an all-in-one platform for application and identity management to enterprises. It runs on both Windows and Linux machines and provides a number of different modules and features to users.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," VMware says in its latest advisory.

"This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006."

VMware had originally given the bug a CVSSv3 severity score of 9.1 out of 10 and a severity rating of "critical". However, it was later found that an attacker looking to exploit the flaw would need a valid username and password for the configurator admin account. VMware, therefore, has now revised the bug's CVSSv3 score to 7.2 and also downgraded its severity rating to "important".

There are currently no reports of attackers exploiting the bug in the wild.

VMware is now urging admins to review the advisory and apply the necessary updates as soon as possible.

The US Cybersecurity and Infrastructure Security Agency (CISA) has also advised admins and users to apply the patches to prevent attackers from potentially taking over vulnerable systems.