Fix the VMware Workspace One Vulnerability, CVE-2020-4006

Learn how to use Remedy Cloud remediation intelligence to fix the VMware Workspace One vulnerability.

Rhett | February 16, 2021

We are in the business of helping infosec and IT teams get fix done through vulnerability remediation orchestration. We go beyond simple vulnerability scanning and prioritization to help IT security professionals quickly find the best remedies for the vulnerabilities that need to be addressed in their environments. This blog post uses remediation intelligence available for free from Remedy Cloud to show you how to fix the VMware Workspace One vulnerability.

Vulcan Remedy Cloud is the world’s largest database of remedies and fixes for thousands of cyber security vulnerabilities. It is open and easily searchable, and chances are that if the VMware Workspace One vulnerability, CVE-2020-4006, doesn’t apply to you, there are other curated remedies in Remedy Cloud that will save you time. When it comes to getting fix done, everybody knows time is of the essence.

What is the VMware Workspace One vulnerability?

CVE-2020-4006 is a command injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. The vulnerability was reported by the National Security Agency and published by VMware in the National Vulnerability Database (NVD) on November 23, 2020. If you run any of these VMware products, the clock on the time-to-exploit window is ticking.

Does CVE-2020-4006 affect me?

If you are using VMware Workspace One or any of the impacted VMware products noted above, including the VMware Cloud Foundation or vRealize Suite Lifecycle Manager suites, CVE-2020-4006 is a critical vulnerability that requires immediate attention.

The vulnerability’s NIST-calculated CVSS score is 9.1 because it has an easily accessible attack vector (network), low attack complexity, no required user interaction, and high potential impact on confidentiality, integrity, and availability. The one risk-mitigating factor is that a malicious actor would first have to obtain a valid password for the configurator admin account in order to exploit the vulnerability.

Has CVE-2020-4006 been actively exploited in the wild?

The National Security Agency reported that Russian-state threat actors are actively exploiting the vulnerability in order to steal protected data and abuse shared authentication systems. The products most targeted were VMware Workspace One Access and the Identity Manager products.

How do I remediate the VMware Workspace One vulnerability?

Remedy Cloud provides three curated remedies for CVE-2020-4006: two workarounds and a version update. Here are the specific remedies:

  1. Temporarily disable the configurator hosted on port 8443 on Linux-based appliances: Published on the same date as the vulnerability, this workaround needs to be carried out on each Linux-based appliance that uses VMware Workspace One Access, VMware Identity Manager, or VMware Identity Manager Connector.
  2. Same as the first workaround, but for Windows-based servers. It should be noted that both of these workarounds also provide revert instructions should it be necessary to reconnect the configurator.
  3. Deploy the VMware patch published on December 8, 2020, which first requires reverting workaround 1 or 2.
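
To confirm the state of the configurator port across a fleet before and after these steps, the following added example (not from Remedy Cloud or VMware) probes TCP port 8443 on each appliance and compares the result with the expected state. The hostnames are constructed placeholders, and a closed port seen from one network location only shows reachability from that location, not that the workaround steps were completed on the appliance.

```python
import socket

CONFIGURATOR_PORT = 8443  # configurator port named in workarounds 1 and 2


def probe_configurator(host, port=CONFIGURATOR_PORT, timeout=3.0):
    """Classify the configurator port as seen from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"   # hostname lookup failed, nothing was tested
    except ConnectionRefusedError:
        return "closed"       # host answered, nothing is listening
    except OSError:
        return "filtered"     # timeout or unreachable (e.g. firewall drop)


def audit(appliances, workaround_expected=True, probe=probe_configurator):
    """Return (host, state, verdict) for each appliance.

    workaround_expected=True  -> port should not be reachable (steps 1/2).
    workaround_expected=False -> workaround reverted ahead of the patch
                                 (step 3), so the port should be open.
    """
    findings = []
    for host in appliances:
        state = probe(host)
        if state == "unresolved":
            verdict = "REVIEW"  # never count a lookup failure as mitigated
        elif workaround_expected:
            verdict = "OK" if state in ("closed", "filtered") else "REVIEW"
        else:
            verdict = "OK" if state == "open" else "REVIEW"
        findings.append((host, state, verdict))
    return findings


if __name__ == "__main__":
    # Constructed inventory; replace with your own appliance hostnames.
    inventory = [
        "wsone-access-01.example.internal",
        "vidm-connector-01.example.internal",
    ]
    for host, state, verdict in audit(inventory):
        print(f"{host}: port {CONFIGURATOR_PORT} {state} -> {verdict}")
```

Run it from the network segment that administrators normally use to reach the configurator, and re-run with `workaround_expected=False` after reverting the workaround for patching.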

Make sure to bookmark Remedy Cloud as your vulnerability fix cheat sheet. If you’d like to see the rest of the Vulcan Cyber vulnerability remediation orchestration platform in action please request a demo or get a free trial of the full platform.
