How to fix the VMware Workspace One vulnerability
We are in the business of helping infosec and IT teams get fix done through vulnerability remediation orchestration. We go beyond simple vulnerability scanning and prioritization to help IT security professionals quickly find the best remedies for the vulnerabilities that need to be addressed in their environments. This blog post takes remediation intelligence available for free from Remedy Cloud to help you learn how to fix the VMware Workspace One vulnerability.
Vulcan Remedy Cloud is the world’s largest database of remedies and fixes for thousands of cyber security vulnerabilities. It is open and easily searchable, and chances are that if the VMware Workspace One vulnerability, CVE-2020-4006, doesn’t apply to you, there are other curated remedies in Remedy Cloud that will save you time. When it comes to getting fix done, everybody knows time is of the essence.
What is the VMware Workspace One vulnerability?
CVE-2020-4006 is a command injection vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. The vulnerability was reported by the National Security Agency and published by VMware in the National Vulnerability Database (NVD) on November 23, 2020. If you run any of these VMware products, the clock on the time-to-exploit window is ticking.
Does CVE-2020-4006 affect me?
If you are using VMware Workspace One or any of the impacted VMware products noted above, including the VMware Cloud Foundation or vRealize Suite Lifecycle Manager suites, CVE-2020-4006 is a critical vulnerability that requires immediate attention.
The vulnerability’s NIST-calculated CVSS score is 9.1 because it has an easily-accessible attack vector (network), low attack complexity, no required user interaction, and high potential impact on confidentiality, integrity, and availability. The one risk-mitigating factor is that a malicious actor would have to implement a method for acquiring a valid password for the configurator admin account in order to exploit the vulnerability.
Has CVE-2020-4006 been actively exploited in the wild?
The National Security Agency reported that Russian-state threat actors are actively exploiting the vulnerability in order to steal protected data and abuse shared authentication systems. The products most targeted were VMware Workspace One Access and the Identity Manager products.
How do I remediate the VMware Workspace One vulnerability?
Remedy Cloud provides three curated remedies for CVE-2020-4006, two of which are workarounds and the third a version update. Here are the specific remedies:
- Temporarily disable the configurator hosted on port 8443 on Linux-based appliances: Published on the same date as the vulnerability, this workaround needs to be carried out on each Linux-based appliance that uses VMware Workspace One Access, VMware Identity Manager, or VMware Identity Manager Connector.
- Same as the first workaround, but for Windows-based servers. It should be noted that both of these workarounds also provide revert instructions should it be necessary to reconnect the configurator.
- Deploy the VMware patch published on December 8, 2020, which first requires reverting workaround 1 or 2.
Make sure to bookmark Remedy Cloud as your vulnerability fix cheat sheet. If you’d like to see the rest of the Vulcan Cyber vulnerability remediation orchestration platform in action please request a demo or get a free trial of the full platform.