Russian state-sponsored hackers exploit vulnerability in VMware Workspace ONE

The exploit requires the attacker to have valid credentials, but experts advise patching regardless.

The US National Security Agency (NSA) is warning organizations to patch or take mitigation steps to close a vulnerability in several VMware products that Russian state-sponsored hackers are exploiting to hijack authentication tokens and access sensitive data on other systems.

The vulnerability, tracked as CVE-2020-4006, is a command injection flaw in the web-based administrative configurator of VMware Workspace ONE Access, Workspace ONE Access Connector, VMware Identity Manager (vIDM), VMware Identity Manager Connector, VMware Cloud Foundation and vRealize Suite Lifecycle Manager. An attacker who can reach the interface and authenticate to it can use the flaw to execute arbitrary commands on the underlying operating system.

"The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data," the NSA said in its advisory Monday.

VMware vulnerability mitigation

The NSA reported the vulnerability to VMware, which released patches for the affected products last week. The company also published temporary workarounds that can be applied manually to both Linux- and Windows-based deployments; because the workarounds modify the same components the patches update, they must be reverted before the patches are applied.

The NSA also recommends restricting access to TCP port 8443, which serves the administrative configurator interface, to a small set of trusted management systems. The interface should never be exposed directly to the internet.

Detecting exploitation attempts by inspecting network traffic is hard because the vulnerable interface is reached over TLS-encrypted connections, so the attackers' requests may be invisible to traffic inspection systems. However, artifacts left in the server's logs can indicate that the system was exploited.

"The presence of an 'exit' statement followed by any three-digit number, such as 'exit 123', within the configurator.log would suggest that exploitation activity may have occurred on the system," the NSA advisory said. "This log can be found at /opt/vmware/horizon/workspace/logs/configurator.log on the server."
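The NSA's indicator above is simple enough to check with a script. The following is an added example, not code from the NSA advisory or from VMware: it scans configurator.log for an "exit" statement followed by exactly three digits and reports the matching lines. The sample log lines embedded in it are constructed for illustration and do not come from a real server; the log format of a real configurator.log may differ, but the check only depends on the "exit NNN" substring.

```python
import os
import re
from typing import Iterable, List, Tuple

# Default location of the log named in the NSA advisory.
CONFIGURATOR_LOG = "/opt/vmware/horizon/workspace/logs/configurator.log"

# The indicator: the word "exit" followed by whitespace and a three-digit number.
# Word boundaries reject "exited 123", "exit 12" and "exit 1234"; the match is
# case-sensitive, mirroring the advisory's wording.
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})\b")


def find_exit_indicators(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, exit_code, line) for every line matching the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = EXIT_PATTERN.search(line)
        if match:
            hits.append((number, match.group(1), line.rstrip("\n")))
    return hits


def scan_log_file(path: str = CONFIGURATOR_LOG) -> List[Tuple[int, str, str]]:
    """Scan a configurator.log on disk; lines are streamed so large logs are fine."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_exit_indicators(handle)


# Constructed sample lines (not real log data) covering a hit, a near miss with a
# one-digit code, a near miss with four digits, and a hit followed by punctuation.
SAMPLE_LOG_LINES = [
    "2020-12-03 10:14:02,117 INFO  [ConfiguratorController] configuration page loaded",
    "2020-12-03 10:14:09,453 INFO  [ConfiguratorController] saving settings",
    "2020-12-03 10:15:31,820 ERROR [CommandRunner] command failed: exit 127",
    "2020-12-03 10:15:32,004 INFO  [CommandRunner] process finished: exit 0",
    "2020-12-03 10:16:45,311 INFO  [CommandRunner] process finished: exit 1234",
    "2020-12-03 10:17:02,900 ERROR [CommandRunner] command failed: exit 123;",
]


def main() -> None:
    # Prefer the real log when the script runs on an appliance; fall back to the sample.
    if os.path.exists(CONFIGURATOR_LOG):
        hits = scan_log_file(CONFIGURATOR_LOG)
        source = CONFIGURATOR_LOG
    else:
        hits = find_exit_indicators(SAMPLE_LOG_LINES)
        source = "constructed sample lines"
    print(f"scanned {source}: {len(hits)} indicator line(s)")
    for number, code, line in hits:
        print(f"  line {number} (exit {code}): {line}")


if __name__ == "__main__":
    main()
```

A match is an indicator, not proof: the advisory says exploitation "may have occurred", so a hit should trigger a wider review of the host (web shell artifacts, unexpected processes, outbound connections) rather than a conclusion on its own. The same check as a one-liner on the appliance is `grep -nE '\bexit [0-9]{3}\b' /opt/vmware/horizon/workspace/logs/configurator.log`.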

Impact and risk

Based on the NSA's description, the attackers used this vulnerability to pivot to other systems and data. However, to reach the vulnerable administrative interface they needed valid credentials, which means those credentials had been obtained in advance by some other method. The underground marketplace is full of stolen credentials, and this incident is an example of how attackers can put such credentials to use.

"The details and context of this bug definitely read like a solution to a particular problem the Russian state-actors had in a specific instance," Dan Petro, lead researcher at offensive security firm Bishop Fox, tells CSO. "They already had the password (perhaps through social engineering) to the panel and wanted to go further. This doesn't read like an instance of a bug that is being widely exploited out on the open internet."

The vulnerability is rated as Important with a CVSS score of 7.2 out of 10, and Petro agrees with that assessment. "Requiring authentication to an administrative panel with a high privilege account is not a small barrier," he says. "No default passwords even exist on the panel. Put another way, think of the counterfactual opposite: Imagine if the bug could inject commands without needing the admin password. Would this lower the risk? No. If I had found this exact vulnerability on a penetration test, I might have rated it as medium severity. Though admittedly it's sort of on the higher end of medium."

Petro says organizations should still patch this vulnerability, even though other vulnerabilities carry a higher risk on purely technical merit. He also expects that, since it was used in a targeted attack by nation-state hackers, the intended victims have probably already been contacted by the NSA and have taken incident response action.

Much of the attention in the media, and even in the security industry, goes to critical vulnerabilities in widely used software such as operating systems, web servers and web frameworks. This incident shows that well-resourced attackers will find and exploit vulnerabilities in any product if it suits their goals, even when those flaws come with limitations and hurdles. According to Petro, however, defenders should not be discouraged.

"When it comes to remote state-actors, it's easy to get the false impression that they are omnipotent superhackers because there's a pretty clear sampling bias: We only see their results when they succeed and not when they fail," he says. "How many times did this team try other avenues of attack that failed before this one? How many other organizations did they try to breach and fail before moving on to this one? Plus, the NSA knew about the attack, so just how successful was it in the end, really? Your security efforts really do matter. Don't fall into the trap of thinking that they don't because of some splashy headlines."

Copyright © 2020 IDG Communications, Inc.