9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.478 Medium
EPSS
Percentile
97.1%
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.
Following speculation that CVE-2020-4006 might be related to the SolarWinds supply chain hack that led to the compromise of U.S. government agencies and global organizations, VMware said on December 22, 2020 that they have no indication they have any involvement on the nation-state attack on SolarWinds.
Recent assessments:
ccondon-r7 at December 10, 2020 7:54pm UTC reported:
Iāve seen some news headlines with very scary-sounding words (āransacking networks!ā) on this, which is dismaying. Itās completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that itās going to be a good candidate for mass exploitation (note that Iām not telling anyone not to patch, just that headlines arenāt always reality!).
Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. Iāve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements donāt lend themselves to easy exploitation. Itās a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!
The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We havenāt seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin
shouldnāt be possible.
wvu-r7 at May 10, 2021 10:28pm UTC reported:
Iāve seen some news headlines with very scary-sounding words (āransacking networks!ā) on this, which is dismaying. Itās completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that itās going to be a good candidate for mass exploitation (note that Iām not telling anyone not to patch, just that headlines arenāt always reality!).
Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. Iāve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements donāt lend themselves to easy exploitation. Itās a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!
The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We havenāt seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin
shouldnāt be possible.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 2
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.478 Medium
EPSS
Percentile
97.1%