Lucene search

K
thnThe Hacker NewsTHN:2E67A9601D631B7905DA9FA7D2923108
HistoryDec 08, 2020 - 5:44 a.m.

NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks

2020-12-0805:44:00
The Hacker News
thehackernews.com
101

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

The US National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.

Specifics regarding the identities of the threat actor exploiting the VMware flaw or when these attacks started were not disclosed.

The development comes two weeks after the virtualization software company publicly disclosed the flaw—affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products for Windows and Linux—without releasing a patch and three days after releasing a software update to fix it.

In late November, VMware pushed temporary workarounds to address the issue, stating permanent patches for the flaw were “forthcoming.” But it wasn’t until December 3rd the escalation-of-privileges bug was entirely resolved.

That same day, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a brief bulletin encouraging administrators to review and apply and patch as soon as possible.

Tracked as CVE-2020-4006, the command injection vulnerability was originally given a CVSS score of 9.1 out of a maximum of 10 but was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.

“This account is internal to the impacted products and a password is set at the time of deployment,” VMware said in its advisory. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”

Although VMware didn’t explicitly mention the bug was under active exploitation in the wild, according to the NSA, adversaries are now leveraging the flaw to launch attacks to pilfer protected data and abuse shared authentication systems.

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the agency said.

SAML or Security Assertion Markup Language is an open standard and an XML-based markup for exchanging authentication and authorization data between identity providers and service providers to facilitate single sign-on (SSO).

Besides urging organizations to update affected systems to the latest version, the agency also recommended securing the management interface with a strong, unique password.

Furthermore, the NSA advised enterprises to regularly monitor authentication logs for anomalous authentications as well as scan their server logs for the presence of “exit statements” that can suggest possible exploitation activity.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

Related for THN:2E67A9601D631B7905DA9FA7D2923108