The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products including its Workspace One, Identity Manager and vRealize Suite Lifecycle Manager.
The critical unpatched bug is a command injection vulnerability.
In a separate VMware advisory, the company did not indicate whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity rating of 9.1 out of 10. The company said patches are "forthcoming" and that workarounds "for a temporary solution to prevent exploitation of CVE-2020-4006" are available.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," VMware wrote.
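The advisory makes both preconditions explicit: network reach to the configurator on port 8443 and a valid admin password. Until patches ship, the practical control a defender owns is the first one, so it is worth knowing which sources actually reach that port. The script below is an added example, not code from VMware, CISA or the article: it runs detection logic over a few constructed firewall-log lines (the log format, the management subnet 10.10.0.0/24 and the host addresses are all assumptions) and flags accepted TCP connections to port 8443 that did not originate from an expected management network.

```python
import ipaddress
import re
from dataclasses import dataclass

# Port of the administrative configurator named in the VMware advisory.
CONFIGURATOR_PORT = 8443

# Assumption: the subnets from which administrators are expected to reach
# the configurator. Replace with your own management ranges.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed log format for this example (not any vendor's real format):
# "<timestamp> ACCEPT|DROP src=<ip>:<port> dst=<ip>:<port> proto=<proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_configurator_access(lines, management_nets=MANAGEMENT_NETS,
                                        port=CONFIGURATOR_PORT):
    """Flag accepted TCP connections to the configurator port whose source
    address lies outside every management network."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production pipeline should count these
        if rec["action"] != "ACCEPT" or rec["proto"] != "tcp":
            continue
        if int(rec["dport"]) != port:
            continue
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in management_nets):
            findings.append(Finding(
                rec["ts"], rec["src"], rec["dst"],
                "configurator port reached from outside the management networks",
            ))
    return findings


# Constructed sample log lines: one admin-network access, two accesses from
# other networks, one dropped attempt, one connection to a different port,
# and one line that does not parse at all.
SAMPLE_LOG = [
    "2020-11-24T10:00:01Z ACCEPT src=10.10.0.5:51234 dst=10.20.0.10:8443 proto=tcp",
    "2020-11-24T10:00:07Z ACCEPT src=192.168.50.9:44120 dst=10.20.0.10:8443 proto=tcp",
    "2020-11-24T10:00:09Z DROP src=203.0.113.7:40001 dst=10.20.0.10:8443 proto=tcp",
    "2020-11-24T10:00:12Z ACCEPT src=192.168.50.9:44121 dst=10.20.0.10:443 proto=tcp",
    "this line is not a firewall record",
    "2020-11-24T10:01:00Z ACCEPT src=172.16.3.3:50000 dst=10.20.0.11:8443 proto=tcp",
]

if __name__ == "__main__":
    for f in find_unexpected_configurator_access(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{CONFIGURATOR_PORT}  {f.reason}")
```

Each finding is a source that could satisfy the advisory's first precondition; the useful follow-up is to confirm whether that source should be able to reach the configurator at all and, if not, to close the path at the firewall while the workaround is in place. Dropped attempts are deliberately left out here so the list stays focused on connections that actually completed.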
The products impacted by the vulnerability are:
A total of 12 product versions are impacted.
Workarounds outlined by VMware are "meant to be a temporary solution only, and customers are advised to follow VMSA-2020-0027 to be alerted when patches are available," wrote the company.
Versions impacted include:
The tradeoff of the workaround is that, in each affected VMware service, configurator-managed setting changes are not possible while it is in place.
"If changes are required please revert the workaround following the instructions ... make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed," VMware explained.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4006
kb.vmware.com/s/article/81731
us-cert.cisa.gov/ncas/current-activity/2020/11/23/vmware-releases-workarounds-cve-2020-4006
www.vmware.com/security/advisories/VMSA-2020-0027.html