The United States National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging a recently disclosed VMware vulnerability to impersonate corporate systems and access protected data.
Details about the identity of the threat actor exploiting the VMware flaw, or when these attacks began, were not revealed.
The development comes two weeks after the virtualization software company publicly disclosed the flaw – affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager for Windows and Linux – without releasing a patch, and three days after it released a software update to fix it.
At the end of November, VMware pushed temporary workarounds to address the issue, noting that permanent patches for the shortcoming were “forthcoming.” But it wasn’t until December 3rd that the privilege escalation bug was fully resolved.
That same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a short bulletin urging administrators to review and apply the patch as quickly as possible.
Tracked as CVE-2020-4006, the command injection vulnerability was originally given a CVSS score of 9.1 out of a maximum of 10, but was revised last week to 7.2 to reflect the fact that a malicious actor must possess valid credentials for the configurator admin account in order to attempt exploitation.
“This account is internal to the affected products and a password is set at the time of deployment,” VMware said in its advisory. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”
While VMware did not explicitly state that the bug was under active exploitation in the wild, according to the NSA, adversaries are now leveraging the flaw to launch attacks that steal protected data and abuse shared authentication systems.
“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the agency said.
SAML, or Security Assertion Markup Language, is an open, XML-based standard for exchanging authentication and authorization data between identity providers and service providers to facilitate single sign-on (SSO).
Apart from urging organizations to update affected systems to the latest version, the agency also recommended securing the management interface with a strong, unique password.
Furthermore, the NSA advised enterprises to regularly monitor authentication logs for anomalous authentications, as well as to scan their server logs for the presence of “exit statements” that may indicate possible exploitation activity.
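The attack chain described above ends with forged SAML assertions being accepted by a downstream federation service, so one concrete form of the "monitor authentication logs for anomalous authentications" advice is to correlate assertions consumed by the service provider against sign-in events on the identity provider. The following is an added illustration, not code from the NSA advisory or from VMware; the log format and the field names are constructed for the example, and the five-minute correlation window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from any real product). Format is an assumption:
# "<timestamp> user=<name> event=<event> ...". IDP_LOG holds sign-ins on the
# identity provider; SP_LOG holds SAML assertions accepted by the service provider.
IDP_LOG = """\
2020-12-01T10:00:00Z user=alice event=LOGIN_SUCCESS src=10.0.0.5
2020-12-01T10:30:00Z user=carol event=LOGIN_SUCCESS src=10.0.0.9
"""
SP_LOG = """\
2020-12-01T10:00:04Z user=alice event=SAML_ASSERTION_ACCEPTED issuer=https://idm.example.corp
2020-12-01T10:15:00Z user=bob event=SAML_ASSERTION_ACCEPTED issuer=https://idm.example.corp
2020-12-01T12:30:00Z user=carol event=SAML_ASSERTION_ACCEPTED issuer=https://idm.example.corp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")


def parse(log):
    """Yield (timestamp, user, event) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["event"]


def find_orphan_assertions(idp_log, sp_log, window=timedelta(minutes=5)):
    """Return (user, timestamp) for every accepted assertion with no preceding
    identity-provider sign-in for that user inside `window`. A forged assertion
    minted directly on a compromised identity manager shows up here because the
    normal interactive sign-in that should precede it never happened."""
    logins = {}
    for ts, user, event in parse(idp_log):
        if event == "LOGIN_SUCCESS":
            logins.setdefault(user, []).append(ts)
    orphans = []
    for ts, user, event in parse(sp_log):
        if event != "SAML_ASSERTION_ACCEPTED":
            continue
        # Accept only a sign-in that happened at or before the assertion, within the window.
        if not any(timedelta(0) <= ts - t <= window for t in logins.get(user, [])):
            orphans.append((user, ts.isoformat()))
    return orphans


if __name__ == "__main__":
    for user, ts in find_orphan_assertions(IDP_LOG, SP_LOG):
        print(f"anomalous assertion: user={user} at {ts}")
```

On the constructed input, alice's assertion is backed by a sign-in four seconds earlier, bob has no sign-in at all, and carol's sign-in is two hours too old, so bob and carol are reported for investigation.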