Kremlin hackers are right now exploiting security hole in VMware software to hijack systems, NSA warns
So, you know, patch it
The NSA reckons Russian government hackers are actively abusing a critical security hole in VMware's software to infiltrate victims' networks. Sysadmins are urged to deploy the necessary patch as soon as possible.
“Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication,” a cybersecurity notice [PDF] published on Monday warns.
The American spy agency's notice then urges “network administrators to prioritize mitigation of the vulnerability on affected servers,” noting that the best solution in this case will be to set a new, strong, and unique password for access to the web-based management interface, as “password-based access... is required to exploit the vulnerability.” It also recommends, where possible, not connecting the interface to the internet.
Specifically, the Kremlin's crews are apparently targeting CVE-2020-4006, aka VMSA-2020-0027, which VMware described as a "Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address command injection vulnerability."
Essentially, if a miscreant knows a certain admin account password – such as by spear-phishing an IT staffer to get it – or guesses it through brute force, and they can reach a vulnerable deployment over the internet or an internal network, they can run commands on the host system, hijack it, lift data from it, use it to access other computers, and so on.
Here's VMware's description of the hole:
A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006.
The NSA warns that sysadmins may not be able to detect exploitation of the flaw by watching network traffic because “the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface.” Server logs will likely pick something up, however.
“The presence of an ‘exit’ statement followed by any 3-digit number, such as “exit 123”, within the configurator.log would suggest that exploitation activity may have occurred on the system,” the advisory notes.
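Because the exploitation traffic is hidden inside TLS, the host-side log is where a defender actually looks. The script below is an added example, not code from The Register, VMware, or the NSA: it scans configurator.log lines for the advisory's indicator (the word "exit" followed by exactly a three-digit number) and reports the matching lines. The sample log lines are constructed for illustration, and their format is a hypothetical one, not VMware's real log layout.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator from the NSA advisory's detection guidance: the word "exit"
# followed by any three-digit number (e.g. "exit 123") in configurator.log.
# \b on both sides keeps "exiting" and four-digit numbers from matching.
EXIT_PATTERN = re.compile(r"\bexit\s+(\d{3})\b")


@dataclass
class Finding:
    line_no: int   # 1-based line number in the log
    line: str      # the full log line, newline stripped
    code: str      # the three-digit number that followed "exit"


def scan_configurator_log(lines: Iterable[str]) -> List[Finding]:
    """Return every line matching the advisory's exploitation indicator."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = EXIT_PATTERN.search(line)
        if m:
            findings.append(Finding(n, line.rstrip("\n"), m.group(1)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper: scan a configurator.log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_configurator_log(fh)


# Constructed sample lines (hypothetical format, not real VMware output).
# Only line 3 should be flagged: line 4 is "exiting", line 5 has one digit.
SAMPLE_LOG = """\
2020-12-07 10:01:12 INFO  configurator  admin login from 10.0.0.5
2020-12-07 10:01:40 INFO  configurator  saved settings
2020-12-07 10:02:03 INFO  configurator  exit 123
2020-12-07 10:02:05 INFO  configurator  exiting session 12345
2020-12-07 10:03:11 INFO  configurator  exit 7
"""


def findings_from_sample() -> List[Finding]:
    """Run the scanner over the constructed sample log."""
    return scan_configurator_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in findings_from_sample():
        print(f"line {f.line_no}: 'exit {f.code}' -> possible exploitation: {f.line}")
```

A hit is a lead, not a verdict: the advisory only says such a line "would suggest" exploitation, so correlate any match with configurator admin logins around the same timestamp before escalating.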
The fix is out there
Word of the hole emerged at the end of November when VMware issued a workaround ahead of releasing a patch last week. It was "privately reported" to Virtzilla, and is rated "important" in terms of severity after previously being labeled critical. Time to get fixing by updating your installations. ®