NSA: Russian Hackers Exploiting VMware VulnerabilityWarning Urges Federal Agencies to Patch Vulnerable Systems Immediately
The U.S. National Security Agency on Monday issued a warning that Russian state-sponsored threat actors are attempting to exploit a known vulnerability in several VMware products, and federal agencies should apply fixes as soon as possible.
Several VMware Access and VMware Identity Manager products are covered by the alert, and the NSA is warning that a successful attacker can execute commands with unrestricted privileges on the underlying operating system. The NSA is encouraging the National Security System, the U.S. Department of Defense and Defense Industrial Base network administrators to prioritize mitigation of the vulnerability on affected servers.
"Russian state-sponsored malicious cyber actors are exploiting a vulnerability in VMware Access and VMware Identity Manager products, allowing the actors access to protected data and abusing federated authentication," the NSA says.
The NSA did not explain how it attributed this activity to Russian state-sponsored actors, nor which federal agencies may have been targeted so far.
The issue centers on a command injection vulnerability, tracked as CVE-2020-4006, for which VMware issued a patch on Thursday. The affected company products include:
- VMware Access 3 20.01 and 20.10 on Linux4
- VMware vIDM 5 3.3.1, 3.3.2, and 3.3.3 on Linux
- VMware vIDM Connector 3.3.1, 3.3.2, 3.3.3, 19.03
- VMware Cloud Foundation 6 4.x
- VMware vRealize Suite Lifecycle Manager 7 8.x
VMware strongly encourages all customers to please visit VMSA-2020-0027 as the centralized source of information for this issue, the company tells Information Security Media Group.
Exploiting this vulnerability is not simple, the NSA notes, as it requires authenticated password-based access to the management interface of the device, which is encrypted with TLS. Also adding to the difficulty level for any hacker is the requirement to set the password at the time the software is deployed, eliminating the need for a default password that could be found and exploited by an attacker.
That software's interface typically runs over port 8443, but it could run over any user-defined port, the alert says.
The vulnerability is exploited via a command injection that leads to the installation of a web shell and follows in malicious activity taking place, in which credentials in the form of Security Assertion Markup Language authentication assertions are generated and sent to Microsoft's Active Directory Federation Services, which in turn grants the actors access to protected data, the alert says.
"It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources," the alert says.
Mike Hamilton, former vice chairman of the DHS State, Local, Tribal, and Territorial Government Coordinating Council and current CISO at CI Security, says that, with a patch deployed, it's now a competition between systems being updated and threat actors attempting to steal credentials.
"Federal IT personnel are certainly on top of the patching, as these advisories are routed directly to them and it’s made clear that they are a significant intended audience. If multifactor authentication is not being used - and there seems to be some variability there - this is an urgent race as we can reliably assume users are going to continue to be fooled," he tells Information Security Media Group.
Detecting an Intrusion
If an attacker can meet the above criteria and gain access, the NSA alert notes that it's difficult to detect the intrusion.
"Network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface," the alert says.
Where an intrusion can be spotted is in the server logs. The NSA says the presence of an "exit" statement followed by any three-digit number within the configurator.log would suggest that exploitation activity may have occurred on the system. This log can be found at /opt/vmware/horizon/workspace/logs/configurator.log on the server.