High
CVE-2020-4006
CVE-2020-4006
Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.
Following speculation that CVE-2020-4006 might be related to the SolarWinds supply chain hack that led to the compromise of U.S. government agencies and global organizations, VMware said on December 22, 2020 that they have no indication they have any involvement on the nation-state attack on SolarWinds.
Add Assessment
Technical Analysis
I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).
Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!
The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.
Technical Analysis
Please read @ccondon-r7’s excellent assessment of CVE-2020-4006. The following is a technical analysis of the vulnerability.
I decided to revisit CVE-2020-4006 after it (and other vulnerabilities) received renewed attention for use in a nation state actor’s TTPs. I also managed to obtain the software this time. I did not manage to obtain the patch, so the following analysis is a “best effort” attempt to deduce the vulnerability.
CVE-2020-4006 is a post-auth command injection in VMware Workspace ONE Access and multiple related products. The vulnerability lies in the /cfg/ssl/installSelfSignedCertificate endpoint within the “Appliance Configurator” service on TLS port 8443. By specifying a malicious san parameter in a POST request to the endpoint, arbitrary shell commands may be executed.
@RequestMapping(method = {RequestMethod.POST}, value = {"/installSelfSignedCertificate"}) @ResponseBody public AjaxResponse installSelfSignedCertificate(MultipartHttpServletRequest request) { try { log.debug("Generating and installing self-signed sslCertificate"); this.workspacePreAuthFilter.storePasswordInSession((HttpServletRequest)request); this.applianceSslCertificateService.generateAndInstallSelfSignedCertificate(request); } catch (AdminPortalException e) { return new AjaxResponse(Messages.getMessage(e.getErrorId(), e.getArgs()), Integer.valueOf(2), false); } return new AjaxResponse(Messages.getMessage("configurator.configure.ssl.installingCertificate"), Integer.valueOf(0), true); }
public void generateAndInstallSelfSignedCertificate(MultipartHttpServletRequest request) throws AdminPortalException { String generateSelfSignedCertCmd[], installSelfSignedCertificateCmd[], sanValue = request.getParameter("san"); String vmName = this.configHelper.getApplianceFqdn(); if (StringUtils.isAllEmpty(new CharSequence[] { sanValue })) { sanValue = vmName; } else if (!sanValue.contains(vmName)) { sanValue = sanValue + "," + vmName; } if (Const.isWindowsDeployment) { generateSelfSignedCertCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -san " + "\"" + sanValue + "\"" + " -force" + "\"" }; } else { generateSelfSignedCertCmd = new String[] { "/bin/sh", "-c", SELF_SIGNED_CERTIFICATE_CMD + " --makesslcert " + vmName + " " + vmName + " " + sanValue }; } log.info("Executing command {}", Arrays.toString((Object[])generateSelfSignedCertCmd)); try { CommandUtils.executeCommand(generateSelfSignedCertCmd); log.info("Command {} succeeded", Arrays.toString((Object[])generateSelfSignedCertCmd)); } catch (IOException e) { log.error("Command {} failed: {}", Arrays.toString((Object[])generateSelfSignedCertCmd), e.getMessage()); throw new AdminPortalException(null, "configurator.configure.ssl.errorGeneratingSelfSignedCertificate", null); } if (Const.isWindowsDeployment) { installSelfSignedCertificateCmd = new String[] { "cmd", "/c", "\"\"" + SELF_SIGNED_CERTIFICATE_CMD + "\"" + " -host " + vmName + " -install" + "\"" }; } else { installSelfSignedCertificateCmd = new String[] { "/bin/sh", "-c", String.format("nohup %s > /usr/local/horizon/log/installSelfSignedCert.log &", new Object[] { SELF_SIGNED_CERTIFICATE_CMD }) }; } log.info("Executing command {}", Arrays.toString((Object[])installSelfSignedCertificateCmd)); try { CommandUtils.executeCommand(installSelfSignedCertificateCmd); log.info("Command {} succeeded", Arrays.toString((Object[])installSelfSignedCertificateCmd)); } catch (IOException e) { log.error("Command {} failed: {}", Arrays.toString((Object[])installSelfSignedCertificateCmd), e.getMessage()); throw new AdminPortalException(null, "configurator.configure.ssl.errorInstallingCertificate", null); } if (Const.isWindowsDeployment && !this.tomcatUtils.restartApplianceService((HttpServletRequest)request)) { throw new AdminPortalException("configurator.configure.workspaceUrl.errorRestartingService", null); } }
Note that exploitation may restart the service. Activity is logged in the /opt/vmware/horizon/workspace/logs/configurator.log file.
CVSS V3 Severity and Metrics
General Information
Products
- VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager
Exploited in the Wild
References
