High
CVE-2020-4006
Add Reference
Description
URL
Type
CVE-2020-4006
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.
Following speculation that CVE-2020-4006 might be related to the SolarWinds supply chain hack that led to the compromise of U.S. government agencies and global organizations, VMware said on December 22, 2020 that they have no indication they have any involvement on the nation-state attack on SolarWinds.
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).
Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!
The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.
CVSS V3 Severity and Metrics
General Information
Products
- VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
What do we mean by "exploited in the wild"?
By selecting this, you are verifying to the AttackerKB community that either you, or a reputable source (example: a security vendor or researcher), has observed an active attempt by attackers, or IOCs related, to exploit this vulnerability outside of a research environment.
A vulnerability should also be considered "exploited in the wild" if there is a publicly available PoC or exploit (example: in an exploitation framework like Metasploit).
