Attacker Value
High
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
2

CVE-2020-4006

Disclosure Date: November 23, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

Following speculation that CVE-2020-4006 might be related to the SolarWinds supply chain hack that led to the compromise of U.S. government agencies and global organizations, VMware said on December 22, 2020 that they have no indication they have any involvement on the nation-state attack on SolarWinds.

Add Assessment

6
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

I’ve seen some news headlines with very scary-sounding words (“ransacking networks!”) on this, which is dismaying. It’s completely understandable that folks would be alarmed by a zero-day (now patched), but when we get into the details of this one a bit, I would tend to doubt that it’s going to be a good candidate for mass exploitation (note that I’m not telling anyone not to patch, just that headlines aren’t always reality!).

Even before getting into the weeds a little more, we can see from the CVSSv3 metrics that this requires high-privileged access and carries a 7.2 severity rating. I’ve watched researchers prove severity ratings wrong in the past, to be sure, but looking at the advisory, we can see that any attempt at exploitation would require an attacker to have access to the admin configurator on port 8443, plus admin credentials for the configurator account. If you have that level of access as an attacker, you can do all sorts of nefarious things with it, but those requirements don’t lend themselves to easy exploitation. It’s a good one to patch, but it also sounds like this is another case where strong password policies (especially for admin accounts!) would go a long way toward mitigating the risk of vulns both known and unknown. Ensuring that management interfaces are not exposed to the internet is another good move!

The NSA reported this vulnerability to VMware directly as a zero-day, which likely means they were seeing a specific threat actor deploy it in targeted intelligence operations. We haven’t seen any other reports of exploitation yet. From reading the docs, it looks like admins are required to change the password upon configuration, so the tried and true combo of admin:admin shouldn’t be possible.

CVSS V3 Severity and Metrics
Base Score:
9.1 Critical
Impact Score:
6
Exploitability Score:
2.3
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Changed
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Products

  • VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager

Exploited in the Wild

Reported by:
Reported: December 07, 2020 11:03pm UTC (4 months ago)

Additional Info

Technical Analysis