Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Patches Workspace ONE Access Vulnerability Reported by NSA

VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).

VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).

Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.

Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity (its CVSS score dropped from 9.1 to 7.2), because VMware discovered that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.

Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it. VMware also published workaround instructions for the issue.

An adversary capable of exploiting the vulnerability could execute commands on a vulnerable system.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware explains in its advisory.

The company also underlines that the configurator admin account is internal to the affected products and that a password for it is set at deployment. The attacker needs that password for a successful attack.

The command injection flaw was found to affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation, and vRealize Suite Lifecycle Manager. Patches were released for impacted products on both Linux and Windows.

Advertisement. Scroll to continue reading.

Related: VMware Working on Patches for Critical Workspace ONE Access Vulnerability

Related: Patch for Critical VMware ESXi Vulnerability Incomplete

Related: Google Researcher Finds Vulnerability in VMware Virtualization Products

Related: VMware Cloud Director Vulnerability Has Major Impact for Cloud Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.