VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).
Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.
Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity (its CVSS score dropped from 9.1 to 7.2), because VMware discovered that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.
Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it. VMware also published workaround instructions for the issue.
An adversary capable of exploiting the vulnerability could execute commands on a vulnerable system.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware explains in its advisory.
The company also underlines that the configurator admin account is internal to the affected products and that a password for it is set at deployment. The attacker needs that password for a successful attack.
The command injection flaw was found to affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation, and vRealize Suite Lifecycle Manager. Patches were released for impacted products on both Linux and Windows.
Related: VMware Working on Patches for Critical Workspace ONE Access Vulnerability
Related: Patch for Critical VMware ESXi Vulnerability Incomplete
Related: Google Researcher Finds Vulnerability in VMware Virtualization Products
Related: VMware Cloud Director Vulnerability Has Major Impact for Cloud Providers