Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Patches Workspace ONE Access Vulnerability Reported by NSA

VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).

VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency (NSA).

Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.

Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity (its CVSS score dropped from 9.1 to 7.2), because VMware discovered that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.

Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it. VMware also published workaround instructions for the issue.

An adversary capable of exploiting the vulnerability could execute commands on a vulnerable system.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware explains in its advisory.

Advertisement. Scroll to continue reading.

The company also underlines that the configurator admin account is internal to the affected products and that a password for it is set at deployment. The attacker needs that password for a successful attack.

The command injection flaw was found to affect Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation, and vRealize Suite Lifecycle Manager. Patches were released for impacted products on both Linux and Windows.

Related: VMware Working on Patches for Critical Workspace ONE Access Vulnerability

Related: Patch for Critical VMware ESXi Vulnerability Incomplete

Related: Google Researcher Finds Vulnerability in VMware Virtualization Products

Related: VMware Cloud Director Vulnerability Has Major Impact for Cloud Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.