Skip to main content

VMWare Workspace One has "critical" security vulnerability

(Image credit: Ferran Rodenas / Flickr)
Audio player loading…

VMWare (opens in new tab) has released a temporary fix for a critical zero-day vulnerability affecting several of its products, including VMWare Workspace One. The bug allows threat actors to take control of Linux and Windows operating systems by escalating their privileges remotely.

The command injection vulnerability, tracked as CVE-2020-4006, has been found in the administrative configuration of some versions of VMWare Workspace One, as well as in VMWare’s Access Connector, Identity Manager, and Identity Manager Connector. The vulnerability has been given a 9.1 CVSSv3 severity rating out of 10.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the VMWare security advisory explains (opens in new tab).

 A short-term fix

Although VMWare is still working on a security update to patch the vulnerability, temporary workarounds have been made available that will remove the attack vector used to exploit CVE-2020-4006. The workarounds involve following a series of detailed steps (opens in new tab), but only work for some of the attack vectors – so some VMWare products will remain vulnerable. The workaround also causes some functionality limitations.

“Impacts are limited to functionality performed by this service,” the workaround reads. “Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround... make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed.”

Given the severity of the vulnerability and the limited impact of the workaround, it is advised that all users of affected VMWare products implement the workaround immediately. That will give VMWare more time to come up with a long-term solution.

Via Bleeping Computer (opens in new tab)

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.