VMware Security Announcement VMSA-2020-0027.

Today a new VMware security announcement was released, VMSA-2020-0027. This announcement affects VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector. this addresses a command injection vulnerability. (CVE-2020-4006). No patch has been released as of yet but there is a workaround to fix the issue. Details on the workaround are listed below.

Impacted Products
  • VMware Workspace One Access (Access)
  • VMware Workspace One Access Connector (Access Connector)
  • VMware Identity Manager (vIDM)
  • VMware Identity Manager Connector (vIDM Connector)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager
Introduction

A command injection vulnerability was privately reported to VMware. Workarounds are available to address this vulnerability in affected VMware products.

Command Injection Vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector administrative configurator (CVE-2020-4006)

Description

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a Command Injection Vulnerability in the administrative configurator. VMware has evaluated the this issue to be of Critical severity with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system.

Resolution

For Access 20.10 for Linux. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For Access 20.01 for Linux.HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

Access Connector 20.10, 20.01.0.0 and 20.01.0.1 for Windows are not affected.

Patch pending for vIDM 3.3.3 for Linux. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

Patch pending for vIDM 3.3.2 for Linux. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

Patch pending for vIDM 3.3.1 for Linux. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

vIDM Connector 19.02.0.0, 19.03.0.1 for Windows apply HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For vIDM Connector 3.3.3 for Windows. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For vIDM Connector 3.3.2 for both Windows and Linux HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For vIDM Connector 3.3.1 for both Windows and Linux HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For VMware Cloud Foundation (vIDM) 4.x HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

For vRealize Suite Lifecycle Manager (vIDM) 8.x. HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754) (vmware.com)

Be sure to check back, I will update all the patch information as it is released.

Workaround

A workaround is available for this vulnerability, here is the KB VMware Workspace One Access, VMware Identity Manager, VMware Identity Manager Connector Workaround Instructions for CVE-2020-4006 (81731)

To implement the workaround for CVE-2020-4006 perform the following steps below. Please note the product operating system.

1. Implement workaround for Linux based appliances

  1. Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.
  2. Switch to root by typing su and provide “root” credentials configured during installation or updated later.
  3. Run the following commands:

    cd /opt/vmware/horizon/workspace
    mkdir webapps.tmp
    mv webapps/cfg webapps.tmp
    mv conf/Catalina/localhost/cfg.xml webapps.tmp
    service horizon-workspace restart


    Repeat steps for all Linux based appliances affected by CVE-2020-4006.

2. Implement workaround for Windows based servers

  1. Log in as Administrator.
  2. Open a Command Prompt window and run the following commands:

    net stop "VMwareIDMConnector"
    cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
    mkdir webappstmp
    move webapps\cfg webappstmp
    move conf\Catalina\localhost\cfg.xml webappstmp
    net start "VMwareIDMConnector"


    Repeat steps for all Windows based servers affected by CVE-2020-4006.

To remove the workaround for CVE-2020-4006 perform the following steps:

1. Revert workaround for Linux based appliances

  1. Use SSH to connect to appliance using “sshuser” credentials configured during installation or updated later.
  2. Switch to root by typing su and provide “root” credentials configured during installation or updated later.
  3. Run the following commands:

    cd /opt/vmware/horizon/workspace
    mv webapps.tmp/cfg webapps
    mv webapps.tmp/cfg.xml conf/Catalina/localhost
    rmdir webapps.tmp
    service horizon-workspace restart


    Repeat steps for all Linux based appliances affected by CVE-2020-4006.

2. Revert workaround for Windows based servers

  1. Log in as Administrator.
  2. Open a Command Prompt window and run the following commands:

    net stop "VMwareIDMConnector"
    cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
    move webappstmp\cfg webapps
    move webappstmp\cfg.xml conf\Catalina\localhost
    rmdir webappstmp
    net start "VMwareIDMConnector"


    Repeat steps for all Windows based servers affected by CVE-2020-4006

References

Resolution:
https://kb.vmware.com/s/article/81754

Workarounds:
https://kb.vmware.com/s/article/81731

Here is the link to the official VMware Advisory

VMSA-2020-0027 (vmware.com)

Thanks for reading!