New VMware vulnerability exploited to steal data

Recently a new vulnerability in VMware products has been exploited in the wild: attackers use it to plant web shells on vulnerable servers and then steal sensitive data. The situation is made worse by the fact that exploitation is already under way, so any server that has not yet received the latest VMware patches for the affected products is exposed.

In its advisory, the NSA (the US Defense Department's signals intelligence agency) stated:

“NSA encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers,”

Exploitation of the VMware vulnerability

The vulnerability has been assigned CVE-2020-4006. The NSA has observed threat actors exploiting it by connecting to the web-based management interface (the administrative configurator) of devices running the vulnerable VMware products, wherever that interface was reachable from the attacker's network. Exploitation requires a valid password for the configurator admin account, so the interface should not be exposed to untrusted networks and that account needs a strong, unique password.

Once on the device, the attackers plant a web shell and use that foothold to obtain SAML credentials, which give them privileged access to other servers such as Microsoft Active Directory Federation Services (ADFS) and, through it, to the sensitive data they are after.

Successful exploitation allows the attackers to run arbitrary operating-system commands (Linux commands on the appliances) on the exploited device with unrestricted privileges, which is what makes the web shell and the follow-on activity possible.

One way to detect the attack is to look for 'exit' statements followed by a three-digit number, such as exit 123, in /opt/vmware/horizon/workspace/logs/configurator.log. Any such entry should be treated as a security alert indicating exploitation activity on the device.
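As an added example that is not part of the original post or of the NSA advisory, the shell script below implements that check: it greps configurator.log for 'exit' followed by exactly three digits and reports the matching lines with their line numbers. The sample log lines it writes are constructed for illustration and do not reproduce VMware's real log format; the log path is the one named above and can be overridden with LOG_PATH.

```shell
#!/bin/sh
# Added example (not from the article, NSA or VMware): scan a configurator.log for
# the "exit <three digits>" indicator described above. The sample log lines written
# by write_sample_log are constructed for illustration and do not reproduce
# VMware's real log format; LOG_PATH is the default location named in the article.

LOG_PATH="${LOG_PATH:-/opt/vmware/horizon/workspace/logs/configurator.log}"

# Write a constructed sample log to the file named in $1 (for stand-alone runs).
# Only the third line carries the indicator: "exit 7" has one digit and
# "exit 1234" has four, so neither should trigger an alert.
write_sample_log() {
    cat > "$1" <<'EOF'
2020-12-01 10:00:00,123 INFO  [configurator] Loading appliance settings
2020-12-01 10:00:01,456 INFO  [configurator] Settings saved by admin
2020-12-01 10:02:15,789 INFO  [configurator] Executing: /bin/sh -c "exit 123"
2020-12-01 10:02:16,001 INFO  [configurator] Executing: exit 7
2020-12-01 10:03:00,000 INFO  [configurator] Executing: exit 1234
EOF
}

# Print every line of $1 that contains "exit" followed by exactly three digits,
# prefixed with its line number. Exit status 0 if at least one line matched, 1 if none.
find_exit_indicators() {
    grep -E -n 'exit [0-9]{3}([^0-9]|$)' "$1"
}

# Print the number of matching lines in $1 (always a number, exit status 0).
count_exit_indicators() {
    find_exit_indicators "$1" | wc -l | tr -d ' '
}

# Stand-alone run: scan the real log if it is readable, otherwise the constructed sample.
if [ -z "${SKIP_DEMO:-}" ]; then
    if [ -r "$LOG_PATH" ]; then
        target="$LOG_PATH"
    else
        target=$(mktemp)
        write_sample_log "$target"
    fi
    if find_exit_indicators "$target"; then
        echo "ALERT: $(count_exit_indicators "$target") exit-code indicator(s) in $target"
    else
        echo "No exit-code indicators found in $target"
    fi
    [ "$target" = "$LOG_PATH" ] || rm -f "$target"
fi
```

The pattern requires a non-digit (or end of line) after the third digit, so a four-digit exit code such as exit 1234 does not match; run the script on the appliance itself, or point LOG_PATH at a copy of the log collected during triage.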

The affected products and versions are:

  • VMware Workspace One Access 20.01, 20.10 (Linux)
  • VMware Identity Manager (vIDM) 3.3.1 up to 3.3.3 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2 (Linux)
  • VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3 / 19.03.0.0, 19.03.0.1 (Windows)
  • VMware Cloud Foundation 4.x
  • VMware vRealize Suite Lifecycle Manager 8.x

Workaround for the vulnerability

For Linux-based servers, the workaround is as follows:

  1. Connect to the server over SSH and log in with the sshuser credentials.
  2. Switch to the root user with the command "su root".
  3. As root, run the following commands:
  • cd /opt/vmware/horizon/workspace
  • mkdir webapps.tmp
  • mv webapps/cfg webapps.tmp
  • mv conf/Catalina/localhost/cfg.xml webapps.tmp
  • service horizon-workspace restart

This moves the administrative configurator web application and its Tomcat context file out of the deployment tree, so the vulnerable interface is no longer served. While the workaround is in place the configurator cannot be used to change settings; once the patch has been applied, move the two items back from webapps.tmp to their original locations and restart the service again.

*Note: the same steps apply to every Linux-based product affected by CVE-2020-4006.
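The following POSIX shell script is an added example, not VMware's own KB script: it wraps the five commands above with pre-checks so the workaround is safe to re-run, reports whether it is in place, and can be reverted after patching. WORKSPACE_DIR and RESTART_CMD are assumptions set to the path and command from the procedure; both can be overridden, which also allows exercising the functions against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not VMware's KB script): apply, check or revert the Linux
# workaround for CVE-2020-4006 with pre-checks, so it is safe to re-run and can
# be undone once the patch is installed. WORKSPACE_DIR and RESTART_CMD default to
# the path and command from the procedure; both are overridable assumptions so
# the functions can be exercised against a scratch directory without root.

WORKSPACE_DIR="${WORKSPACE_DIR:-/opt/vmware/horizon/workspace}"
RESTART_CMD="${RESTART_CMD:-service horizon-workspace restart}"

# Return 0 if the configurator web app or its Tomcat context is still deployed under $1.
cfg_deployed() {
    [ -d "$1/webapps/cfg" ] || [ -f "$1/conf/Catalina/localhost/cfg.xml" ]
}

# Move the configurator web app and its context file out of the deployment tree,
# then restart the service so Tomcat stops serving the interface. Safe to run twice:
# items already moved are skipped, and an existing copy in webapps.tmp is never overwritten.
apply_cfg_workaround() {
    base="$1"
    if [ ! -d "$base/webapps" ]; then
        echo "apply: $base/webapps not found, is this a Workspace One Access host?" >&2
        return 2
    fi
    mkdir -p "$base/webapps.tmp"
    if [ -d "$base/webapps/cfg" ]; then
        if [ -e "$base/webapps.tmp/cfg" ]; then
            echo "apply: $base/webapps.tmp/cfg already exists, refusing to overwrite" >&2
            return 3
        fi
        mv "$base/webapps/cfg" "$base/webapps.tmp/cfg"
    fi
    if [ -f "$base/conf/Catalina/localhost/cfg.xml" ]; then
        if [ -e "$base/webapps.tmp/cfg.xml" ]; then
            echo "apply: $base/webapps.tmp/cfg.xml already exists, refusing to overwrite" >&2
            return 3
        fi
        mv "$base/conf/Catalina/localhost/cfg.xml" "$base/webapps.tmp/cfg.xml"
    fi
    $RESTART_CMD
}

# Put both items back (after patching) and restart the service.
revert_cfg_workaround() {
    base="$1"
    if [ -d "$base/webapps.tmp/cfg" ]; then
        mv "$base/webapps.tmp/cfg" "$base/webapps/cfg"
    fi
    if [ -f "$base/webapps.tmp/cfg.xml" ]; then
        mkdir -p "$base/conf/Catalina/localhost"
        mv "$base/webapps.tmp/cfg.xml" "$base/conf/Catalina/localhost/cfg.xml"
    fi
    $RESTART_CMD
}

# Command-line entry point: apply | revert | status (run as root on the appliance).
case "${1:-}" in
    apply)  apply_cfg_workaround "$WORKSPACE_DIR" ;;
    revert) revert_cfg_workaround "$WORKSPACE_DIR" ;;
    status)
        if cfg_deployed "$WORKSPACE_DIR"; then
            echo "configurator still deployed under $WORKSPACE_DIR (workaround NOT applied)"
        else
            echo "configurator not deployed under $WORKSPACE_DIR (workaround applied)"
        fi ;;
    *) echo "usage: $0 apply|revert|status" >&2 ;;
esac
```

Run it as root on the appliance with apply, status or revert. The status check is worth keeping after patching too, because a revert that was never done leaves the appliance without a working configurator.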

For Windows-based servers, the workaround is as follows:

  1. Log in as Administrator.
  2. Run the following commands:
  • net stop "VMwareIDMConnector"
  • cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
  • mkdir webappstmp
  • move webapps\cfg webappstmp
  • net start "VMwareIDMConnector"

As on Linux, this removes the configurator web application until the folder is moved back after patching; the last command starts the connector service again, which the procedure would otherwise leave stopped.

*Note: the same steps apply to every Windows-based product affected by CVE-2020-4006.

Author: Wan Ariff

He brings working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
