Critical Unpatched VMware Flaw

An attacker could take control of a VMware system by exploiting its new vulnerability.

The virtualization software and services firm noted that "a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system".

A CVSS score of 9.1 out of 10 tracked as CBE-2020-4006 command vulnerability affects Access Connector, VMware Workspace One Access, Identity Manager, and Identity Manager Connector.

The company hasn't declared the exact release date of the patches and is uncertain whether a vulnerability is intact.

The  list of products affected are as follows:

  1. VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)

2. VMware Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)

3. VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)

4. VMware Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)

5. VMware Cloud Foundation (versions 4.x for Linux and Windows)

6. vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)

The temporary workaround by VMware is applicable to the administrative configurator service hosted on port 8443.

"The configurator-managed setting changes will not be applicable while the workaround is in place. In order to make changes, revert the workaround following the instructions below and disable it again until patches are available," the company added.

When VMware noted the major vulnerability in ESXi, Workstation, and Fusion hypervisors, which could be exploited by a malicious actor, the advisory took effect immediately. The attacker, with the local administrative privileges on a virtual machine, could execute code and escalate their privileges on the affected system (CVE-2020-4005 and CVE-2020-4004).

It's in the first weeks of this month  Qihoo 360 Vulcan Team at the 2020 Tianfu Cup Pwn Contest discovered this flaw.