VMware said it has no patch yet for a critical escalation-of-privileges bug that affects both Windows and Linux operating systems and its Workspace ONE product line.
The U.S. Cybersecurity and Infrastructure Security Agency is warning of a zero-day bug affecting six VMware products, including its Workspace ONE, Identity Manager and vRealize Suite Lifecycle Manager.
The critical unpatched bug is a command injection vulnerability.
In a separate VMware advisory, the company did not say whether the vulnerability was under active attack. Tracked as CVE-2020-4006, the bug has a CVSS severity score of 9.1 out of 10. The company said patches are “forthcoming” and that workarounds “for a temporary solution to prevent exploitation of CVE-2020-4006” are available.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote.
The products impacted by the vulnerability are:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
A total of 12 product versions are affected.
Workarounds outlined by VMware are “meant to be a temporary solution only, and customers are encouraged to follow VMSA-2020-0027 to be alerted when patches are available,” wrote the company.
Versions affected include:
- VMware Workspace ONE Access 20.10 (Linux)
- VMware Workspace ONE Access 20.01 (Linux)
- VMware Identity Manager 3.3.3 (Linux)
- VMware Identity Manager 3.3.2 (Linux)
- VMware Identity Manager 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
- VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)
The tradeoff of the workaround, once applied, is that in each of the affected VMware products, configurator-managed setting changes will not be possible while the workaround is in place.
“If changes are required please revert the workaround following the instructions … make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” VMware explained.
Some parts of this article are sourced from:
threatpost.com