VMware has introduced short-term workarounds to tackle a critical vulnerability in its goods that could be exploited by an attacker to get handle of an influenced method.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute instructions with unrestricted privileges on the underlying working program,” the virtualization software and providers business pointed out in its advisory.
Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS rating of 9.1 out of 10 and impacts VMware Workspace A single Obtain, Accessibility Connector, Identity Supervisor, and Identity Supervisor Connector.
Though the company stated patches for the flaw are “forthcoming,” it failed to specify an actual day by when it truly is predicted to be launched. It can be unclear if the vulnerability is less than active attack.
The total checklist of products affected are as follows:
- VMware Workspace One particular Obtain (versions 20.01 and 20.10 for Linux and Windows)
- VMware Workspace Just one Accessibility Connector (versions 20.10, 20.01.., and 20.01..1 for Windows)
- VMware Id Supervisor (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
- VMware Id Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
- VMware Cloud Basis (variations 4.x for Linux and Windows)
- vRealize Suite Lifecycle Supervisor (versions 8.x for Linux and Windows)
VMware claimed the workaround applies only to the administrative configurator company hosted on port 8443.
“Configurator-managed setting modifications will not be achievable although the workaround is in location,” the firm explained. “If adjustments are necessary remember to revert the workaround following the recommendations underneath, make the needed alterations and disable all over again till patches are out there.”
The advisory arrives days immediately after VMware addressed a critical flaw in ESXi, Workstation, and Fusion hypervisors that could be exploited by a destructive actor with nearby administrative privileges on a virtual equipment to execute code and escalate their privileges on the afflicted system (CVE-2020-4004 and CVE-2020-4005).
The vulnerability was discovered by Qihoo 360 Vulcan Workforce at the 2020 Tianfu Cup Pwn Contest held previously this month in China.
Located this article interesting? Comply with THN on Facebook, Twitter and LinkedIn to examine much more unique information we article.
Some parts of this article are sourced from:
thehackernews.com