The National Security Agency (NSA) has issued an alert warning that Russian state hackers are exploiting a VMware vulnerability to access sensitive data and maintain persistence in targeted systems.
The NSA urged network administrators at the US National Security System (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) to patch the bug as a priority.
VMware fixed CVE-2020-4006 on December 3. It’s a Command Injection Vulnerability that exists in VMware Access and VMware Identity Manager products.
“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data,” the NSA explained in its advisory.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”
The NSA recommended that any admins integrating authentication servers with ADFS follow Microsoft best practices such as MFA.
It said that password-based access to the web-based user interface of the device is required to exploit the bug, so using a strong and unique password would help to mitigate the risk, as would disconnecting the interface from the internet.
Daniel Trauner, director of security at Axonius, likened the vulnerability to one in a MobileIron MDM exploited recently as it enables compromise across a potentially large number of organizations.
“Bugs that affect central infrastructure like this, even slightly lower severity bugs that require prerequisites for authentication, are attractive and useful to adversaries because these systems are the central aggregation point for a significant portion of infrastructure. This makes pivoting easy,” he said.
“In addition to prioritizing patching and updating assets with known critical vulnerabilities, organizations need to make sure they are gathering detailed information about their assets —particularly those central to core infrastructure — and continually validate every asset’s adherence to their overall security policy.