VMWare has released a temporary fix for a critical zero-day vulnerability affecting several of its products, including VMWare Workspace One. The bug allows threat actors to take control of Linux and Windows operating systems by escalating their privileges remotely.
The command injection vulnerability, tracked as CVE-2020-4006, has been found in the administrative configuration of some versions of VMWare Workspace One, as well as in VMWare’s Access Connector, Identity Manager, and Identity Manager Connector. The vulnerability has been given a 9.1 CVSSv3 severity rating out of 10.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the VMWare security advisory explains.
A short-term fix
Although VMWare is still working on a security update to patch the vulnerability, temporary workarounds have been made available that will remove the attack vector used to exploit CVE-2020-4006. The workarounds involve following a series of detailed steps, but only work for some of the attack vectors – so some VMWare products will remain vulnerable. The workaround also causes some functionality limitations.
“Impacts are limited to functionality performed by this service,” the workaround reads. “Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround… make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed.”
Given the severity of the vulnerability and the limited impact of the workaround, it is advised that all users of affected VMWare products implement the workaround immediately. That will give VMWare more time to come up with a long-term solution.