How OPSWAT Can Help Detect and Prevent the VMware Workspace ONE Access Exploit (CVE-2020-4006)

Background

In November, VMware disclosed a flaw in VMware Workspace ONE Access (formerly known as VMware Identity Manager). The vulnerability is tracked as CVE-2020-4006. The NSA has warned that Russian state-sponsored hackers have been actively exploiting this vulnerability and has published an advisory on it. The vulnerability can be used to gain unauthorized access to the system's web-based management interface and execute arbitrary commands with elevated privileges at the operating system level. Ultimately, this foothold lets the attacker abuse federated authentication mechanisms and forge credentials to access protected data.

How to detect?

Based on the information provided by VMware in its advisory, OPSWAT has added the ability to detect this CVE on a device and report it in MetaAccess. When detected, it is reported both in the MetaAccess management portal and to the user of the affected computer by the OPSWAT Client running on that device.

An example of the CVE being reported to a user of the device:

How to remediate and prevent?

After using MetaAccess to find vulnerable machines, the patch can be applied and the devices re-scanned. In addition, automated, ongoing scanning for this vulnerability will alert you if a machine is brought online with an older configuration that still contains the vulnerability.

How to prevent similar attacks?

As attacks on widely used identity providers such as this one are serious and impactful, the NSA has issued an advisory on how to detect, mitigate and harden systems against exploitation of this specific vulnerability and other similar exploits that are likely lurking undetected.

As is well understood, and as the NSA document underscores, this and many other attacks start by exploiting unpatched endpoints running out-of-date software. MetaAccess goes well beyond keeping endpoints patched and up to date: with its Advanced Endpoint Protection capabilities, it can prevent endpoints from connecting if they do not comply with a long list of health and security checks.

In terms of preventing attacks on the management interface of security infrastructure, it has long been good practice to segment those interfaces, and with capabilities like a Software Defined Perimeter (SDP), that segmentation can be made much more secure and easier to manage. MetaAccess combines the network-level segmentation of SDP with its Advanced Endpoint Protection, thereby ensuring the management interface's network endpoint is unreachable until and unless the device attempting to connect has proven trustworthy.

MetaAccess makes it easy to protect such management interfaces. Once the Gateway is in place, it is a simple matter of defining the application to be protected, in this case the Workspace ONE Access management console:

How to get more information?

For more information on how OPSWAT MetaAccess can help protect your critical infrastructure, contact us today.

References

CVE-2020-4006 VMware Advisory VMSA-2020-0027.2 (vmware.com)

Russian Hackers Exploiting Recently Patched VMware Flaw, NSA Warns | SecurityWeek.Com

Russian State-Sponsored Actors Exploiting Vulnerability in VMware® Workspace ONE Access Using Compromised Credentials

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources > Sixteenth Air Force (Air Forces Cyber) > News (af.mil)

System and Network Configuration Requirements (vmware.com)

For more information, please contact one of our critical infrastructure cybersecurity experts.
