How OPSWAT Can Help Detect and Prevent the VMware WorkSpace ONE Access exploit (CVE-2020-4006)

by OPSWAT

Background

In November 2020, VMware disclosed a command-injection flaw in VMware Workspace ONE Access (formerly VMware Identity Manager), tracked as CVE-2020-4006 and covered by advisory VMSA-2020-0027. An attacker with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. The NSA has warned that Russian state-sponsored actors have been actively exploiting this vulnerability and has published an advisory (see References). In the intrusions the NSA describes, access to the configurator was used to install a web shell and then to abuse federated authentication: the actors forged SAML credentials and used them to reach protected data.

How to detect?

Based on the information in VMware's advisory, OPSWAT has added detection of this CVE to MetaDefender Access. When a vulnerable device is found, it is reported both in the MetaDefender Access management portal and to the user of that device by the MetaDefender Endpoint agent running on it.

An example of the CVE being reported to a user of the device:
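MetaDefender Access checks whether a device is still vulnerable. A separate question is whether an appliance was already exploited before it was patched. The NSA advisory cited in the references describes a host-side check for that: a bare "exit" statement followed by a three-digit number (for example "exit 123") in the configurator's log file. The Python scanner below is an added example, not OPSWAT's code and not from the original post; it implements that check over log lines. The log path and the indicator pattern are taken from the NSA advisory and should be confirmed against it and against your own appliance; the sample log lines are constructed for illustration and are not real configurator output.

```python
import re
from typing import Iterable, List, Tuple

# Log written by the Workspace ONE Access / Identity Manager administrative
# configurator. Path as given in the NSA advisory; confirm it on your appliance.
CONFIGURATOR_LOG = "/opt/vmware/horizon/workspace/logs/configurator.log"

# The NSA advisory describes a bare "exit" followed by a three-digit number
# (e.g. "exit 123") in configurator.log as a possible indicator that
# CVE-2020-4006 was exploited. The word boundaries keep "exit 1234" and
# "exit code 123" from matching.
EXIT_INDICATOR = re.compile(r"\bexit\s+\d{3}\b")


def find_exploitation_indicators(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every log line matching the indicator."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        if EXIT_INDICATOR.search(line):
            hits.append((lineno, line.rstrip("\n")))
    return hits


def scan_log_file(path: str = CONFIGURATOR_LOG) -> List[Tuple[int, str]]:
    """Scan a configurator.log on disk; returns [] when nothing matches."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_exploitation_indicators(fh)


# Constructed sample lines for a stand-alone run. These are NOT real
# configurator.log output; the line format is invented for illustration.
SAMPLE_LOG = [
    "2020-12-03 10:14:02 INFO  configurator started on port 8443\n",
    "2020-12-03 10:15:47 INFO  admin login from 10.20.30.40\n",
    "2020-12-03 10:16:05 INFO  exit 123\n",
    "2020-12-03 10:16:06 INFO  hostname change applied, exit code 0\n",
    "2020-12-03 10:16:09 INFO  exit 1234\n",
    "2020-12-03 10:17:30 WARN  exit 007 returned by helper\n",
]


def demo() -> List[Tuple[int, str]]:
    """Run the scanner over the constructed sample and return the hits."""
    return find_exploitation_indicators(SAMPLE_LOG)


if __name__ == "__main__":
    for lineno, line in demo():
        print(f"possible CVE-2020-4006 exploitation indicator at line {lineno}: {line}")
```

A hit is only a lead, not proof of compromise: the NSA advisory notes that exploitation happens inside the TLS session to the web interface, so there is little for network sensors to see, and the log indicator is what remains on the host. Treat matches as a trigger to look for a web shell in the appliance's web directories and to review administrator logins to the configurator around the same time.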

How to remediate and prevent?

After using MetaDefender Access to find vulnerable machines, apply the VMware fix and re-scan the devices. Note that VMware ships the fix for this CVE as a hotfix rather than a new product release, so confirm that the hotfix is actually installed rather than relying on the base version number alone. Automated, ongoing scanning for this vulnerability will also alert you if a machine is brought online with an older, still-vulnerable configuration.

How to prevent similar attacks?

Because attacks on widely used identity providers such as this one are serious and impactful, the NSA has issued an advisory on how to detect, mitigate and harden systems against this specific vulnerability and against similar attacks that may still be going undetected.

As the NSA advisory underscores, this and many other attacks start with unpatched endpoints running out-of-date software. The advisory also points out that exploitation requires a valid password for the configurator admin account, so a strong, unique password for that account and restricted access to its interface are part of the mitigation. MetaDefender Access goes beyond keeping endpoints patched and up to date: with its Advanced Endpoint Protection capabilities it can prevent a device from connecting at all if it does not pass a long list of health and security checks.

Segmenting the management interfaces of security infrastructure has long been standard practice, and a Software Defined Perimeter (SDP) makes that segmentation both more secure and easier to manage. MetaDefender Access combines the network-level segmentation of SDP with its Advanced Endpoint Protection, so the management interface's network endpoint stays unreachable until the device attempting to connect has proven itself trustworthy. For Workspace ONE Access that means, at a minimum, that the configurator port (8443) is reachable only from the management network and never from the internet.

MetaDefender Access makes it easy to protect such management interfaces. Once the Gateway is in place, it is a simple matter of defining the application to be protected, in this case the Workspace ONE Access management console:

How to get more information?

For more information on how OPSWAT MetaDefender Access can help protect your critical infrastructure, contact us today.

References

VMSA-2020-0027.2: VMware advisory for CVE-2020-4006 (vmware.com)

Russian Hackers Exploiting Recently Patched VMware Flaw, NSA Warns (SecurityWeek)

NSA Cybersecurity Advisory: Russian State-Sponsored Actors Exploiting Vulnerability in VMware Workspace ONE Access Using Compromised Credentials

NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources (af.mil)

VMware Workspace ONE Access: System and Network Configuration Requirements (vmware.com)
