NSA: VMware vulnerability is being exploited by Russian hackers

Special investigators from the National Security Agency (NSA) have issued a high-priority alert warning that Russian state-sponsored threat actors are exploiting a VMware vulnerability to steal sensitive data and gain persistence in affected systems. The Agency urgently asks network admins at the US National Security Systems (NSS), Department of Defense (DoD) and Defense Industrial Base (DIB) to patch the bug as soon as possible.

The flaw (tracked as CVE-2020-4006) was fixed by VMware last Thursday. According to the report, it is a command injection vulnerability in the VMware Access and VMware Identity Manager products: “Successful exploitation via command injection led to installation of a web shell and further malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services (ADFS), which in turn granted the actors access to protected data.”

The experts note that when running products that perform authentication, it is critical that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.

The Agency recommended that any admins integrating authentication servers with ADFS follow Microsoft best practices, such as multi-factor authentication, to prevent major risks.

The report mentions that threat actors require password-based access to the web-based user interface to exploit the flaw, so using a strong and unique password would help to mitigate the risk, as would disconnecting the interface from the internet.

Meanwhile, Daniel Trauner from security firm Axonius likened the vulnerability to a recently exploited MobileIron MDM flaw, as it enables compromise across a potentially large number of organizations. More details are still unknown.