The US National Security Agency (NSA) and the UK's NCSC have urged organisations to immediately plug a vulnerability affecting a number of VMware identity management products that is being exploited by Russian state-sponsored actors to gain access to sensitive data.
According to the NSA, the affected products include VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector. VMware has already released security patches for the vulnerability, and organisations are being advised to patch their VMware products as soon as possible.
"The exploitation of this vulnerability first requires that a malicious actor have access to the management interface of the device. This access can allow attackers to forge security assertion markup language (SAML) credentials to send seemingly authentic requests to gain access to protected data," NSA said.
"NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible. If a compromise is suspected, check server logs and authentication server configurations as well as applying the product update. In the event that an immediate patch is not possible, system administrators should apply mitigations detailed in the advisory to help reduce risk of exploitation/compromise/attack."
Even though NSA says that the vulnerability is being actively exploited by Russian state-sponsored actors to access protected data on affected systems, the agency has not named any specific APT group that is responsible for the exploitation.
According to VMware, the vulnerability, assigned CVE-2020-4006, affects some versions of Workspace ONE Access, Identity Manager, and Workspace ONE Access Connector. Security patches for each of these identity management products are available from VMware.