The U.S. National Security Agency (NSA) has released a cybersecurity advisory alert informing the public that Russian state-sponsored hackers are focusing on a flaw in VMWare virtual workspaces used to support remote working.

The flaw, labelled as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being targeted to obtain access to enterprise networks and protected data on the impacted systems.

The flaw is a command-injection flaw in the administrative configurator component of the affected products. The vulnerability can be targeted remotely by a hacker with valid details and access to the administrative configurator on port 8443. If successfully taken advantage of, a hacker would be able to execute commands with unlimited privileges on the operating system and access sensitive data.

VMWare launched a patch to address the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been impacted, along with steps to eradicate threat actors who have already exploited the vulnerability.

The flaw may not have been allocated a high priority by system managers as it was only rated by VMWare as ‘important’ severity, with a CVSS v3 base score of 7.2 out of 10 assigned to the flaw. The relatively low severity rating as a result of the fact that a valid password must be supplied to exploit the flaw and the account is internal to the impacted range of products. However, as the NSA outlined, the Russian threat actors are already exploiting the flaw using stolen details.

In attacks reviewed by the NSA, the hackers targeted the command injection flaw, installed a web shell, followed by malicious activity where SAML authentication assertions were produced and shared to Microsoft Active Directory Federation Services (ADFS), granting access to secured data.

The best manner of stopping exploitation is to apply the VMWare patch as soon as possible. If it is not possible to apply the patch, it is important to see to it that strong, unique passwords are set to safeguard from brute force attempts to reveal passwords. The NSA also advises administrators ensure the web-based management interface is not accessible via the Internet.

Strong passwords will not stop the flaw from being successfully targeted and will not provide protection if the flaw has already been exploited. NSA said: “It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

If linking up with authentication servers with ADFS, the NSA recommends following Microsoft’s best practices, especially for safeguarding SAML assertions. Multi-factor authentication should also be configured.

The NSA has released a workaround that can be used to stop exploitation until the patch can be applied and recommends reviewing and hardening configurations and monitoring federated authentication suppliers.

Unfortunately, spotting exploitation of the flaw can be tricky. The NSA explained in the advisory that “network-based indicators are unlikely to be effective at detecting exploitation since the activity occurs exclusively inside an encrypted transport layer security (TLS) tunnel associated with the web interface.

VMWare advises that all customers refer to VMSA-2020-0027 for information on this flaw.