VMware has issued a workaround for a Critical command injection vulnerability CVE-2020-4006 in multiple VMware products.
An attacker could exploit this vulnerability and take control of an unpatched system.
As noted in the VMware advisory VMSA-2020-0017, a command injection vulnerability CVE-2020-4006 impacts VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector administrative configurator.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware explained.
Moreover, CVE-2020-4006 has a maximum CVSSv3 base score of 9.1.
After investigation, the Workspace ONE Access team determined that the possibility of exploitation can be eliminated by following workaround instructions for Linux based appliances and Windows based servers.
Finally, the VMware team added that a patch is “forthcoming.”
We will update this article as soon as VMware provides a permanent patch.
Update December 3, 2020: VMware issued an update to previously posted advisory (originally published Nov 23, 2020) with the following changes on December 3, 2020: “Updated severity, CVSSv3 scoring, acknowledgements, resolution, and notes sections in conjunction with the release of fixes for CVE-2020-4006. In addition, vIDM Connector for Windows (19.03.0.0, 19.03.0.1) has been determined to be impacted by CVE-2020-4006.”