Skip to main content
close search
site logo
Dive Brief

NSA calls out Russia-backed exploit of VMware virtual workspace platform

Published Dec. 8, 2020
David Jones's headshot
Reporter
A man looks at lines of code depicted on a computer screen
sestovic via Getty Images

Dive Brief:

  • Russian state-sponsored actors are exploiting a vulnerability in VMware virtual workspace software that could allow access to protected data using compromised credentials, the National Security Agency warned in an advisory Monday. 
  • The agency urged network administrators in the Department of Defense (DOD), National Security System (NSS) and Defense Industrial Base (DIB) to take steps to mitigate the relevant servers. VMware issued a patch for the vulnerability on Dec. 3. 
  • The Palo Alto, California-based software firm said the security issue involved the on-premises version of VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector, which was noted in the NSA advisory, according to a company spokesperson in an email.

Dive Insight: 

"With this vulnerability, a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the company spokesperson said.

VMware customers were advised to visit VMSA-2020-0027 as the centralized source of information on the issue, the spokesman said. Customers were also advised to sign up for the company's Security-Announce mailing list

The company told customers to also apply the latest product updates, security patches and mitigations made available for their specific environment and contact third-party operating system vendors to determine additional actions, a practice that is often recommended. 

NSA officials declined to provide any specifics on the scope of the damage but confirmed efforts to help protect relevant parties.

The advisory is part of NSA's mission to provide timely and relevant cybersecurity guidance to our partners in the DOD, NSS and the DIB, said Neal Ziring, technical director, NSA Cybersecurity, in an email. 

Ziring would not provide any details on the time or scope of the attacks, saying the agency "does not publicly disclose details on victims of foreign malicious cyber activity." 

Any organization that uses the affected products should promptly apply the vendor released patch, Ziring said. 

Analysts noted the potential damage was something that could be contained but were also struck that the agency called out the Russian involvement in such a public and direct manner.

"Because the vulnerability requires the attacker to both be able to access the VMware system over the internet and have password-based authorized access to the system, this may be a limited set of systems that the Russians could exploit," Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet. "Moreover the threat can be limited as the advisory notes, by using a strong password."

Nevertheless the disclosure of the specific Russian technique "demonstrates a willingness by NSA — potentially because of the threat posed by the vulnerability — to disclose the capability as well as to name the threat actor," he said. 

"NSA has taken some criticism in the past for its purported inaction in cases such as these, but I think it's a great example of public-private information sharing to reduce enterprise risk," said Ed Amoroso, CEO of TAG Cyber and former CSO at AT&T.

Filed Under: Vulnerability, Threats

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell