Dive Brief:
- Russian state-sponsored actors are exploiting a vulnerability in VMware virtual workspace software that could allow access to protected data using compromised credentials, the National Security Agency warned in an advisory Monday.
- The agency urged network administrators in the Department of Defense (DOD), National Security System (NSS) and Defense Industrial Base (DIB) to take steps to mitigate the vulnerability on the affected servers. VMware issued a patch for the vulnerability on Dec. 3.
- The Palo Alto, California-based software firm said the security issue, which was noted in the NSA advisory, involved the on-premises versions of VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector, a company spokesperson said in an email.
Dive Insight:
"With this vulnerability, a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the company spokesperson said.
VMware customers were advised to visit VMSA-2020-0027 as the centralized source of information on the issue, the spokesperson said. Customers were also advised to sign up for the company's Security-Announce mailing list.
The company told customers to also apply the latest product updates, security patches and mitigations made available for their specific environment and contact third-party operating system vendors to determine additional actions, a practice that is often recommended.
NSA officials declined to provide any specifics on the scope of the damage but confirmed efforts to help protect relevant parties.
The advisory is part of NSA's mission to provide timely and relevant cybersecurity guidance to its partners in the DOD, NSS and the DIB, said Neal Ziring, technical director, NSA Cybersecurity, in an email.
Ziring would not provide any details on the time or scope of the attacks, saying the agency "does not publicly disclose details on victims of foreign malicious cyber activity."
Any organization that uses the affected products should promptly apply the vendor-released patch, Ziring said.
Analysts noted the potential damage was something that could be contained but were also struck that the agency called out the Russian involvement in such a public and direct manner.
"Because the vulnerability requires the attacker to both be able to access the VMware system over the internet and have password-based authorized access to the system, this may be a limited set of systems that the Russians could exploit," said Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet. "Moreover, the threat can be limited, as the advisory notes, by using a strong password."
Nevertheless, the disclosure of the specific Russian technique "demonstrates a willingness by NSA — potentially because of the threat posed by the vulnerability — to disclose the capability as well as to name the threat actor," he said.
"NSA has taken some criticism in the past for its purported inaction in cases such as these, but I think it's a great example of public-private information sharing to reduce enterprise risk," said Ed Amoroso, CEO of TAG Cyber and former CSO at AT&T.