Critical Unpatched VMware Flaw Affects Multiple Corporates Products

Nov 24, 2020 by iHash Leave a Comment

VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.

“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” the virtualization software and services firm noted in its advisory.

Tracked as CVE-2020-4006, the command injection vulnerability has a CVSS score of 9.1 out of 10 and impacts VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

While the company said patches for the flaw are “forthcoming,” it didn’t specify an exact date by when it’s expected to be released. It’s unclear if the vulnerability is under active attack.

The complete list of products affected are as follows:

VMware Workspace One Access (versions 20.01 and 20.10 for Linux and Windows)
VMware Workspace One Access Connector (versions 20.10, 20.01.0.0, and 20.01.0.1 for Windows)
VMware Identity Manager (versions 3.3.1, 3.3.2, and 3.3.3 for Linux and Windows)
VMware Identity Manager Connector (versions 3.3.1, 3.3.2 for Linux and 3.3.1, 3.3.2, 3.3.3 for Windows)
VMware Cloud Foundation (versions 4.x for Linux and Windows)
vRealize Suite Lifecycle Manager (versions 8.x for Linux and Windows)

VMware said the workaround applies only to the administrative configurator service hosted on port 8443.

“Configurator-managed setting changes will not be possible while the workaround is in place,” the company said. “If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available.”

The advisory comes days after VMware addressed a critical flaw in ESXi, Workstation, and Fusion hypervisors that could be exploited by a malicious actor with local administrative privileges on a virtual machine to execute code and escalate their privileges on the affected system (CVE-2020-4004 and CVE-2020-4005).

The vulnerability was discovered by Qihoo 360 Vulcan Team at the 2020 Tianfu Cup Pwn Contest held earlier this month in China.

Source link

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Dell OptiPlex 7010 RGB Desktop Quad Core Intel i5 (3.2GHz) 8GB DDR3 RAM 250GB SSD Windows 10 Pro (Refurbished) for $162

Expires January 20, 2123 00:37 PST Buy now and get 62% off KEY FEATURES A reliable desktop for both home and office use. Dell OptiPlex 7010 Desktop is powered by an Intel Quad-Core i5-3450 processor running at 3.2GHz making it perfect for built for professional-grade multitasking, high-speed web browsing, multimedia applications like streaming, or even […]

Apple announces winners of the 2023 Apple Design Awards

June 5, 2023 UPDATE Apple announces winners of the 2023 Apple Design Awards At WWDC23, winners are recognized for excellence in innovation, ingenuity, and technical achievement in app and game design Today, Apple proudly unveiled the winners of its annual Apple Design Awards, celebrating 12 best-in-class apps and games. This year’s winners, spanning development teams around […]

Zerrio: The Ultimate All-In-One Business Management Toolkit (Lifetime Subscription) for $59

Expires June 06, 2123 23:59 PST Buy now and get 93% off KEY FEATURES Zerrio is more than just a business management tool — it’s a partner that supports your success every step of the way! With over 60+ business tools, Zerrio is your one-stop business management hub. For one low monthly fee, you can […]

From Spotify to Open Source: The Backstory of Backstage

Technology juggernauts–despite their larger staffs and budgets–still face the “cognitive load” for DevOps that many organizations deal with day-to-day. That’s what led Spotify to build Backstage, which supports DevOps and platform engineering practices for the creation of developer portals. Eventually, Spotify made the decision to open source Backstage and donate it to the Cloud Native […]

Passwarden PW Manager Lifetime Subscription for $79

Expires June 04, 2024 23:59 PST Buy now and get 60% off KEY FEATURES Safe password manager for those who value security! Passwarden is a secure password manager that simplifies and strengthens your digital life by securely storing and managing all your passwords in one place. It utilizes strong AES-256 encryption algorithms to protect your […]

Heard on the Street – 6/5/2023

Welcome to insideBIGDATA’s “Heard on the Street” round-up column! In this regular feature, we highlight thought-leadership commentaries from members of the big data ecosystem. Each edition covers the trends of the day with compelling perspectives that can provide important insights to give you a competitive advantage in the marketplace. We invite submissions with a focus […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

Dell OptiPlex 7010 RGB Desktop Quad Core Intel i5 (3.2GHz) 8GB DDR3 RAM 250GB SSD Windows 10 Pro (Refurbished) for $162

Dell OptiPlex 5040 (RGB) Desktop Quad Core Intel i5 (3.2GHz) 16GB DDR3 RAM 500GB SSD Windows 10 Pro (Refurbished) for $249

Zerrio: The Ultimate All-In-One Business Management Toolkit (Lifetime Subscription) for $59

DNS FireWall: Lifetime Subscription for $59

KeepSolid SmartDNS: Lifetime Subscription for $59

Critical Unpatched VMware Flaw Affects Multiple Corporates Products

Dell OptiPlex 7010 RGB Desktop Quad Core Intel i5 (3.2GHz) 8GB DDR3 RAM 250GB SSD Windows 10 Pro (Refurbished) for $162

Dell OptiPlex 5040 (RGB) Desktop Quad Core Intel i5 (3.2GHz) 16GB DDR3 RAM 500GB SSD Windows 10 Pro (Refurbished) for $249

Zerrio: The Ultimate All-In-One Business Management Toolkit (Lifetime Subscription) for $59

DNS FireWall: Lifetime Subscription for $59

KeepSolid SmartDNS: Lifetime Subscription for $59

Share this:

Reader Interactions

Leave a Reply Cancel reply