Quote:VMware has patched a zero-day bug that was disclosed in late November – an escalation-of-privileges flaw that impacts Workspace One and other platforms, for both Windows and Linux operating systems.
VMware has also revised the CVSS severity rating for the bug to “important,” down from critical.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had originally flagged the unpatched security vulnerability on Nov. 23, which affects 12 VMware versions across its Cloud Foundation, Identity Manager, vRealize Suite Lifecycle Manager and Workspace One portfolios. It was reported to the company by the National Security Agency (NSA).
Tracked as CVE-2020-4006, the bug allows command injection, according to the company’s advisory.
“A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system,” VMware wrote in an updated advisory on Thursday.
While the bug was originally given a 9.1 out of 10 on the CVSS severity scale, further investigation showed that any attacker would need the password mentioned in the update, making it much harder to exploit effectively. Its rating is now 7.2, making it “important” rather than “critical.”
“This account is internal to the impacted products and a password is set at the time of deployment,” according to the advisory. “A malicious actor must possess this password to attempt to exploit CVE-2020-4006.”
Read more: https://threatpost.com/vmware-fix-critic...ug/161896/
![[-]](https://www.geeks.fyi/images/collapse.png)
