Quote:Active attacks against a flaw in VMware’s Workspace One Access continue, three days after the vendor patched the vulnerability and urged customers to fix the bug (classified as a zero-day at the time). Now the U.S. National Security Agency (NSA) has escalated concerns and on Monday warned that foreign adversaries have zeroed in on exploiting – specifically VMware’s Workspace One Access and its Identity Manager products.
Those VMware products are two of 12 impacted by a command-injection vulnerability, tracked as CVE-2020-4006, and patched on Friday. At the time, VMware said there were no reports of exploitation in the wild.
According to the NSA, Russian-state threat actors are now leveraging the vulnerability to launch attacks to pilfer protected data and abuse shared authentication systems.
“The exploitation(s), via command injection, led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” wrote the NSA in its security bulletin (PDF).
SAML stands for Security Assertion Markup Language, which is a standard used by organizations to exchange authentication and authorization data. SAML is used primarily as a means of enabling single sign-on between web domains.
“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration,” the NSA wrote. “Otherwise, SAML assertions could be forged, granting access to numerous resources. If integrating authentication servers with ADFS, NSA recommends following Microsoft’s best practices, especially for securing SAML assertions and requiring multi-factor authentication.”
Read more: https://threatpost.com/nsa-vmware-bug-un...ck/161985/
![[-]](https://www.geeks.fyi/images/collapse.png)
