New Vulnerabilities in VMware products could allow an attacker to exploit the installed system

Certain releases of Workspace ONE Access, Identity Manager, and Workspace One Access Adapter have been determined to be affected by CVE-2020-4006. VMSA-2020-0027 documents this vulnerability and its effect on VMware products. Before proceeding.

Tuesday, November 24, 2020, 08:55 GMT

Affected Product versions:

  • VMware Workspace One Access    20.10 (Linux)
  • VMware Workspace One Access    20.01 (Linux)
  • VMware Identity Manager    3.3.3 (Linux)
  • VMware Identity Manager    3.3.2 (Linux)
  • VMware Identity Manager    3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.2, 3.3.1 (Linux)
  • VMware Identity Manager Connector 3.3.3, 3.3.2, 3.3.1 (Windows)

Alert
This workaround applies ONLY to VMware Workspace One Access, VMware Identity Manager and VMware Identity Manager Connector. Do not apply this workaround to other VMware products.

Impacts in Features
This workaround concerns the configurator hosted on port 8443. Impacts are confined to the features offered by this service. While the workaround is in place, configurator-managed settings cannot be changed. If changes are needed, revert the workaround following the instructions below, make the required changes, and disable the configurator again until updates are available. In addition, none of the device diagnostics dashboard will be displayed.

To implement the workaround for CVE-2020-4006, perform the steps below. Note which operating system the product runs on.

1. Implement workaround for Linux based appliances

  1. Use SSH to connect to the appliance using the “sshuser” credentials configured during installation or updated later.
  2. Switch to root by typing su and providing the “root” credentials configured during installation or updated later.
  3. Run the following commands:

    cd /opt/vmware/horizon/workspace
    mkdir webapps.tmp
    mv webapps/cfg webapps.tmp
    mv conf/Catalina/localhost/cfg.xml webapps.tmp
    service horizon-workspace restart 

    Repeat steps for all Linux based appliances affected by CVE-2020-4006.
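
A check that the Linux steps above left the appliance in the expected state, as an added example that is not part of the original advisory or VMware tooling. The function name and the three state labels are assumptions; the paths are the ones used in the commands above.

```shell
#!/bin/sh
# Added example: verify the CVE-2020-4006 workaround on a Linux appliance.
# Paths come from the commands on this page; the function name and the
# state labels (applied / not-applied / inconsistent) are hypothetical.

# workaround_state [BASE] -> prints one state label
workaround_state() {
    base=${1:-/opt/vmware/horizon/workspace}
    live=0    # configurator pieces still where the service loads them
    moved=0   # configurator pieces parked in webapps.tmp

    if [ -e "$base/webapps/cfg" ]; then live=$((live + 1)); fi
    if [ -e "$base/conf/Catalina/localhost/cfg.xml" ]; then live=$((live + 1)); fi
    if [ -e "$base/webapps.tmp/cfg" ]; then moved=$((moved + 1)); fi
    if [ -e "$base/webapps.tmp/cfg.xml" ]; then moved=$((moved + 1)); fi

    if [ "$live" -eq 0 ] && [ "$moved" -eq 2 ]; then
        # Both pieces were moved aside, so the workaround can be reverted later.
        echo applied
    elif [ "$live" -eq 2 ] && [ "$moved" -eq 0 ]; then
        # Configurator web app and its context file are still in place.
        echo not-applied
    else
        # Only one piece was moved, a piece was deleted instead of moved,
        # or BASE is not the workspace directory.
        echo inconsistent
    fi
}

# Stand-alone use: pass the workspace directory, or rely on the default.
workaround_state "${1:-/opt/vmware/horizon/workspace}"
```

An `inconsistent` result deserves a manual look before the next restart, because reverting the workaround for a configuration change depends on both items being present in `webapps.tmp`.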

2. Implement workaround for Windows based servers

  1. Log in as Administrator.
  2. Open a Command Prompt window and run the following commands:

    net stop "VMwareIDMConnector"
    cd \VMware\VMwareIdentityManager\Connector\opt\vmware\horizon\workspace
    mkdir webappstmp
    move webapps\cfg webappstmp
    move conf\Catalina\localhost\cfg.xml webappstmp
    net start "VMwareIDMConnector"

    Repeat steps for all Windows based servers affected by CVE-2020-4006.

References:
kb.vmware.com/