VU#724367: VMware Workspace ONE Access and related components are vulnerable to command injection







Overview


VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This vulnerability could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.


Description


VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This vulnerability could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMware's security advisory.


Impact


This vulnerability could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.


Solution


The CERT/CC is currently unaware of a practical solution to this problem.


Workarounds


Please see the workarounds provided by VMware.


Acknowledgements


Thanks to VMware for coordinating this vulnerability.


This document was written by Madison Oliver.







Vendor Information




One or more vendors are listed for this advisory. Please reference the full report for more information.






References


https://www.vmware.com/security/advisories/VMSA-2020-0027.html
