Russian cyber actors are exploiting a vulnerability in VMware Access and Identity Manager products to access protected data on affected systems, according to a National Security Agency (NSA) security advisory released this week.
The VMware vulnerability affects the following products:
- Workspace One Access
- Access Connector
- Identity Manager
- Identity Manager Connector
To exploit the VMware vulnerability, cyber actors must have access to a device's management interface, NSA indicated. They can then forge Security Assertion Markup Language (SAML) credentials to request access to protected data.
How to Guard Against the VMware Vulnerability
NSA is urging National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware products as soon as possible. It offers the following recommendations to guard against the VMware vulnerability:
- Understand the Vulnerability: The VMware vulnerability requires password-based access to a web interface and allows cybercriminals to execute Linux commands. As such, system administrators should leverage multi-factor authentication (MFA) and other appropriate security measures to minimize the threat's impact.
- Understand the Relevance: The VMware vulnerability enables cybercriminals to target customer and partner networks. Therefore, system administrators should identify any networks that could be affected by the vulnerability.
- Prioritize the Response: System administrators must identify which data can be accessed via vulnerable VMware products, assess the risk associated with data that cybercriminals could access, and patch vulnerable products accordingly.
In addition, system administrators should review server logs and check and update service configurations to mitigate the VMware vulnerability, NSA stated. They also can leverage MFA for security credential services as needed.
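One way to approach the log review for forged SAML credentials is to correlate assertions accepted by a service with assertions the identity provider actually issued. This is an added example, not code from NSA or VMware; the record fields, the five-minute lifetime and the sample data are constructed assumptions, not a VMware log format.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not a vendor log format.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice", "issued": "2024-01-15T09:00:05"},
    {"assertion_id": "_b2", "subject": "bob", "issued": "2024-01-15T09:14:40"},
]
SP_ACCEPTED = [
    {"assertion_id": "_a1", "subject": "alice", "accepted": "2024-01-15T09:00:07"},
    {"assertion_id": "_b2", "subject": "svc-admin", "accepted": "2024-01-15T09:14:42"},
    {"assertion_id": "_z9", "subject": "svc-admin", "accepted": "2024-01-15T03:12:00"},
    {"assertion_id": "_a1", "subject": "alice", "accepted": "2024-01-15T18:30:00"},
]

MAX_AGE = timedelta(minutes=5)  # assumed assertion lifetime


def find_suspect_logins(idp_issued, sp_accepted, max_age=MAX_AGE):
    """Return (assertion_id, reason) for logins the IdP log cannot account for."""
    issued = {r["assertion_id"]: r for r in idp_issued}
    seen = set()
    findings = []
    for login in sp_accepted:
        aid = login["assertion_id"]
        record = issued.get(aid)
        if record is None:
            # The service accepted an assertion the IdP never logged issuing.
            findings.append((aid, "no matching IdP issuance"))
            continue
        if record["subject"] != login["subject"]:
            findings.append((aid, "subject differs from IdP record"))
        accepted = datetime.fromisoformat(login["accepted"])
        age = accepted - datetime.fromisoformat(record["issued"])
        if age < timedelta(0) or age > max_age:
            findings.append((aid, "accepted outside validity window"))
        elif aid in seen:
            findings.append((aid, "assertion replayed"))
        seen.add(aid)
    return findings


if __name__ == "__main__":
    for aid, reason in find_suspect_logins(IDP_ISSUED, SP_ACCEPTED):
        print(f"{aid}: {reason}")
```

The check only works if identity provider and service logs are retained in a location that someone with access to the management interface cannot alter.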