
Cloud Vulnerability DB
A community-led vulnerabilities database
A command injection vulnerability (CVE-2020-4006) was identified in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector. The vulnerability was privately reported to VMware and initially disclosed on November 23, 2020, with updates following on December 3, 2020 (CERT VU, VMSA Advisory).
The vulnerability exists in the administrative configurator component of the affected VMware products, which is accessible on port 8443. It received a CVSSv3 base score of 7.2 and is categorized as 'Important' severity (VMSA Advisory).
A malicious actor with network access to the administrative configurator on port 8443 and valid credentials for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system. The password for this account is set during deployment, and potential methods for credential theft are documented in T1586 of the MITRE ATT&CK database (CERT VU, VMSA Advisory).
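Because exploitation requires network reachability of the configurator on port 8443, one defensive check is to review firewall or flow logs for allowed connections to that port from outside the administrative network. The following is an added example, not code from VMware or the advisory; the appliance addresses, management subnet, and log layout are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the advisory): appliance addresses, management
# subnet and the log layout below are constructed for illustration.
CONFIGURATOR_PORT = 8443  # port named in the advisory
APPLIANCES = {"10.20.0.15", "10.20.0.16"}
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed sample flow records: timestamp action proto src -> dst
SAMPLE_FLOWS = """\
2020-12-01T08:14:02Z ALLOW tcp 10.99.0.7:51544 -> 10.20.0.15:8443
2020-12-01T08:15:40Z ALLOW tcp 10.31.4.22:40112 -> 10.20.0.15:8443
2020-12-01T08:16:03Z DENY tcp 203.0.113.9:55010 -> 10.20.0.16:8443
2020-12-01T08:17:11Z ALLOW tcp 10.31.4.22:40190 -> 10.20.0.15:443
2020-12-01T08:18:45Z ALLOW tcp 198.51.100.4:33871 -> 10.20.0.16:8443
malformed line
"""

def parse_flow(line):
    """Parse one record; return None for lines that do not match the layout."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    ts, action, proto, src, _, dst = parts
    try:
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {"ts": ts, "action": action, "proto": proto,
                "src": ipaddress.ip_address(src_ip),
                "dst": dst_ip, "dport": int(dst_port)}
    except ValueError:
        return None

def exposed_configurator_flows(log_text):
    """Return allowed TCP flows to an appliance's port 8443 from non-management sources."""
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f["action"] != "ALLOW" or f["proto"] != "tcp":
            continue
        if f["dst"] not in APPLIANCES or f["dport"] != CONFIGURATOR_PORT:
            continue
        if any(f["src"] in net for net in MGMT_NETS):
            continue  # expected administrative access
        findings.append((f["ts"], str(f["src"]), f["dst"]))
    return findings

if __name__ == "__main__":
    for ts, src, dst in exposed_configurator_flows(SAMPLE_FLOWS):
        print(f"{ts} configurator on {dst}:{CONFIGURATOR_PORT} reached from {src}")
```

Each finding is a source that could reach the configurator login and should either be added to the management allowlist deliberately or blocked at the firewall.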
VMware released fixes for the affected products as documented in KB81754. Additionally, workarounds were made available in KB81731 for systems where immediate patching was not possible (VMSA Advisory).
The vulnerability received attention from government security organizations, with the Cybersecurity and Infrastructure Security Agency (CISA) issuing an alert encouraging users and administrators to review the VMware Security Advisory and apply necessary workarounds (CISA Alert).
Source: This report was generated using AI