CVE-2020-4006: 
VMware Identity Manager Connector (Windows) vulnerability analysis and mitigation

CVE-2020-4006 is a command injection vulnerability affecting VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products. The vulnerability was initially disclosed on November 23, 2020, after being privately reported to VMware by the National Security Agency (NSA). The affected products include VMware Workspace One Access, VMware Identity Manager (vIDM), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager running on both Linux and Windows operating systems (VMware Advisory).

The vulnerability exists in the administrative configurator component and received a CVSSv3 base score of 7.2. Initially rated at 9.1, the score was later revised down after determining the scope of impact was more limited. The vulnerability requires network access to the administrative configurator on port 8443 and valid administrator credentials for successful exploitation (VMware Advisory, Tenable Blog).

Successful exploitation allows an attacker to execute commands with unrestricted privileges on the underlying operating system. The vulnerability enables attackers to install web shells for remote administration and potentially access protected data by sending forged Security Assertion Markup Language (SAML) authentication assertions to Microsoft Active Directory Federation Services (ADFS) (Tenable Blog).

VMware released patches to address CVE-2020-4006 in the administrative configurator. Before applying patches, VMware recommends backing up specific folders on both Linux (/opt/vmware/horizon/workspace/webapps/cfg and /opt/vmware/horizon/workspace/webapps/hc) and Windows (INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\cfg and INSTALLLOCATION\opt\vmware\horizon\workspace\webapps\hc) installations (VMware Advisory).