CVE-2020-4006 — Multiple VMware Products Command Injection Vulnerability

VMware Workspace ONE Access — Command Injection in Admin Configurator Enables OS Command Execution; NSA-Attributed Russian SVR Exploitation for SAML Token Forgery

What is VMware Workspace ONE Access?

VMware Workspace ONE Access (formerly VMware Identity Manager) is an identity and access management platform that provides SSO (Single Sign-On) and multi-factor authentication for enterprise applications. It issues SAML tokens that federated services trust to authenticate users — when an application receives a valid SAML token from Workspace ONE Access, it grants the asserted user access without additional authentication. The administrative configurator (port 8443) is a web interface for initial setup and configuration of the Workspace ONE Access appliance. Because Workspace ONE Access is the trust anchor for enterprise SSO, compromising it allows forging authentication tokens accepted by any service that trusts it.

Overview

CVE-2020-4006 is a command injection vulnerability (CWE-78) in VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector. An attacker with access to the administrative configurator on port 8443 and a valid configurator administrator password can inject OS commands through the configurator interface, executing them with unrestricted privileges on the underlying OS. The NSA published a cybersecurity advisory in December 2020 attributing exploitation of CVE-2020-4006 to Russian SVR (Foreign Intelligence Service) actors for forging SAML tokens to access federated government data. VMSA-2020-0027 patches were released November 23, 2020.

Affected Versions

Product                                                          | Vulnerable | Fixed
VMware Workspace ONE Access 20.01 and 20.10 (Linux)              | Yes        | Apply VMSA-2020-0027 patch
VMware Identity Manager 3.3.1–3.3.3 (Linux)                      | Yes        | Apply VMSA-2020-0027 patch
VMware Identity Manager Connector 3.3.1–3.3.2 (Linux/Windows)    | Yes        | Apply VMSA-2020-0027 patch
VMware Cloud Foundation 4.x                                      | Yes        | Apply VMSA-2020-0027 patch
VMware vRealize Suite Lifecycle Manager 8.x                      | Yes        | Apply VMSA-2020-0027 patch

Technical Details

  • Root cause: OS command injection (CWE-78) in the administrative configurator on port 8443 — the configurator accepts management commands via HTTP parameters; certain parameters are passed to shell commands without proper sanitization; an authenticated attacker injects shell metacharacters into these parameters to execute arbitrary OS commands as the highest-privilege system user
  • PR:H requirement: The configurator requires authentication with the configurator administrator password (separate from the main admin credentials); NSA's advisory indicates the SVR obtained this password prior to exploitation — potentially via brute force, credential theft, or exploitation of other vulnerabilities providing access to the appliance
  • Scope: Changed (S:C): Code execution on the identity management appliance affects resources beyond the configurator itself — specifically, compromising the SAML signing keys and token issuance infrastructure impacts all federated services that trust Workspace ONE Access; one compromised appliance enables access to dozens or hundreds of applications
  • SAML token forgery: the primary NSA-attributed exploitation technique. Code execution on the Workspace ONE Access appliance gives access to the private key of the SAML signing certificate; with this key, the SVR forged SAML tokens asserting arbitrary user identities, bypassing MFA and authentication for any service that accepts Workspace ONE Access tokens, including cloud services, VPNs, and enterprise applications
  • NSA attribution: The December 2020 NSA advisory is unusual in explicitly naming the Russian SVR and documenting the exact exploitation technique — SAML forgery via identity provider compromise — indicating significant intelligence visibility into the active exploitation campaign
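
The CWE-78 pattern described above, shown as an added illustration rather than the configurator's actual code (which this page does not reproduce): a hypothetical management function that pastes an HTTP parameter into a shell command line, beside the hardened form that validates the value against an allowlist and passes it as a single argv element so no shell ever interprets it. The `ping` invocation, the hostname pattern and the helper names are assumptions for the example.

```python
import re
import shlex
import subprocess

# Allowlist for the one parameter this hypothetical endpoint accepts: a hostname.
# Letters, digits, dots and hyphens only; anything else is rejected outright.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# POSIX shell control operators and redirections that shlex (punctuation_chars=True)
# emits as separate tokens when they appear unquoted in a command string.
SHELL_OPERATORS = {";", "|", "&", "&&", "||", "(", ")", "<", ">"}


def build_command_vulnerable(hostname: str) -> str:
    """Illustrative CWE-78 pattern (hypothetical, NOT VMware's code).

    The untrusted parameter is interpolated into a command *string*. If that
    string is handed to a shell (e.g. subprocess.run(cmd, shell=True)), any
    shell metacharacters in the parameter change the command structure.
    """
    return f"ping -c 1 {hostname}"


def shell_would_split(cmd: str) -> bool:
    """Return True if a POSIX shell would see control operators in cmd.

    Defender-side check used here only to demonstrate why the string form is
    unsafe; it catches ';', '|', '&' etc. but not every construct a shell
    understands (command substitution, for instance), so it is not a fix.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return any(token in SHELL_OPERATORS for token in lexer)


def build_command_hardened(hostname: str) -> list[str]:
    """Hardened form: allowlist the value, then build an argv list.

    Each list element reaches the program as exactly one argument; with a list
    argv and the default shell=False, subprocess never invokes a shell, so
    metacharacters carry no meaning even if validation were bypassed.
    """
    if not HOST_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname parameter: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def run_hardened(argv: list[str]) -> subprocess.CompletedProcess:
    """Execute the argv list without a shell (shell=False is the default)."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: one benign hostname, one carrying a shell metacharacter.
    for value in ("host.example.com", "host.example.com; id"):
        cmd = build_command_vulnerable(value)
        print(f"string form {cmd!r}: shell would split = {shell_would_split(cmd)}")
        try:
            print("argv form:", build_command_hardened(value))
        except ValueError as exc:
            print("argv form:", exc)
```

The two defences are independent: the allowlist stops the hostile value at the boundary, and the argv list removes the shell from the execution path altogether. Relying on a denylist of metacharacters alone (the spirit of `shell_would_split`) is the common mistake behind CWE-78 findings, because the set of characters a shell treats specially is larger than most denylists.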

Discovery

VMware identified and patched CVE-2020-4006 in VMSA-2020-0027 (November 23, 2020). The NSA's December 7, 2020 advisory revealed ongoing exploitation by Russian SVR actors using the vulnerability for SAML token forgery against US government targets, providing the exploitation context that made this a high-priority KEV candidate.

Exploitation Context

CVE-2020-4006's exploitation by Russian SVR (Cozy Bear/APT29) for SAML token forgery represents a sophisticated attack technique against identity infrastructure. Rather than targeting individual user accounts, the SVR compromised the identity provider itself — allowing persistent, detection-resistant access using forged authentication tokens trusted by all federated services. This technique scales: a single identity provider compromise yields access to all applications in the federation. Government agencies and enterprises running Workspace ONE Access for SSO without adequate configurator access controls were particularly exposed.

Remediation

  1. Apply VMSA-2020-0027 patches for all affected VMware identity products — patching removes the command injection vulnerability
  2. Change the administrative configurator password immediately — rotate any credentials that may have been used to authenticate to the vulnerable configurator
  3. Investigate for SAML token forgery: review authentication logs for all services federated with Workspace ONE Access for anomalous login patterns; look for authentications that lack MFA evidence but claim trusted user identities
  4. Audit SAML signing certificate usage: if the signing certificate private key may have been exposed, rotate the certificate and re-establish trust with all federated service providers
  5. Restrict network access to port 8443 (configurator) to specific administrator management hosts only — the configurator should never be accessible from untrusted networks
  6. Implement certificate pinning or mutual TLS for service provider connections to Workspace ONE Access to detect forged tokens
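
Step 3 above asks for a review of federated-service logins that claim a trusted identity without matching MFA evidence. The following added example (not part of this page's source and not a VMware tool) correlates constructed service-provider login records against constructed Workspace ONE Access authentication events and flags three conditions the NSA-described forgery would produce: a service-provider login with no IdP authentication for that user shortly beforehand, an assertion whose `AuthnContext` class does not indicate a second factor, and an assertion with an unusually long validity window. Log field names, the JSON-lines shape, the ten-minute correlation window and the one-hour lifetime policy are all assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Left: authentication events on the
# IdP (Workspace ONE Access) side. Right: logins recorded by a federated service
# provider after it accepted a SAML assertion, with the assertion's key fields.
IDP_AUTH_LOG = """\
{"ts": "2020-12-01T09:00:05Z", "user": "alice@example.gov", "event": "LOGIN_SUCCESS", "mfa": true}
{"ts": "2020-12-01T09:30:00Z", "user": "bob@example.gov", "event": "LOGIN_SUCCESS", "mfa": true}
"""

SP_LOGIN_LOG = """\
{"ts": "2020-12-01T09:00:20Z", "user": "alice@example.gov", "assertion_id": "_a1", "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "not_before": "2020-12-01T09:00:05Z", "not_on_or_after": "2020-12-01T09:05:05Z"}
{"ts": "2020-12-01T09:31:00Z", "user": "bob@example.gov", "assertion_id": "_b2", "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract", "not_before": "2020-12-01T09:30:00Z", "not_on_or_after": "2020-12-01T09:35:00Z"}
{"ts": "2020-12-01T14:12:00Z", "user": "bob@example.gov", "assertion_id": "_b7", "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "not_before": "2020-12-01T14:11:00Z", "not_on_or_after": "2020-12-02T14:11:00Z"}
{"ts": "2020-12-01T09:02:00Z", "user": "carol@example.gov", "assertion_id": "_c3", "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport", "not_before": "2020-12-01T09:01:00Z", "not_on_or_after": "2020-12-01T09:06:00Z"}
"""

# SAML 2.0 AuthnContext class URIs that indicate a second factor was presented.
MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
}


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp such as 2020-12-01T09:00:05Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_sp_logins(idp_events, sp_logins,
                              window=timedelta(minutes=10),
                              max_lifetime=timedelta(hours=1)) -> dict[str, list[str]]:
    """Return {assertion_id: [reasons]} for service-provider logins that the
    IdP's own records cannot account for. A forged assertion is minted with a
    stolen signing key and never passes through the IdP, so it leaves no
    LOGIN_SUCCESS event behind and need not carry an MFA context or a short
    validity window."""
    idp_by_user: dict[str, list[datetime]] = {}
    for event in idp_events:
        if event.get("event") == "LOGIN_SUCCESS":
            idp_by_user.setdefault(event["user"], []).append(parse_ts(event["ts"]))

    findings: dict[str, list[str]] = {}
    for login in sp_logins:
        sp_ts = parse_ts(login["ts"])
        reasons = []
        # 1. Was there an IdP authentication for this user shortly before the SP login?
        recent = [t for t in idp_by_user.get(login["user"], []) if sp_ts - window <= t <= sp_ts]
        if not recent:
            reasons.append("no matching IdP authentication")
        # 2. Does the assertion itself claim a second factor?
        if login.get("authn_context") not in MFA_CONTEXTS:
            reasons.append("no MFA evidence in AuthnContext")
        # 3. Is the assertion valid for longer than the IdP is configured to issue?
        lifetime = parse_ts(login["not_on_or_after"]) - parse_ts(login["not_before"])
        if lifetime > max_lifetime:
            reasons.append("assertion lifetime exceeds policy")
        if reasons:
            findings[login["assertion_id"]] = reasons
    return findings


if __name__ == "__main__":
    results = find_suspicious_sp_logins(parse_jsonl(IDP_AUTH_LOG), parse_jsonl(SP_LOGIN_LOG))
    for assertion_id, reasons in results.items():
        print(f"{assertion_id}: {'; '.join(reasons)}")
```

On the constructed data, `_a1` and `_b2` are clean (each follows an MFA-backed IdP login within the window), while `_b7` trips all three checks and `_c3` belongs to a user the IdP never authenticated at all. In a real investigation the IdP-side source is the Workspace ONE Access audit log and the SP-side source is each relying party's own sign-in log, and the correlation has to be run for every federated service, since a forged token can be presented to any of them.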

Key Details

Property             | Value
CVE ID               | CVE-2020-4006
Vendor / Product     | VMware — Multiple Products
NVD Published        | 2020-11-23
NVD Last Modified    | 2025-10-30
CVSS 3.1 Score       | 9.1
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-78
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2020-11-23 | VMware releases VMSA-2020-0027 patch for CVE-2020-4006
2020-12-07 | NSA publishes Cybersecurity Advisory attributing CVE-2020-4006 exploitation to Russian state actors (SVR) for SAML token forgery attacks
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline