VMWare has issued a security advisory warning of a command injection vulnerability that could allow someone with access to the VMWare Configurator admin account to issue command with unrestricted privileges on the underlying operating system.
The vulnerability (CVE-2020-4006) affects VMWare Workspace One Access, Access Connector, Identity Manage and Identify Manager Connector administrative configurator. A malicious user who already has network access and a login to the VMWare administrative configurator on port 8443 is able to leverage that to gain access to the operating system with elevated privileges.
No patches are yet available from the vendor, however mitigations are available as a temporary workaround which essentially disables the Configurator subsystem to prevent its abuse until a fix can be published by VMWare.
By exploiting this vulnerability, Systems Engineers responsible for managing a VMware environment can gain unexpected access to the underlying operating systems – a particular concern for multi-tenanted or shared cloud hosting VMWare environments.