A recently released National Security Agency (NSA) Cybersecurity Advisory maintains that Russian entities have exploited a virtual workspace vulnerability in VMware products to access protected data on affected systems.
The advisory stresses the importance of National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators applying vendor-provided patches to impacted VMware identity management products as soon as possible.
Authorities indicated that, where a compromise is suspected, the process focuses on checking server logs and authentication server configurations, in addition to applying the product update. If an immediate patch is not possible, system administrators should apply the mitigations detailed in the advisory to reduce the risk of exploitation, compromise, and attack.
The advisory indicates that password-based access to the web-based management interface of the device is required to exploit the vulnerability, adding that using a strong and unique password lowers the risk of exploitation.
Additionally, officials said the risk is decreased if the web-based management interface is not accessible from the internet. When running products that perform authentication, it is critical that the server and all the services that depend on it are properly configured for secure operation and integration.
If integrating authentication servers with Active Directory Federation Services (ADFS), NSA recommends following Microsoft’s best practices, specifically those related to securing Security Assertion Markup Language (SAML) assertions and requiring multi-factor authentication.