We have no indication that VMware has any involvement in the nation-state attack on SolarWinds. We also immediately analyzed the limited use of SolarWinds in our environment and found no evidence of exploitation.
In a separate event, earlier this month, the National Security Agency (NSA) identified a vulnerability in VMware Workspace ONE (CVE 2020-4006). We issued a security patch for this vulnerability on Dec 3, 2020, and we continue to encourage all customers to apply the latest product updates, security patches and mitigations made available for their specific environment. In addition, VMware Carbon Black and NSX have been updated to provide customers the ability to detect and prevent malicious components related to these recent breaches. Although there may be commonalities between some methodologies used in a recent intrusion into an industry network and methodologies that can be used to exploit CVE 2020-4006, at this time, we have no indications that VMware has any involvement in the nation-state attack on SolarWinds. We want to clarify that all unpatched vulnerabilities that provide initial access can be used to achieve and maintain a persistent presence in networks.
We have been longtime advocates of cyber-hygiene principles that focus on protecting mission-critical business applications and data. These basic principles have never been more important and, when adhered to, can make a meaningful difference. They include Hardening and Patching, Multi-Factor Authentication, Least Privilege, Micro-segmentation, and Behavioral-Based Threat Detection and Response.
VMware strives to provide customers with solutions that make security intrinsic to their environment, building it into their infrastructure, device management and applications, simplifying cyber hygiene, and shifting customers from a reactive posture to a position of strength. We remain committed to transparency and will update this blog post as events transpire.
For additional product information, please refer to the following blog posts.