On 9th April 2020, VMware released advisory VMSA-2020-0006 to address a critical information disclosure vulnerability, assigned CVE-2020-3952. The vulnerability could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.
vCenter Server provides a centralized platform for controlling VMware vSphere environments and is used to manage virtual infrastructure in a very large number of hybrid clouds, so the scope and impact of this vulnerability are considerable.
CVE-2020-3952
Under certain conditions vmdir that ships with VMware vCenter Server, as a part of an embedded or external Platform Services Controller (PSC), doesn’t correctly implement access controls. VMware has evaluated the severity of this issue to be within the Critical severity range with a maximum CVSSv3 base score of 10.0.
vmdir is a component of VMware’s vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console. According to the product description, “a single administrator can manage hundreds of workloads.”
These workloads are governed by a single sign-on (SSO) mechanism to make life easier for administrators: instead of signing into each host or VM with separate credentials to gain visibility into it, one authentication mechanism works across the whole management console.
vmdir in turn is a central component of vCenter SSO (along with the Security Token Service, an administration server and the vCenter Lookup Service). According to VMware, vmdir is also used for certificate management for the workloads governed by vCenter.
As for the attack vector, “a malicious actor with network access to an affected vmdir deployment could also be allowed to extract highly sensitive information,” VMware noted. In turn, this information might be used to compromise the vCenter Server itself “or other services which are dependent upon vmdir for authentication.”
Affected vCenter versions:
vCenter Server 6.7 (embedded or external PSC) before 6.7u3f is affected by CVE-2020-3952, but only if it was upgraded from a previous version (6.0 or 6.5). Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.
VMware has published KB article 78543 with additional guidance to check if a vCenter Server 6.7 deployment is affected.
How to detect Vulnerable Systems?
VMware users can determine whether they are affected by searching the vmdir logs: when the vmdir service starts, it writes a log entry stating that legacy ACL mode is enabled.
Qualys has also released QID 216222 to detect vulnerable vCenter configurations.
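The log check described above, written out as an added shell example (not VMware's or Qualys' own tooling): it searches a vmdir log for a start-up entry reporting legacy ACL mode and reports a verdict per file. The default log path and the exact wording of the entry are assumptions, since the page does not state them; confirm both against VMware KB 78543. The sample log lines are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not from VMware or Qualys: look for the vmdir start-up log
# entry that reports legacy ACL mode, the indicator the advisory describes for
# an affected vCenter Server 6.7 deployment upgraded from 6.0/6.5.
# ASSUMPTIONS: the default log path and the exact wording of the entry are not
# stated on the page; confirm both against VMware KB 78543 before relying on it.

VMDIR_LOG="${VMDIR_LOG:-/var/log/vmware/vmdird/vmdird-syslog.log}"   # assumed path

# vmdir_legacy_acl_enabled LOGFILE
# Exit status 0 when an entry reporting legacy ACL mode is present, 1 otherwise.
# The pattern is case-insensitive and accepts both "legacy ACL mode" and
# "ACL mode: legacy" word orders, since the exact wording is an assumption.
vmdir_legacy_acl_enabled() {
    grep -qiE 'legacy[[:space:]]+acl[[:space:]]+mode|acl[[:space:]]+mode:?[[:space:]]+legacy' "$1"
}

# Constructed sample logs (not real vmdir output) so the check can be run offline:
# $1 receives an "affected" log, $2 a clean one.
make_sample_logs() {
    cat > "$1" <<'EOF'
2020-04-10T10:00:01 vmdird: vmdir service starting
2020-04-10T10:00:02 vmdird: ACL MODE: Legacy
2020-04-10T10:00:03 vmdird: listening on port 389
EOF
    cat > "$2" <<'EOF'
2020-04-10T10:00:01 vmdird: vmdir service starting
2020-04-10T10:00:03 vmdird: listening on port 389
EOF
}

# report LOGFILE: human-readable verdict for one log file.
report() {
    if vmdir_legacy_acl_enabled "$1"; then
        echo "$1: legacy ACL mode entry found -> treat as affected by CVE-2020-3952 (patch to 6.7u3f)"
    else
        echo "$1: no legacy ACL mode entry -> not affected by this indicator"
    fi
}

if [ -r "$VMDIR_LOG" ]; then
    report "$VMDIR_LOG"
else
    # No live log available: demonstrate on the constructed samples.
    affected=$(mktemp)
    clean=$(mktemp)
    make_sample_logs "$affected" "$clean"
    report "$affected"
    report "$clean"
    rm -f "$affected" "$clean"
fi
```

On a vCenter Server Appliance the script is run with `VMDIR_LOG` pointed at the real vmdird log; anywhere else it falls back to the constructed samples. A hit only means the deployment matches the advisory's indicator; the authoritative fix is still the 6.7u3f patch.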
Remediation
There are no workarounds, but administrators are encouraged to apply the patches as soon as possible.
Please refer to the VMware advisory for further details.
References:
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
https://kb.vmware.com/s/article/78543
https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/
https://securityaffairs.co/wordpress/101388/security/cve-2020-3952-vmware-vcenter-server.html
To make your lockdown days more interesting, please continue to follow Qualys ThreatProtect.
#Stay@Home
#StaySafe