SkOUT Threat Advisory 0025-20:
Critical VMware Bug (CVE-2020-3952)
Our partners at SkOUT Cybersecurity have alerted us to this current threat.
There is a high-severity vulnerability in VMware vCenter that could allow an attacker to compromise all virtual machines on a server. The critical flaw scored a 10 out of 10 on the Common Vulnerability Scoring System, signaling a major threat. SKOUT advises updating VMware vCenter to the latest version immediately. Instructions on how to find out if your server is affected are included in the recommendations section.
Technical detail and additional information
What is the threat?
A critical information-disclosure bug exists in VMware vCenter Server version 6.7 prior to 6.7u3f, as part of an embedded or external Platform Services Controller (PSC). Specifically, the VMware Directory Service (vmdir) does not correctly implement access controls. This means that a malicious actor with network access to an affected vmdir deployment could access any sensitive information that deployment has access to. This information could in turn be used to compromise the vCenter Server, or other services that depend on vmdir for authentication.
Why is this noteworthy?
This vulnerability has been given a 10 out of 10 on the CVSS v3 vulnerability severity scale, which means that it is extremely critical and one of the most severe vulnerabilities ever to affect VMware. VMware is one of the top choices, if not the top choice, for virtualization software for organizations of all sizes across the globe. These organizations use VMware vCenter Server and similar products to manage all of the organization’s virtual machines (VMs) from a single console, governed by a single sign-on (SSO) mechanism. This simplifies administrative access to each VM or host, because administrators do not have to authenticate to each one individually. If the access controls for this process are misconfigured or weak, then the entire network of VMs, and all that they have access to, can be compromised.
What is the exposure or risk?
By leveraging this vulnerability, an attacker can gain access to a wide variety of hosts and systems that are governed by vmdir. Because vmdir is a central component of vCenter’s SSO and certificate management, an attacker can compromise any and all VMs and hosts governed by vCenter Server. If an attacker is able to access every single VM or host in this way, they would have visibility into all assets these machines have access to. What those assets are varies by organization, but a malicious actor having access to (or even control of) the entire network managed by vCenter could lead to untold levels of damage.
What are the recommendations?
VMware has released a patch fixing this critical vulnerability, and it is strongly recommended that you upgrade vCenter Server as quickly as possible. You can find the download links for the affected versions of vCenter Server in the security advisory released by VMware below:
You can identify whether your current version of vCenter Server is affected by this vulnerability by searching for vmdir entries in the logs. If your deployment is vulnerable, you will see a log entry, created when the vmdir service starts, which states that a legacy ACL mode is enabled. An example of what this looks like has been provided below, courtesy of VMware:
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy.
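The log check described above, as an added example (not code from VMware or SKOUT): a shell function that finds the newest vmdird ACL MODE entry in the log files passed to it and separates three outcomes: Legacy, not Legacy, and no entry at all. The log file location is left as an argument because the advisory does not give one; the function names and the filler log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware's or SKOUT's code): find the newest vmdird
# "ACL MODE" start-up entry in one or more log files passed as arguments.

# Print "<timestamp> <mode>" for the newest vmdird ACL MODE line.
# Assumes the line layout of the advisory's sample and timestamps that share
# one UTC offset, so ISO-8601 strings compare correctly as plain text.
latest_acl_mode() {
    awk '/ vmdird / && /ACL MODE:/ {
             mode = $0
             sub(/.*ACL MODE:[ \t]*/, "", mode)   # keep the text after the tag
             sub(/[. \t\r]+$/, "", mode)          # drop trailing period/blanks
             if ($1 >= ts) { ts = $1; last = mode }
         }
         END { if (ts != "") print ts, last }' "$@"
}

# Return 1 if the newest entry says Legacy (the advisory's indicator),
# 0 if it says anything else, 2 if no entry exists (rotated logs: inconclusive).
check_vmdir_acl() {
    entry=$(latest_acl_mode "$@")
    if [ -z "$entry" ]; then
        echo "INCONCLUSIVE: no vmdird ACL MODE entry in the supplied logs"
        return 2
    fi
    case "${entry#* }" in
        Legacy) echo "LEGACY ACL MODE at ${entry%% *}: treat as affected"; return 1 ;;
        *)      echo "Newest ACL MODE entry is not Legacy: $entry"; return 0 ;;
    esac
}

# Constructed sample log: the first line is constructed filler, the second is
# the entry quoted in the advisory.
make_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
2020-04-06T17:50:41.120000+00:00 info vmdird t@139910871058176: constructed filler line
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy.
EOF
    echo "$f"
}

sample=$(make_sample_log)
check_vmdir_acl "$sample" || echo "exit status: $?"
rm -f "$sample"
```

An exit status of 2 means the start-up entry was not in the files searched, for example because the logs have rotated since the service last started, so it should not be read as "not affected".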
For more in-depth information about the recommendations, please visit the following links: