Researchers have published the details of an investigation into CVE-2020-3952, a major vulnerability in VMware's vCenter that was disclosed and patched on April 9. The flaw was given a CVSS score of 10.
CVE-2020-3952 exists in VMware's Directory Service (vmdir), which is a part of VMware vCenter Server, a centralized management platform for virtualized hosts and virtual machines. Through vCenter Server, the company says, an administrator can manage hundreds of workloads. The platform uses single sign-on (SSO), which includes vmdir, Security Token Service, an administration server, and the vCenter Lookup Service. Vmdir is also used for certificate management for the workloads vCenter handles.
When VMware disclosed the vulnerability, it said vmdir "does not correctly implement access controls." An attacker with network access to port 389 on an affected vmdir deployment could potentially steal highly sensitive information such as administrative account credentials, which could be used to access a vCenter Server or another service that depends on vmdir for authentication. Noting that technical details were missing, two Guardicore researchers decided to take a deeper dive into the vulnerability.
"We wanted to get a better understanding of its risks and to see how an attacker could exploit them, so we started investigating the changes in VMware's recommended patch," which is vCenter Appliance 6.7 Update 3f, researchers JJ Lehmann and Ofri Ziv explain in a blog post on their analysis. They learned an unauthenticated attacker, with nothing more than network access to vmdir, could add an administrator account to the vCenter Directory. They implemented a proof of concept for the exploit to demonstrate a remote takeover of the entire vSphere deployment.
The critical flaw is enabled by two issues in vmdir's legacy LDAP handling code. One is a bug in the function VmDirLegacyAccessCheck, which causes it to return "access granted" when the permissions check fails. The second is a security design flaw that grants root privileges to an LDAP session carrying no token, on the assumption that the request is internal. The server assumes, they say, that requests missing a token originate inside the system and should therefore be allowed to proceed.
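As an added illustration (not VMware's code; the article does not reproduce the real vmdir logic), the C model below places the two fail-open behaviours described above beside a fail-closed check. The function names, the token and ACL representation, and the return codes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative model only: names, types and codes are assumptions,
 * not the actual vmdir implementation. */
typedef enum { ACL_ALLOW = 0, ACL_DENY = 1, ACL_ERROR = 2 } acl_result;

/* Stand-in for the underlying permission lookup.
 * acl_entry: -1 models a lookup that fails (no usable entry),
 *            0 models an explicit deny, 1 models an explicit allow. */
static acl_result raw_permission_check(int acl_entry) {
    if (acl_entry < 0) return ACL_ERROR;
    return acl_entry ? ACL_ALLOW : ACL_DENY;
}

/* Fail-open pattern matching the article's description, kept only as the
 * 'before' for comparison: a session with no token (token == NULL) is
 * treated as internal and granted access, and an error from the
 * permission check is mapped to "granted" instead of "denied". */
bool legacy_access_check_fail_open(const char *token, int acl_entry) {
    if (token == NULL) return true;                 /* "must be internal" */
    acl_result r = raw_permission_check(acl_entry);
    if (r == ACL_ERROR) return true;                /* bug: error => granted */
    return r == ACL_ALLOW;
}

/* Fail-closed version: deny unless the check affirmatively allows, and
 * never infer trust from the absence of a credential. */
bool access_check_fail_closed(const char *token, int acl_entry) {
    if (token == NULL) return false;                /* no credential, no access */
    return raw_permission_check(acl_entry) == ACL_ALLOW;
}

int main(void) {
    /* Constructed sample sessions: tokenless, failed lookup, allowed, denied. */
    printf("no token:      open=%d closed=%d\n",
           legacy_access_check_fail_open(NULL, 1), access_check_fail_closed(NULL, 1));
    printf("lookup error:  open=%d closed=%d\n",
           legacy_access_check_fail_open("tok", -1), access_check_fail_closed("tok", -1));
    printf("explicit allow open=%d closed=%d\n",
           legacy_access_check_fail_open("tok", 1), access_check_fail_closed("tok", 1));
    printf("explicit deny  open=%d closed=%d\n",
           legacy_access_check_fail_open("tok", 0), access_check_fail_closed("tok", 0));
    return 0;
}
```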
This vulnerability affects all instances of vCenter Server 6.7 and external 6.7 Platform Services Controllers that were upgraded from an earlier version such as 6.0 or 6.5. Clean installs are not affected.