Critical VMware Bug Opens Up Corporate Treasure to Hackers


The bug — rated 10 in severity — potentially affects large numbers of corporate VMs and hosts.

A critical information-disclosure bug in VMware’s Directory Service (vmdir) could lay bare the contents of entire corporate virtual infrastructures, if exploited by cyberattackers.

The vmdir is part of VMware’s vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console. According to the product description, “a single administrator can manage hundreds of workloads.”

These workloads are governed by a single sign-on (SSO) mechanism to make things easier for administrators; rather than having to sign into each host or VM with separate credentials in order to gain visibility to it, one authentication mechanism works across the entire management console.

The vmdir in turn is a central component to the vCenter SSO (along with the Security Token Service, an administration server and vCenter Lookup Service). Also, vmdir is used for certificate management for the workloads governed by vCenter, according to VMware.

The critical flaw (CVE-2020-3952) was disclosed and patched on Thursday; it rates 10 out of 10 on the CVSS v.3 vulnerability severity scale. At issue is a poorly implemented access control, according to the bug advisory, which could allow a malicious actor to bypass authentication mechanisms.

“Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls,” the description explained.

As for the attack vector, “a malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information,” VMware noted. In turn, this information could be used to compromise the vCenter Server itself “or other services which are dependent upon vmdir for authentication.”

There are no workarounds, but administrators are encouraged to apply the patches as soon as possible.

vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected, according to the company. To help administrators find out if their vmdir deployments are affected by CVE-2020-3952, the vendor has published a how-to knowledge base document.

“VMware, one of, if not the most, popular virtualization software companies in the world, recently patched an extremely critical information disclosure vulnerability…one of the most severe vulnerabilities that has affected VMware software,” Chris Hass, director of information security and research at Automox, told Threatpost. “vCenter Server provides a centralized platform for controlling VMware vSphere environments, it helps manage virtual infrastructure in a tremendous number of hybrid clouds, so the scope and impact of this vulnerability is quite large. Organizations using vCenter need to check their vmdir logs for affected versions, ACL MODE: legacy, and patch immediately.”

No specific acknowledgments were given for the bug discovery – VMware noted only that it was “disclosed privately.”

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.


Suggested articles