VMware has fixed a critical vulnerability (CVE-2020-3952) affecting vCenter Server, which can be exploited to extract highly sensitive information that could be used to compromise vCenter Server or other services which depend on the VMware Directory Service (vmdir) for authentication.
VMware vSphere is VMware’s cloud computing virtualization platform. vCenter Server is server management software for controlling VMware vSphere environments.
“Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0,” the company noted in an advisory published last week.
The vulnerability exists in vCenter Server 6.7, running on Windows or a virtual appliance, only if the installations were upgraded from a previous release line such as 6.0 or 6.5. It can be exploited by a malicious actor with network access to an affected vmdir deployment.
“Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected. vCenter Server versions 6.5. and 7.0 are unaffected,” the company pointed out.
How to fix the problem?
Administrators are advised to check whether their deployments are affected (here is how) and, if they are, update them to version 6.7u3f or 7.0.
There are no effective workarounds for this problem, though there are compensating controls admins can implement to minimize/mitigate the risk associated with it.
Bob Plankers, who works in the Cloud Platforms group at VMware, provided additional insight on those controls, on why it’s better to patch, and answered a number of questions admins may have regarding this flaw and the implementation of the fix.
CVE-2020-3952 was privately reported to VMware and there are currently no public PoC exploits for it. The company did not mention whether the flaw is being exploited in the wild, so it’s likely that it isn’t (yet).
UPDATE (April 17, 2020, 12:55 a.m. PT):