A critical vulnerability in VMware’s vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.
The astonishing vuln (CVE-2020-3952), details of which were sparse when VMware issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest possible score.
Admins in charge of VMware estates should probably patch this one immediately, if they haven’t already.
Guardicore researcher JJ Lehman told The Register: “You have to be network accessible but you don’t have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts.”
The virtualization vendor issued an advisory note and patch on 9 April that explained that a “malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials”.
“It’s very unique,” Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team’s eye. “This is why this is such a critical issue and this is why we believe it’s important for people to understand and mitigate it as fast as possible.”
He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.
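The advisory quoted above pins the exposure to unauthenticated network access to port 389 on vmdir, and Lehman notes that abuse leaves few traces on the host itself. One thing a defender can do regardless is watch the network side: flag any connection to a vCenter's port 389 that does not come from the management segment. The script below is an added example, not code from Guardicore, VMware or The Register; the vCenter addresses, management subnets and the comma-separated flow records are constructed for illustration, and the record format is a generic `timestamp,src,dst,dport` layout rather than any real product's log format.

```python
import ipaddress
from typing import Iterable, List, NamedTuple

# Constructed inventory for the example: which hosts are vCenter servers and
# which subnets are allowed to talk to vmdir's LDAP listener on port 389.
VCENTER_HOSTS = {"10.0.10.5", "10.0.10.6"}
VMDIR_LDAP_PORT = 389
MANAGEMENT_NETS = [
    ipaddress.ip_network("10.0.10.0/24"),   # vCenter's own segment
    ipaddress.ip_network("10.0.99.0/24"),   # admin jump-host segment
]


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<ts>,<src>,<dst>,<dport>'."""
    ts, src, dst, dport = (field.strip() for field in line.split(","))
    return Flow(ts, src, dst, int(dport))


def is_unexpected_vmdir_access(flow: Flow) -> bool:
    """True when a non-management source reaches a vCenter on the vmdir LDAP port."""
    if flow.dst not in VCENTER_HOSTS or flow.dport != VMDIR_LDAP_PORT:
        return False
    src = ipaddress.ip_address(flow.src)
    return not any(src in net for net in MANAGEMENT_NETS)


def find_unexpected_vmdir_access(lines: Iterable[str]) -> List[Flow]:
    """Run the check over raw flow records, skipping blank lines."""
    flows = (parse_flow(line) for line in lines if line.strip())
    return [flow for flow in flows if is_unexpected_vmdir_access(flow)]


# Constructed sample records: one legitimate admin session, one vCenter hit
# from a user segment, a 443 hit (not in scope), a 389 hit on a non-vCenter
# host (not in scope), and a second out-of-policy vCenter hit.
SAMPLE_FLOWS = """
2020-04-13T09:00:01Z,10.0.99.20,10.0.10.5,389
2020-04-13T09:00:05Z,10.20.3.44,10.0.10.5,389
2020-04-13T09:00:09Z,10.20.3.44,10.0.10.5,443
2020-04-13T09:00:12Z,10.20.3.44,10.0.20.7,389
2020-04-13T09:01:00Z,192.168.5.9,10.0.10.6,389
"""


if __name__ == "__main__":
    for hit in find_unexpected_vmdir_access(SAMPLE_FLOWS.splitlines()):
        print(f"{hit.ts} unexpected vmdir LDAP access {hit.src} -> {hit.dst}:{hit.dport}")
```

The same policy (management subnets only) is what a perimeter or hypervisor-level firewall rule for port 389 should encode; running the check over flow or firewall logs tells you whether that rule is actually holding, and gives you a place to look if a host on the wrong segment starts talking to vmdir.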
Robin Edgar