Patch your vCenter Server for the CVSS 10.0-rated vulnerability – CVE-2020-3952

This report covers the vulnerability in VMware vCenter Server tracked as CVE-2020-3952. The vulnerability is caused by improper access controls in the VMware Directory Service. The affected version is vCenter 6.7, and a patch for the flaw is available.

What is vCenter server?

vCenter Server is an application that enables you to manage your vSphere infrastructure from a centralized location. It acts as a central administration point for ESXi hosts and their respective virtual machines. A single vCenter Server instance can support a maximum of 1,000 hosts, 10,000 powered-on virtual machines and 15,000 registered virtual machines.

vCenter Server enables IT administrators to centrally manage virtualized hosts and virtual machines in enterprise environments from a single console. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert regarding this product on April 10, 2020.

CVE-2020-3952 and its technical details

The root cause of this vulnerability is the improper implementation of access controls allowing a bad actor to extract highly sensitive information from the VMware Directory Service (vmdir). When this software flaw is successfully exploited, a bad actor with network access can target the authentication mechanisms within vCenter. The vulnerability affects both the vCenter Server Appliance and the vCenter Server on Windows. This software flaw only exists in vCenter version 6.7.

CVE-2020-3952 in VMware vCenter Server was privately reported to the vendor by a security researcher and is rated with a CVSSv3 score of 10.0. The issue is that vmdir, which ships with VMware vCenter Server as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls under certain conditions, as explained above.

Affected products

VMware vCenter Server (Not all version numbers).

Impact

  • This vulnerability could result in the loss of sensitive information which may lead to the compromise of a critical asset.
  • There’s a strong possibility that a bad actor may be able to bypass the authentication mechanisms of the vCenter Server and gain full control of the affected host.
  • If control is lost, the bad actor could make changes to the host and extract valuable data from the virtual machines residing on the deployment.

How to determine whether a vCenter Server 6.7 deployment is affected by this vulnerability

Check the vmdir log. Affected deployments write a log entry when the vmdir service starts, stating that legacy ACL mode is enabled.

  • Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
  • Windows Log File Location: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log

Example:
2020-04-06T17:50:41.859003+00:00 info vmdird  t@139910871058176: Domain Functional Level (1)
2020-04-06T17:50:41.859668+00:00 info vmdird  t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird  t@139910871058176: ACL MODE: Legacy
2020-04-06T17:50:41.864522+00:00 info vmdird  t@139910871058176: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.

Note: Because the "ACL MODE: Legacy" line is only written at vmdir startup, this entry may be absent because of log file rollover, even on affected deployments.
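
The log check and the rollover caveat above can be combined into one script. This is an added example, not VMware's tooling or code from the original post: it scans the log files given as arguments (plain or gzip-compressed) and reports three outcomes instead of a yes/no. Treating the VmDirKrbInit line as evidence that a vmdir startup was captured is an assumption based only on the sample log above, and the verdict names are made up for this example.

```python
#!/usr/bin/env python3
"""Check vmdird logs for the legacy ACL mode startup entry (CVE-2020-3952)."""
import gzip
import re
import sys

LEGACY = re.compile(r"\bACL MODE:\s*Legacy\b")
# Assumption: VmDirKrbInit is logged next to the ACL MODE line in the sample
# log above, so it is used here as evidence that a vmdir startup was captured.
STARTUP = re.compile(r"\bVmDirKrbInit\b")


def read_lines(path):
    """Yield lines from a plain or gzip-compressed (rotated) log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh


def classify(lines):
    """Return (verdict, timestamps of legacy entries) for log lines."""
    legacy, startups = [], 0
    for line in lines:
        if LEGACY.search(line):
            legacy.append(line.split(maxsplit=1)[0])
        elif STARTUP.search(line):
            startups += 1
    if legacy:
        return "legacy-acl-mode", legacy
    if startups:
        return "startup-without-legacy", []
    # No startup captured: the entry may have rolled out of the retained logs.
    return "inconclusive", []


# Constructed sample, modelled on the log excerpt above.
SAMPLE = """\
2020-04-06T17:50:41.859668+00:00 info vmdird  t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird  t@139910871058176: ACL MODE: Legacy
""".splitlines()

if __name__ == "__main__":
    paths = sys.argv[1:]
    lines = (l for p in paths for l in read_lines(p)) if paths else SAMPLE
    verdict, stamps = classify(lines)
    print(verdict, *stamps)
    sys.exit(1 if verdict == "legacy-acl-mode" else 0)
```

An "inconclusive" result means no startup was found in the files scanned, so the deployment's version and upgrade history decide whether it needs the patch.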

Mitigation / Recommendation

VMware released vCenter Server version 6.7u3f to address this vulnerability. The following table shows the affected versions of vCenter Server.

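| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter Server | 7.0 | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.7 | Virtual Appliance | CVE-2020-3952 | 10.0 | Critical | 6.7u3f | None | KB78543 |
| vCenter Server | 6.7 | Windows | CVE-2020-3952 | 10.0 | Critical | 6.7u3f | None | KB78543 |
| vCenter Server | 6.5 | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
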
VMware product version numbers and patched version numbers

According to VMware’s advisory, the vulnerability only affects specific deployments of vCenter Server 6.7: those instances where vCenter Server was upgraded from a previous version, including version 6.0 or 6.5. A new and clean installation of vCenter Server 6.7 is not affected.
