Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

VMware Patches Serious Flaws in vRealize Operations for Horizon Adapter

VMware has patched serious vulnerabilities, including remote code execution and authentication bypass issues, in vRealize Operations for Horizon Adapter.

VMware has patched serious vulnerabilities, including remote code execution and authentication bypass issues, in vRealize Operations for Horizon Adapter.

VMware vRealize Operations is designed to deliver operational insights in an effort to simplify and automate the management of applications and infrastructure across virtual, physical and cloud environments. Horizon Adapter instances created on vRealize Operations Manager nodes enable users to receive communications from Horizon agents installed on virtual machines.

An Trinh of the cyber security division at Viettel, Vietnam’s largest telecommunications service provider, discovered that vRealize Operations for Horizon Adapter is affected by three vulnerabilities.

SecurityWeek reached out to Trinh for more information on the vulnerabilities, but the researcher said he did not want to share any additional details at this time.

According to VMware, the most serious of the flaws, tracked as CVE-2020-3943 and classified as critical, can allow remote code execution. The vulnerability can be exploited by an unauthenticated attacker with network access to vRealize Operations, with the Horizon Adapter running.

“vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured,” VMware said in an advisory.

The second vulnerability, tracked as CVE-2020-3944 and rated high severity, allows an unauthenticated attacker with access to the network to bypass Adapter authentication. VMware has blamed the vulnerability on “an improper trust store configuration.”

The third security hole uncovered by Trinh is an information disclosure issue caused by “incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View.”

Advertisement. Scroll to continue reading.

According to VMware, which classified this vulnerability as medium severity, an unauthenticated attacker may be able to obtain sensitive information that they can leverage to bypass the Adapter’s authentication mechanism.

All vulnerabilities affect vRealize Operations for Horizon Adapter 6.6.x and 6.7.x on Windows, and they have been patched with the release of versions 6.6.1 and 6.7.1. No workarounds are available.

Related: Vulnerabilities Found in VMware Tools, Workspace ONE SDK

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Related: VMware Patches Six Vulnerabilities in Various Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.