Security Experts:

Details Released for Flaw Allowing Full Control Over VMware Deployments

Cloud and data center security solutions provider Guardicore on Wednesday made available technical information on a critical VMware vCenter Server vulnerability that can be exploited by an attacker to gain full control over the targeted VMware deployment.

VMware informed customers earlier this month that it has patched a serious vulnerability affecting vCenter Server 6.7 on Windows and virtual appliances. The flaw, related to the Directory Service (vmdir), has been described as an information disclosure issue that can be leveraged to obtain sensitive data that “could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.”

VMware noted that the vulnerability, which it tracks as CVE-2020-3952, only impacts vCenter Server 6.7 installations if they were upgraded from a previous version, but not if the user directly installed version 6.7.

Few details have been made available by VMware so researchers at Guardicore have decided to analyze the patch in an effort to identify the changes made by the virtualization giant to address the vulnerability. It’s worth noting that while the cybersecurity firm has released a detailed technical analysis of how this vulnerability can be exploited, it has not released a proof-of-concept (PoC) exploit.

According to Guardicore, an attacker with network access to a vCenter Server LDAP service can create a user with full privileges on the vCenter Directory, which would give them full control over the VMware deployment.

“This is enabled due to two critical issues in vmdir’s legacy LDAP handling code: 1) A bug in a function named VmDirLegacyAccessCheck which causes it to return ‘access granted’ when permissions checks fail; 2) A security design flaw which grants root privileges to an LDAP session with no token, under the assumption that it is an internal operation,” Guardicore said in a blog post.

Guardicore researchers determined that VMware developers likely knew about some of the bugs that led to this vulnerability, but apparently they failed to take action for a long time.

“The fix to VmDirLegacyAccessCheck isn’t any more than band-aid — had VMware looked into this bug in-depth they would have found a series of issues that need to be addressed: the strange semantics of bIsAnonymousBind, the disastrous handling of pAccessToken, and, of course, the bug we started from, in VmDirLegacyAccessCheck,” the researchers explained.

“Perhaps the most distressing thing, though, is the fact that the bugfix to VmDirLegacyAccessCheck was written nearly three years ago, and is only being released now. Three years is a long time for something as critical as an LDAP privilege escalation not to make it into the release schedule — especially when it turns out to be much more than a privilege escalation,” they added.

VMware also informed customers this week that it has released patches for cross-site scripting (XSS) and open redirect vulnerabilities affecting its vRealize Log Insight product.

VMware last month released two patches for a privilege escalation vulnerability affecting the macOS version of Fusion. However, the researchers who reported the flaw to VMware said both of them were incomplete.

Related: Critical Flaw in VMware Workstation, Fusion Allows Code Execution on Host From Guest

Related: Vulnerabilities Found in VMware Tools, Workspace ONE SDK

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.