Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Details Released for Flaw Allowing Full Control Over VMware Deployments

Cloud and data center security solutions provider Guardicore on Wednesday made available technical information on a critical VMware vCenter Server vulnerability that can be exploited by an attacker to gain full control over the targeted VMware deployment.

Cloud and data center security solutions provider Guardicore on Wednesday made available technical information on a critical VMware vCenter Server vulnerability that can be exploited by an attacker to gain full control over the targeted VMware deployment.

VMware informed customers earlier this month that it has patched a serious vulnerability affecting vCenter Server 6.7 on Windows and virtual appliances. The flaw, related to the Directory Service (vmdir), has been described as an information disclosure issue that can be leveraged to obtain sensitive data that “could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.”

VMware noted that the vulnerability, which it tracks as CVE-2020-3952, only impacts vCenter Server 6.7 installations if they were upgraded from a previous version, but not if the user directly installed version 6.7.

Few details have been made available by VMware so researchers at Guardicore have decided to analyze the patch in an effort to identify the changes made by the virtualization giant to address the vulnerability. It’s worth noting that while the cybersecurity firm has released a detailed technical analysis of how this vulnerability can be exploited, it has not released a proof-of-concept (PoC) exploit.

According to Guardicore, an attacker with network access to a vCenter Server LDAP service can create a user with full privileges on the vCenter Directory, which would give them full control over the VMware deployment.

“This is enabled due to two critical issues in vmdir’s legacy LDAP handling code: 1) A bug in a function named VmDirLegacyAccessCheck which causes it to return ‘access granted’ when permissions checks fail; 2) A security design flaw which grants root privileges to an LDAP session with no token, under the assumption that it is an internal operation,” Guardicore said in a blog post.

Guardicore researchers determined that VMware developers likely knew about some of the bugs that led to this vulnerability, but apparently they failed to take action for a long time.

“The fix to VmDirLegacyAccessCheck isn’t any more than band-aid — had VMware looked into this bug in-depth they would have found a series of issues that need to be addressed: the strange semantics of bIsAnonymousBind, the disastrous handling of pAccessToken, and, of course, the bug we started from, in VmDirLegacyAccessCheck,” the researchers explained.

“Perhaps the most distressing thing, though, is the fact that the bugfix to VmDirLegacyAccessCheck was written nearly three years ago, and is only being released now. Three years is a long time for something as critical as an LDAP privilege escalation not to make it into the release schedule — especially when it turns out to be much more than a privilege escalation,” they added.

VMware also informed customers this week that it has released patches for cross-site scripting (XSS) and open redirect vulnerabilities affecting its vRealize Log Insight product.

VMware last month released two patches for a privilege escalation vulnerability affecting the macOS version of Fusion. However, the researchers who reported the flaw to VMware said both of them were incomplete.

Related: Critical Flaw in VMware Workstation, Fusion Allows Code Execution on Host From Guest

Related: Vulnerabilities Found in VMware Tools, Workspace ONE SDK

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.