Security Experts:

VMware to Patch Recent Salt Vulnerabilities in vROps

VMware is working on patches for its vRealize Operations Manager (vROps) product to fix two recently disclosed Salt vulnerabilities that have already been exploited to hack organizations.

Researchers discovered recently that the configuration management and orchestration system Salt is affected by serious vulnerabilities that can be exploited for authentication bypass (CVE-2020-11651) and directory traversal (CVE-2020-11652).

Experts warned that malicious actors were likely to start targeting the flaws shortly after disclosure. A few days later, organizations started disclosing data breaches that involved exploitation of the vulnerabilities, including LineageOS, Ghost, DigiCert and Algolia.

VMware says the Application Remote Collector (ARC) functionality introduced in vROps 7.5 uses Salt. The virtualization giant has assigned a critical severity rating to the authentication bypass flaw and an important severity rating to the directory traversal issue.

“CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC filesystem,” the company said in its advisory.

The company says the vulnerabilities affect vROps 8.1.0, 8.0.x and 7.5.0, and patches “are forthcoming.” In the meantime, VMware has provided workarounds that can be implemented as a temporary solution.

Related: VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion

Related: VMware Patches Serious Flaws in vRealize Operations for Horizon Adapter

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.