
VMware Patches Serious Flaws in vRealize Operations for Horizon Adapter

VMware has patched serious vulnerabilities, including remote code execution and authentication bypass issues, in vRealize Operations for Horizon Adapter.


VMware vRealize Operations is designed to deliver operational insights in an effort to simplify and automate the management of applications and infrastructure across virtual, physical and cloud environments. Horizon Adapter instances created on vRealize Operations Manager nodes enable users to receive communications from Horizon agents installed on virtual machines.

An Trinh of the cyber security division at Viettel, Vietnam’s largest telecommunications service provider, discovered that vRealize Operations for Horizon Adapter is affected by three vulnerabilities.

SecurityWeek reached out to Trinh for more information on the vulnerabilities, but the researcher said he did not want to share any additional details at this time.

According to VMware, the most serious of the flaws, tracked as CVE-2020-3943 and classified as critical, can allow remote code execution. The vulnerability can be exploited by an unauthenticated attacker with network access to a vRealize Operations node on which the Horizon Adapter is running.

“vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured,” VMware said in an advisory.
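For a JMX RMI endpoint, "not securely configured" in practice means the remote connector is reachable without authentication or TLS, which is what turns a management interface into a remote code execution path. The audit script below is an added example, not VMware's code and not taken from the advisory: it does not know how vRealize Operations launches its JVM, so the command lines it inspects are constructed samples, and the property names it looks for are the standard JDK `com.sun.management.jmxremote.*` system properties rather than anything product-specific.

```shell
#!/bin/sh
# Added example (not VMware's code, not from the advisory): flag JVM command lines
# whose JMX remote connector is reachable without authentication or TLS.
# Property names are the standard JDK com.sun.management.jmxremote.* settings;
# the sample command lines below are constructed, not captured from any product.

# Usage: jmx_audit "<jvm command line>"
# Prints NO_JMX, OK or "INSECURE: <reasons>" and returns 1 only for INSECURE.
jmx_audit() {
    cmdline=$1
    findings=""

    # The RMI connector only listens on the network when a remote port is set.
    case "$cmdline" in
        *com.sun.management.jmxremote.port=*) ;;
        *) echo "NO_JMX"; return 0 ;;
    esac

    # Authentication explicitly disabled: any client that reaches the port can
    # invoke MBean operations (the JDK default once the port is set is true).
    case "$cmdline" in
        *com.sun.management.jmxremote.authenticate=false*) findings="${findings}no-auth " ;;
    esac

    # TLS explicitly disabled: credentials and calls cross the network in clear
    # text (again, the JDK default once the port is set is true).
    case "$cmdline" in
        *com.sun.management.jmxremote.ssl=false*) findings="${findings}no-tls " ;;
    esac

    if [ -n "$findings" ]; then
        echo "INSECURE: ${findings% }"
        return 1
    fi
    echo "OK"
    return 0
}

# Constructed sample command lines (not from any real host).
SAMPLE_INSECURE='java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar'
SAMPLE_HARDENED='java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password -jar app.jar'
SAMPLE_NO_JMX='java -Xmx2g -jar app.jar'

for c in "$SAMPLE_INSECURE" "$SAMPLE_HARDENED" "$SAMPLE_NO_JMX"; do
    jmx_audit "$c" || :
done

# On a live Linux host the same check runs over every Java process:
#   ps -eo args= | grep '[j]ava' | while IFS= read -r c; do jmx_audit "$c" || :; done
```

The script only reports settings that are explicitly weakened on the command line; a JVM that sets the port and relies on the JDK defaults (authentication and TLS on) is reported as OK, and a connector that is disabled entirely is reported as NO_JMX. Treating the network exposure of the port itself as the first question, before looking at the flags, is the same ordering VMware's advisory implies: the critical finding is an RMI service that is reachable and unprotected, not merely one that exists.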

The second vulnerability, tracked as CVE-2020-3944 and rated high severity, allows an unauthenticated attacker with access to the network to bypass Adapter authentication. VMware has blamed the vulnerability on “an improper trust store configuration.”

The third security hole uncovered by Trinh is an information disclosure issue caused by “incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View.”

According to VMware, which classified this vulnerability as medium severity, an unauthenticated attacker may be able to obtain sensitive information that they can leverage to bypass the Adapter’s authentication mechanism.

All vulnerabilities affect vRealize Operations for Horizon Adapter 6.6.x and 6.7.x on Windows, and they have been patched with the release of versions 6.6.1 and 6.7.1. No workarounds are available.

Related: Vulnerabilities Found in VMware Tools, Workspace ONE SDK

Related: VMware Patches ESXi Vulnerability That Earned Hacker $200,000

Related: VMware Patches Six Vulnerabilities in Various Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
