VMware has fixed a critical vulnerability in its latest security update. The critical information-disclosure bug exists in the vCenter Server virtual infrastructure management platform.
“With vCenter Server, virtual environments are easier to manage: a single administrator can manage hundreds of workloads, more than doubling typical productivity when managing physical infrastructure,” says VMware.
The vulnerability in VMware’s Directory Service (vmdir) could allow attackers to access sensitive information and potentially take control of affected virtual appliances or Windows systems.
vmdir is part of VMware’s vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console. It is also used for certificate management for the workloads governed by vCenter.
“Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0,” the company noted in an advisory published last week.
The flaw, tracked as CVE-2020-3952, was disclosed and patched on Thursday; the company rated it 10 out of 10 on the CVSSv3 vulnerability severity scale.
According to VMware, exploitation “results in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between virtual machines and/or the host operating system.”
The flaw exists in vCenter Server 6.7, running on Windows or a virtual appliance, only if the installations were upgraded from a previous release line such as 6.0 or 6.5. It can be exploited by a malicious actor with network access to an affected vmdir deployment.
“Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected. vCenter Server versions 6.5 and 7.0 are unaffected,” the company pointed out.
The vulnerability was reported privately, and the company won’t reveal details to the public. There are no workarounds for this bug; VMware issued patches for vCenter Server deployments running on virtual appliances and Windows, and published a document that outlines steps to determine whether a particular deployment is affected.