Researchers Explore Details of Critical VMware Vulnerability

Published: 23/11/2024   Category: security

The vCenter vulnerability, patched on April 9, could give an intruder access to administrative credentials in three steps.

Researchers have published the details of an investigation into CVE-2020-3952, a major vulnerability in VMware's vCenter that was disclosed and patched on April 9. The flaw was given a CVSS score of 10.
CVE-2020-3952 exists in VMware's Directory Service (vmdir), which is a part of VMware vCenter Server, a centralized management platform for virtualized hosts and virtual machines. Through vCenter Server, the company says, an administrator can manage hundreds of workloads. The platform uses single sign-on (SSO), which includes vmdir, Security Token Service, an administration server, and the vCenter Lookup Service. Vmdir is also used for certificate management for the workloads vCenter handles.
When VMware disclosed the vulnerability, it said vmdir does not correctly implement access controls. An attacker with network access to port 389 on an affected vmdir deployment could potentially steal highly sensitive information such as administrative account credentials, which could be used to access a vCenter Server or another service that depends on vmdir for authentication. Noting that technical details were missing, two Guardicore researchers decided to take a deeper dive into the vulnerability.
"We wanted to get a better understanding of its risks and to see how an attacker could exploit them, so we started investigating the changes in VMware's recommended patch, which is vCenter Appliance 6.7 Update 3f," researchers JJ Lehmann and Ofri Ziv explain in a blog post on their analysis. They learned an unauthenticated attacker, with nothing more than network access to vmdir, could add an administrator account to the vCenter Directory. They implemented a proof of concept for the exploit to demonstrate a remote takeover of the entire vSphere deployment.
The critical flaw is enabled by two issues in vmdir's legacy LDAP handling code. One of these is a bug in the function VmDirLegacyAccessCheck, which causes it to return "access granted" when permissions checks fail. The second is a security design flaw that grants root privileges to an LDAP session with no token, under the assumption the request was internal. "The server assumes that requests missing a token come from inside the system," they say, and as a result such requests are allowed to go forward.
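The two issues described above, modelled as an added illustrative example (this is not VMware's code and not the actual vmdir logic; the ACL table, principal names and operation names are constructed): a tokenless session treated as an internal root request, combined with an access check that fails open, lets an unauthenticated caller through an administrative operation, while the hardened variants deny it.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Check(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    ERROR = "error"  # the permission check itself failed (e.g. no ACL entry found)


# Constructed sample ACL: which principals may perform which directory operations.
# The internal "root" principal has no entry, so looking it up yields ERROR.
ACL: Dict[str, Set[str]] = {
    "cn=administrator": {"add_user", "add_admin"},
    "cn=operator": {"add_user"},
}


@dataclass
class Session:
    token: Optional[str]  # None models an LDAP session that presented no token


def principal_legacy(session: Session) -> str:
    # Design flaw from the write-up: a tokenless session is assumed to be internal
    # and is therefore run as root.
    return "root" if session.token is None else session.token


def principal_fixed(session: Session) -> str:
    # Hardened: a missing token means an unauthenticated caller, nothing more.
    return "anonymous" if session.token is None else session.token


def permission_check(principal: str, op: str) -> Check:
    allowed = ACL.get(principal)
    if allowed is None:
        return Check.ERROR  # the check could not be performed at all
    return Check.GRANTED if op in allowed else Check.DENIED


def access_check_legacy(principal: str, op: str) -> bool:
    # Bug from the write-up: a check that fails (ERROR) is reported as granted (fail-open).
    return permission_check(principal, op) != Check.DENIED


def access_check_fixed(principal: str, op: str) -> bool:
    # Fail-closed: only an explicit GRANTED result allows the operation.
    return permission_check(principal, op) is Check.GRANTED


def authorize(session: Session, op: str, *, hardened: bool) -> bool:
    # Chains principal resolution and the access check for one directory operation.
    principal = principal_fixed(session) if hardened else principal_legacy(session)
    check = access_check_fixed if hardened else access_check_legacy
    return check(principal, op)
```

Either fix alone closes the tokenless path shown here, but a fail-open check remains a latent bug for any principal without an ACL entry, which is why both changes matter.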
This vulnerability affects all instances of vCenter Server 6.7 and external 6.7 Platform Services Controllers that were upgraded from an earlier version such as 6.0 or 6.5. Clean installs are not affected.
Read more details here.