Attacker Value
Very High
(4 users assessed)
Exploitability
Very High
(4 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
9

CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure

Disclosure Date: April 10, 2020
Exploited in the Wild

Description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.


10
Technical Analysis

Technical details on the vuln are out: https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/. It’s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I’ve confirmed it myself and added a second module.

ETA: I noted the following in an earlier response here:

The data seemed to contain secrets related to VMware’s Security Token Service (STS) for single sign-on (SSO).

So information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we’d been talking about it in work Slack. :)

Hats off to the Guardicore team for their dedicated analysis.

6
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

CVSS 10 according to vendor.
Technical details shared by Guardicore: from unauthenticated to admin (via LDAP). Implemented in a public exploit.
MSF module to come.

3

Your Twitter thread on this was really helpful as @wvu-r7 was working through module code, thanks!

4

I actually didn’t know about the Twitter thread until @cnotin commented in the PR. :(

6

That’s collaboration @wvu-r7 🙌

2

Thanks for the help!

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • vmware

Products

  • vcenter server 6.7

Exploited in the Wild
