Attacker Value
Very High
(4 users assessed)
Exploitability
Very High
(4 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
9

CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure

Disclosure Date: April 10, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

Add Assessment

10
Technical Analysis

Technical details on the vuln are out: https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/. It’s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I’ve confirmed it myself and added a second module.

ETA: I noted the following in an earlier response here:

The data seemed to contain secrets related to VMware’s Security Token Service (STS) for single sign-on (SSO).

So information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we’d been talking about it in work Slack. :)

Hats off to the Guardicore team for their dedicated analysis.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • vmware

Products

  • vcenter server 6.7

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis