Attacker Value: Very High (5)

CVE-2020-3952 – VMware vCenter Server vmdir Information Disclosure

Disclosure Date: April 10, 2020

Exploitability: Very High (4 users assessed)
Attack Vector: Network
Privileges Required: None
User Interaction: None

Description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.


10
Technical Analysis

Technical details on the vuln are out: https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/. It’s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I’ve confirmed it myself and added a second module.

ETA: I noted the following in an earlier response here:

The data seemed to contain secrets related to VMware’s Security Token Service (STS) for single sign-on (SSO).

So information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we’d been talking about it in work Slack. :)

Hats off to the Guardicore team for their dedicated analysis.

General Information

Products

  • VMware vCenter Server
