Threat Response: VMware vCenter Server vulnerability with public exploit (CVE-2020-3952)

17-04-2020

On Friday, April 17th, more details regarding the vulnerability with identifier CVE-2020-3952 in VMware vCenter Server were provided [1][2][3]. Public exploit code has been made available [3]. With this message, we would like to inform you about the threat and the possible mitigation steps that can be taken.

Description
A vulnerability with identifier CVE-2020-3952 has been patched in VMware vCenter Server. Malicious actors with access to the network can use this vulnerability to retrieve data from the VMware Directory Service.

An unauthenticated malicious actor can use the vulnerability to create new accounts with administrator rights. The vulnerability can only be exploited when the LDAP port is accessible to the malicious actor. Normally, the LDAP port should not be reachable from publicly accessible networks.

Impact
This vulnerability allows unauthenticated attackers to create new users with administrator rights.

Risk

Northwave estimates the impact of the vulnerability to be High. The probability is also High, because an exploit is publicly available [3].

Mitigation

VMware has provided a patch that resolves the vulnerability with identifier CVE-2020-3952 in VMware vCenter Server [2]. Northwave advises installing this patch. Additionally, we advise checking whether your vCenter is accessible through public networks. If so, please consider allowing access only from trusted networks.
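One way to perform the accessibility check on your own vCenter hosts, as an added example that is not part of the original advisory: run it from a network segment that should not be trusted and it reports whether the LDAP ports accept TCP connections. The port numbers 389 and 636 are the standard LDAP and LDAPS ports and are an assumption here, since the advisory names no port; the host names are whatever you pass on the command line.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumption: the directory service listens on the standard LDAP/LDAPS ports.
LDAP_PORTS = (389, 636)

def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no usable answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Timeout, unreachable network, DNS failure: nothing answered from here.
        return "filtered"

def audit(hosts, ports=LDAP_PORTS, timeout=3.0):
    """Probe every host/port pair concurrently; return {(host, port): state}."""
    pairs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = list(pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs))
    return dict(zip(pairs, states))

def exposed(results):
    """Host/port pairs that accepted a connection from this vantage point."""
    return sorted(hp for hp, state in results.items() if state == "open")

if __name__ == "__main__":
    # Usage: python check_ldap_exposure.py vcenter01.example.internal ...
    results = audit(sys.argv[1:])
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port} {state}")
    # Non-zero exit when any LDAP port is reachable, for use in scheduled checks.
    sys.exit(1 if exposed(results) else 0)
```

A result of "filtered" from an untrusted segment is what a firewall that drops traffic produces; "open" means the LDAP port is reachable from where the script ran and access should be restricted to trusted networks.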

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://advisories.ncsc.nl/advisory?id=NCSC-2020-0269

[2]: https://www.vmware.com/security/advisories/VMSA-2020-0006.html

[3]: https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.