AttackerKB AKB:85036BC9-E798-46CE-A5B3-43BDCFE83346

CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure

History: Apr 10, 2020 - 12:00 a.m.
Source: attackerkb.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.64 Medium
Percentile: 97.5%

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

Recent assessments:

wvu-r7 at April 16, 2020 1:25pm UTC reported:

Technical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It’s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I’ve confirmed it myself and added a second module.

ETA: I noted the following in an earlier response here:

> The data seemed to contain secrets related to VMware’s Security Token Service (STS) for single sign-on (SSO).

So information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we’d been talking about it in work Slack. :)

Hats off to the Guardicore team for their dedicated analysis.

Assessed Attacker Value: 5