The 9th of April VMware issued a new VMware Security Advisory (VMSA) VMSA-2020-0006. This Security Advisory discusses CVE-2020-3952 in length. The vulnerability received a CVSSv3 score of 10 out of 10. Which means this is a very serious security issue. This also means you should patch your vCenter Server environment as soon as possible. An update has been released to adress this sensitive information disclosure vulnerability by VMware in the form of VMware vCenter Server 6.7 U3f.

According to VMware under certain conditions a malicous attacker that has network access to an affected vCenter Server may be able to extract sensitive information from the vmdir process. The vmdird service is the VMware Directory Service that stores authentication, license, certificates and lookup information. The reason that this is possible is because the either embedded or external Platform Services Controller (PSC) does not correctly implement access controls which allows the attacker to bypass this mechanism. If an attacker would gain access to the vmdird service it might extract information that could be used to compromise the vCenter Server or other services that are dependent on the vmdird service. At the moment no PoC is available to test what kind of sensitive information could be snatched up, but looking at the VMSA it seems serious enough to start patching the environments. On the 15th of April guardicore.com released a PoC to show what this vulnerability can do. In short, if you have the LDAP port (389) open to the outside world (why?) an attacker can now simply add a user to your vsphere.local domain, make it an administrator and with this, be able to login to the environment.

Affected versions

All VMware vCenter Servers version 6.7, wether it is the vCenter Server Appliance or the Windows vCenter Server, with an embedded or external PSC are affected if they have been upgraded to version 6.7 before. This means that if you ever upgraded your vCenter from a previous release such as version 6.0 or 6.5 to version 6.7, it is affected. Unless ofcourse you are already running the 6.7 U3f patch. Just to provide everybody a quick overview I copied over the Response Matrix from the VMSA below:

ProductVersionRunningCVE IdentifierCVSSV3SeverityFixed VersionWorkaroundsAdditional Documentation
vCenter Server7.0AnyCVE-2020-3952N/AN/AUnaffectedN/AN/A
vCenter Server6.7Virtual ApplianceCVE-2020-395210.0Critical6.7u3fNoneKB78543
vCenter Server6.7WindowsCVE-2020-395210.0Critical6.7u3fNoneKB78543
vCenter Server6.5AnyCVE-2020-3952N/AN/AUnaffectedN/AN/A
VMSA-2020-0006 Affected versions table

Clean vCenter Server 6.7 installations, as well as vCenter Server installations before 6.7 U3f, with or without an embedded PSC are save and are not affected by this VMSA.

How to check if my vCenter Server is affected?

VMware also released the following KB which explains how to check if your vCenter Server installation is affected. Since not everybody is fully aware of the history a vCenter Server has had in the past, the following will help you identify the affected vCenter Servers.

  1. Login to the vCenter Server Appliance (VCSA) with root credentials.
  2. Check the vmdird service logfile
    1. Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
    2. Windows vCenter Log File Location:%ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log
  3. Run the following command too find the line we need:
    1. Virtual Appliance: cat /var/log/vmware/vmdird/vmdird-syslog.log | grep -i "ACL MODE" -B 2 -A 2 or zgrep "ACL MODE" /var/log/vmware/vmdird/*.gz
    2. Windows vCenter: findstr /i "ACL MODE" %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log

If you are affected, the above command would produce the following piece of output:

2020-02-08T09:15:23.945000+00:00 info vmdird  t@139224391800576: Domain Functional Level (1)
2020-02-08T09:15:23.951451+00:00 info vmdird  t@139224391800576: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-02-08T09:15:23.951682+00:00 info vmdird  t@139224391800576: ACL MODE: Legacy
2020-02-08T09:15:24.004334+00:00 info vmdird  t@139224391800576: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.
2020-02-08T09:15:24.004574+00:00 info vmdird  t@139944391800576: VmDirBindServer() end-point type (ncacn_ip_tcp), end-point name (2012) VmDirRpcServerUseProtSeq() succeeded.

As you can see above you can notice the “ACL MODE: Legacy“. If it says “Legacy” you are affected and you should patch your vCenter Server. It may be possible that this is nowhere to be found in your log files, because this log entry only comes up when you (re)start your vmdird service. If you are not sure and the log entry is not visible, just restart the vmdird process with service-control --stop vmdird and service-control --start vmdird. This should generate the line above. You can do this without downtime on the vCenter Server!

You should also be aware that this log entry will still get thrown after upgrading to vCenter 7.0 or 6.7 U3f, even after applying the patch.

Fixing the issue

Currently the only way to fix this security vulnerability is to update your vCenter Server to version 6.7 U3f. There is no workaround available at this time. If you want to update your vCenter Server Appliance, this is very easy. Just follow the below couple of steps:

  1. Login to the vCenter Server Appliance VAMI on https://vcenter.fqdn:5480
  2. Browse to the Update section.
  3. Check the available updates. If 6.7 U3f (6.7.0.43000) is available.
  4. Select the update and click on “Stage and Install”.
  5. The update will be installed and you have patched the environment.

Please don’t forget that the external PSC and the vCenter Server should be kept at the same versions to ensure compatiblity and stability and supportability! So you should update both! If you cannot patch your environment at this time, the only thing you can do to minimize risk and exposure is to lockdown the vCenter Server Appliance with firewall rules, especially the LDAP (389) port and seperate the vCenter Server Appliance from the data plain (this is always recommended!!). This will however not “fix” the issue! You are still vulnerable.

Please also read the FAQ VMware made that belongs with the VMSA just in case I missed something noteworthy.

Please also sign-up to the VMware Security Advisories HERE to be notified about future VMSA updates.


Bryan van Eeden

Bryan is an ambitious and seasoned IT professional with almost a decade of experience in designing, building and operating complex (virtual) IT environments. In his current role he tackles customers, complex issues and design questions on a daily basis. Bryan holds several certifications such as VCIX-DCV, VCAP-DCA, VCAP-DCD, V(T)SP and vSAN and vCloud Specialist badges.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *