VMSA-2020-0006:VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir)
23573
14 April 2020
15 March 2020
CLOSED
CRITICAL
10.0
CVE-2020-3952
1. Impacted Products
VMware vCenter Server
2. Introduction
A sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) was privately reported to VMware. vCenter updates are available to address this vulnerability.
3. VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
Description
Under certain conditions[1] vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0.
Known Attack Vectors
A malicious actor with network access to port 389 on an affected vmdir deployment[1] may be able to extract highly sensitive information such as administrative account credentials which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. Variant attack vectors such as creating new attacker-controlled administrative accounts are also possible.
Resolution
To remediate CVE-2020-3952 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.
Workarounds
None.
Additional Documentation
VMware has created KB78543 which details steps to determine whether or not a particular deployment is affected by CVE-2020-3952.
Notes
[1] vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.
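The condition in Note [1] is easy to misread during triage, so the following added example (not part of the advisory or of any VMware tooling) encodes it as an inventory check: a deployment is flagged only when it is on the 6.7 line below 6.7u3f and was upgraded from an earlier release line. The `Deployment` record, its field names and the version-string format are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fixed version for the 6.7 line, as stated in the advisory's Resolution / Response Matrix.
FIXED_67 = "6.7u3f"


@dataclass
class Deployment:
    """One vCenter/PSC instance from an inventory (hypothetical record shape)."""
    name: str
    version: str                   # e.g. "6.7u3e", "6.7", "7.0", "6.5u3"
    upgraded_from: Optional[str]   # release line it was upgraded from, None for a clean install


def parse_67_update(version: str) -> Optional[Tuple[int, str]]:
    """Split a 6.7-line version such as '6.7u3f' into (update number, letter).

    Returns None for versions outside the 6.7 line (7.0, 6.5, ...), which the
    Response Matrix lists as unaffected. A plain '6.7' parses as update 0.
    """
    m = re.fullmatch(r"6\.7(?:\.0)?(?:u(\d+)([a-z]?))?", version.strip().lower())
    if not m:
        return None
    return (int(m.group(1) or 0), m.group(2) or "")


def is_affected(d: Deployment) -> bool:
    """Apply Note [1] of VMSA-2020-0006 to a single deployment."""
    parsed = parse_67_update(d.version)
    if parsed is None:
        return False                      # not on the 6.7 line
    if parsed >= parse_67_update(FIXED_67):
        return False                      # already at or past 6.7u3f
    if d.upgraded_from is None:
        return False                      # clean 6.7 install: not affected
    # Assumption: an upgrade that started on the 6.7 line itself is not a
    # "previous release line" upgrade in the sense of Note [1].
    return not d.upgraded_from.strip().startswith("6.7")


def affected_names(inventory: List[Deployment]) -> List[str]:
    """Names of deployments that need the 6.7u3f update, in inventory order."""
    return [d.name for d in inventory if is_affected(d)]
```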
Acknowledgements
VMware would like to thank Hynek Petrak of Schneider Electric for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vCenter | 7.0 | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter | 6.7 | Virtual Appliance | CVE-2020-3952 | 10.0 | critical | 6.7u3f | None | KB78543 |
| vCenter | 6.7 | Windows | CVE-2020-3952 | 10.0 | critical | 6.7u3f | None | KB78543 |
| vCenter | | Any | CVE-2020-3952 | N/A | N/A | Unaffected | N/A | N/A |
4. References
vCenter Server 6.7u3f:
https://my.vmware.com/web/vmware/details?productId=742&rPId=44888&downloadGroup=VC67U3F
Additional Documentation:
https://kb.vmware.com/s/article/78543
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3952
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
5. Change Log
2020-04-09 VMSA-2020-0006
Initial security advisory.
2020-04-16 VMSA-2020-0006.1
Updated 'Known Attack Vectors' section with additional details.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.