VMSA-2020-0025: VMware SD-WAN Orchestrator updates address multiple security vulnerabilities
23582
16 November 2020
16 November 2020
CLOSED
HIGH
6.3 - 7.5
CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002, CVE-2020-4003
1. Impacted Products
VMware SD-WAN Orchestrator (SD-WAN Orchestrator)
2. Introduction
Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues.
3a. SQL injection vulnerability due to improper input validation (CVE-2020-3984)
Description
The SD-WAN Orchestrator does not apply correct input validation which allows for SQL-injection. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.
Resolution
To remediate CVE-2020-3984 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Any | CVE-2020-3984 | 7.1 | important | Not affected | N/A | N/A |
SD-WAN Orchestrator | 3.x | N/A | CVE-2020-3984 | 7.1 | important | 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA | None | None |
3b. Directory traversal file execution (CVE-2020-4000)
Description
The SD-WAN Orchestrator allows for executing files through directory traversal. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors
An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to execution of files.
Resolution
To remediate CVE-2020-4000 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Linux | CVE-2020-4000 | 6.5 | moderate | 4.0.1 | None | None |
SD-WAN Orchestrator | 3.x | Linux | CVE-2020-4000 | 6.5 | moderate | 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA | None | None |
3.c Default passwords Pass-the-Hash Attack (CVE-2020-4001)
Description
The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash Attack. VMware has evaluated the severity of this issue to be in the moderate severity range.
Known Attack Vectors:
SD-WAN Orchestrator ships with default passwords for predefined accounts, which may lead to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of predefined accounts on freshly installed systems, allowing for Pass-the-Hash attacks. That same system could be accessed by an attacker using the default password for the predefined account.
Resolution:
To remediate CVE-2020-4001, change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.
Workarounds:
None
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.
Notes
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Linux | CVE-2020-4001 | n/a | moderate | See Resolution section | None | None |
SD-WAN Orchestrator | 3.x | Linux | CVE-2020-4001 | N/A | moderate | See Resolution section | None | None |
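The shared-salt condition described in the note for CVE-2020-4001, together with a check that the resolution (changing the default passwords) has been applied, shown as an added example that is not VMware's code. The hash scheme (PBKDF2-HMAC-SHA256), the salt, the default password and the account names are constructed assumptions; the advisory does not state them.

```python
import hashlib
import hmac
import os

# Assumptions (not from the advisory): PBKDF2-HMAC-SHA256 as the hash scheme,
# and a constructed salt, default password and account names.
SHIPPED_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SHIPPED_DEFAULT_PASSWORD = "example-default-password"             # constructed
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Return the hex digest stored for a password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def fresh_install(shared_salt: bool) -> dict:
    """Model the credential record of a predefined account on a new install."""
    salt = SHIPPED_SALT if shared_salt else os.urandom(16)
    return {"salt": salt.hex(), "hash": hash_password(SHIPPED_DEFAULT_PASSWORD, salt)}


def still_default(record: dict) -> bool:
    """True if the stored hash is the default password under the record's salt."""
    expected = hash_password(SHIPPED_DEFAULT_PASSWORD, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, record["hash"])


def audit(accounts: dict) -> list:
    """Return the predefined accounts whose default password was never changed."""
    return sorted(name for name, rec in accounts.items() if still_default(rec))


# Two independent installs with the shipped salt store the same hash value;
# a per-install random salt makes the stored values differ.
install_a, install_b = fresh_install(True), fresh_install(True)
random_a, random_b = fresh_install(False), fresh_install(False)

# Constructed account table: one account left at the default, one remediated.
changed_salt = os.urandom(16)
accounts = {
    "predefined-admin": install_a,
    "predefined-operator": {"salt": changed_salt.hex(),
                            "hash": hash_password("a-new-unique-passphrase", changed_salt)},
}

if __name__ == "__main__":
    print("shared salt, identical hash:", install_a["hash"] == install_b["hash"])
    print("random salt, identical hash:", random_a["hash"] == random_b["hash"])
    print("accounts still at default:", audit(accounts))
```

A unique salt alone does not remediate the issue: `still_default` still flags a randomly salted record until the password itself is changed.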
3.d API endpoint privilege escalation (CVE-2020-3985)
Description:
The SD-WAN Orchestrator allows arbitrary authorization levels to be set, leading to a privilege escalation issue. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.
Resolution:
To remediate CVE-2020-3985, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Christopher Schneider - Penetration Test Analyst at State Farm for reporting this issue to us.
Notes:
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Linux | CVE-2020-3985 | 7.5 | important | Not affected. | N/A | N/A |
SD-WAN Orchestrator | 3.x | Linux | CVE-2020-3985 | 7.5 | important | 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA | None | None |
3.e Unsafe handling of system parameters (CVE-2020-4002)
Description:
The SD-WAN Orchestrator handles system parameters in an insecure way. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system.
Resolution:
To remediate CVE-2020-4002, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
VMware would like to thank Christopher Schneider, Cory Billington and Nicholas Spagnola - Penetration Test Analysts at State Farm for reporting this issue to us.
Notes:
None
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Linux | CVE-2020-4002 | 7.2 | important | 4.0.1 | None | None |
SD-WAN Orchestrator | 3.x | Linux | CVE-2020-4002 | 7.2 | important | 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA | None | None |
3.f SQL injection Information Disclosure (CVE-2020-4003)
Description:
The SD-WAN Orchestrator was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure.
Resolution:
To remediate CVE-2020-4003, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None
Additional Documentation:
None
Acknowledgements:
VMware would like to thank Christopher Schneider - Penetration Test Analyst at State Farm for reporting this issue to us.
Notes:
None
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
SD-WAN Orchestrator | 4.x | Linux | CVE-2020-4003 | 6.3 | moderate | 4.0.1 | None | None |
SD-WAN Orchestrator | 3.x | Linux | CVE-2020-4003 | 6.3 | moderate | 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA | None | None |
4. References
Fixed Version(s) and Release Notes:
4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html
3.4.4
https://www.vmware.com/go/download-sd-wan
3.3.2 P3
https://www.vmware.com/go/download-sd-wan
Additional Documentation:
None
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4003
FIRST CVSSv3 Calculator:
CVE-2020-4000 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
CVE-2020-3985 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4002 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4003 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5. Change Log
2020-11-18: VMSA-2020-0025
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.