Vulnerability in VMware Directory Service affects large numbers of corporate VMs and hosts

PUBLISHED:
15 April 2020

Vulnerability in VMware Directory Service (vmdir) affects large numbers of corporate VMs and hosts

A critical informational disclosure bug was discovered in VMware’s Directory Service (vmdir) could allows a cyber-attacker to lay bare contents of entire corporate virtual infrastructures. The vmdir is part of VMware’s vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console. The vmdir is the central component to the vCenter single sign on(SSO).

The critical flaw (CVE-2020-3952) was rated 10 out of 10 on the CVSS v.3 vulnerability severity scale. At issue is a poorly implemented access control, according to the bug advisory, which could allow a malicious actor to bypass authentication mechanisms.

Affected Items

• vCenter Server 6.7 Virtual Appliance
• vCenter Server 6.7 Windows

Solution

Administrators are encouraged to apply the VMware patches KB78543 as soon as possible.

More Information

• VMware Security Advisories: https://www.vmware.com/security/advisories/VMSA-2020-0006.html
• Additional Documentation: https://kb.vmware.com/s/article/78543
• vCenter Server 6.7u3f: https://my.vmware.com/web/vmware/details?productId=742&rPId=44888&downloadGroup=VC67U3F