Taking control of a VMware server by exploiting the CVE-2020-3952 vulnerability

Cloud computing security service specialists have published a report on a vulnerability in VMware vCenter v6.7. Tracked as CVE-2020-3952, the flaw is caused by inadequate access controls in the VMware directory service.

Apparently the root of this security flaw is the inadequate implementation of access controls, which allows a threat actor to extract sensitive information from the system. In addition, successful exploitation of this vulnerability would allow a hacker with access to the compromised network to attack vCenter's authentication mechanisms.

Cloud computing security service specialists mention that the vulnerability affects both vCenter Server Appliance and vCenter Server on Windows. They also specify that the fault exists only in vCenter version 6.7 and can be fixed by installing patch 6.7u3f or upgrading to version 7.0. The vulnerability only affects deployments where an in-place upgrade was performed instead of a clean version 6.7 installation.

Moreover, the exploitation of CVE-2020-3952 could lead to the loss of confidential information, seriously compromising user data. According to the report, it is highly possible for a threat actor to evade the authentication mechanisms of the vCenter server and gain full control of the affected host. If this occurs, the attacker could make changes to the host and extract sensitive data from the virtual machines that reside in the deployment.

As can be seen, the consequences of exploiting this vulnerability are disastrous. Cloud computing security service specialists strongly recommend users deploy the vendor-released patch as soon as possible.

To mitigate the risk of exploitation of this and other security vulnerabilities, the International Institute of Cyber Security (IICS) recommends adopting the following security measures:

  • Implement robust protections such as single sign-on (SSO) and use the access control lists built into vCenter, limiting the number of users who can access the vCenter server
  • Use the principle of least privilege for users accessing the vCenter deployment by creating custom roles and restricting access to sensitive locations
  • Monitor user activity on the vCenter server and perform audits on a regular basis
  • Verify that any SSL/TLS implementation uses the highest possible security settings, in addition to maintaining the strictest security controls on each protocol used