VMware vRealize Operations Manager has multiple SaltStack Salt vulnerabilities

Cloud security course specialists have disclosed security vulnerabilities in VMware vRealize Operations Manager, a management suite for public, private, and hybrid cloud deployments. Exploiting these vulnerabilities can lead to various malicious scenarios.

Below is a brief overview of the vulnerabilities found, along with their respective identifiers and Common Vulnerability Scoring System (CVSS) scores.

CVE-2020-11651: This is an improper authentication vulnerability that exists because the salt-master process's "ClearFuncs" class does not properly validate method calls. An authenticated remote threat actor might bypass the authentication process and access some methods without sufficient authentication.

The vulnerable methods could be used to retrieve salt-master access tokens and execute arbitrary commands on salt minions. The flaw is found in the following VMware vRealize Operations Manager versions: 7.0, 7.5, 8.0, 8.0.1, and 8.1.

This flaw received a score of 7.2/10 on the CVSS scale, so it is considered a serious error. The vulnerability can be exploited by an authenticated remote user over the Internet. So far, cloud security course experts have not identified the existence of an exploit for this vulnerability, although a proof of concept has already been published.

CVE-2020-11651: This vulnerability allows remote threat actors to perform directory traversal attacks. The flaw exists due to an input validation error when processing directory traversal sequences in the ClearFuncs class of the salt-master process. A malicious hacker may send a specially crafted request to access arbitrary files on the system.

The vulnerability received a score of 5.9/10, so it is considered a medium severity flaw; the vulnerability is found in the following VMware vRealize Operations Manager versions: 7.0, 7.5, 8.0, 8.0.1, and 8.1.

The vulnerability can be exploited by an authenticated remote threat actor over the Internet, although so far it is unknown whether any exploits exist. As in the previous case, there is already a proof of concept for this flaw, the cloud security course experts mentioned.
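The two flaw classes described above (unvalidated method calls and unsanitized paths in a network-facing handler class) can be shown side by side with their hardened forms. This is an added illustration, not Salt or VMware code; `ToyHandler`, `_internal_token`, `confine`, the dispatcher names and the `/srv/toy-root` path are all hypothetical.

```python
import os

EXPOSED = frozenset({"ping", "read_file"})   # methods clients may name

class ToyHandler:
    """Constructed stand-in for a network-facing handler class (not Salt code)."""
    def __init__(self, root):
        self.root = os.path.realpath(root)

    def ping(self):
        return "pong"

    def _internal_token(self):               # helper never meant for clients
        return "constructed-secret"

    def read_file(self, rel_path):
        return confine(self.root, rel_path)  # returns the path it would open

def confine(root, rel_path):
    """Resolve rel_path under root; reject anything that escapes it."""
    full = os.path.realpath(os.path.join(root, rel_path))
    if os.path.commonpath([root, full]) != root:
        raise PermissionError(f"path escapes {root}: {rel_path!r}")
    return full

def dispatch_unvalidated(handler, req):
    # Weak form: whatever attribute the client names gets called.
    return getattr(handler, req["cmd"])(*req.get("args", []))

def dispatch_validated(handler, req):
    # Hardened form: only allowlisted names reach getattr.
    cmd = req.get("cmd")
    if cmd not in EXPOSED:
        raise PermissionError(f"method not exposed: {cmd!r}")
    return getattr(handler, cmd)(*req.get("args", []))

if __name__ == "__main__":
    h = ToyHandler("/srv/toy-root")          # constructed path
    probe = {"cmd": "_internal_token"}
    print("unvalidated:", dispatch_unvalidated(h, probe))
    for req in (probe, {"cmd": "read_file", "args": ["../../etc/passwd"]},
                {"cmd": "read_file", "args": ["pillar/top.sls"]}):
        try:
            print("validated:", dispatch_validated(h, req))
        except PermissionError as e:
            print("rejected:", e)
```

The allowlist makes exposure an explicit decision per method, and resolving the path before comparing it to the root is what defeats `../` sequences and absolute paths alike.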

Vulnerabilities have already been reported, although for now there are no security patches available or known functional workarounds.