A critical vulnerability in VMware's vCenter management product has allowed any old body on the same network to remotely create an administrator-level user, Guardicore Labs has found.
Administrators in charge of VMware domains should probably correct this immediately, if they have not already done so.
Guardicore researcher JJ Lehman told The Register: “You must be accessible on the network, but you do not need to be authenticated in any way. This means as an attacker who has already violated the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything over their VMware hosts.”
The virtualization provider issued an advisory and patch on April 9 that explains that a “malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract very sensitive information such as the credentials of the administrative account”.
“It's very unique,” Ofri Ziv, research manager at Guardicore, told The Reg, explaining that the CVSS 10.0 impact score on an enterprise virtualization product had caught the attention of his enterprise security team. “This is why it is such a critical problem and that is why we think it is important that people understand it and mitigate it as quickly as possible.”
He added that Guardicore had not seen any evidence that the vuln was abused in the wild, although Lehman explained that by its nature, it would be difficult to see traces of its use.
Same code module deployed in different places
Their curiosity piqued while examining the binaries of the vCenter patch, Guardicore researchers discovered a VMware GitHub repository called Project Lightning that contained an identical copy of the code for the VMware directory service. From there they found that a vuln very similar to vCenter's had been spotted and patched in August 2017 within Project Lightning.
In a blog post, Guardicore explained in detail how its researchers were able to pwn vCenter after inspecting the source on GitHub. Lehman and Ziv could create a new user account and grant it full administrator permissions, all because vCenter did not fully authenticate requests and did not cross-check external entries.
“It seems strange that a function that checks if it authorizes access specifically authorizes a user without an access token,” commented Guardicore, in the euphemism of the year. The company also published its proof-of-concept code on (where else?) GitHub.
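The shape of the bug Guardicore describes, an access check that treats a missing token as "authorized", is a textbook fail-open authorization check. The following is an added, constructed illustration of that pattern beside its fail-closed counterpart; it is not vmdir's code, not Guardicore's proof of concept, and the directory model, token format and function names are all assumptions made for the example.

```python
"""Fail-open vs fail-closed access checks on a toy directory service.

Constructed illustration of the bug class described in the article; it does
not reproduce any real vmdir logic. The token is modelled as a dict naming the
caller, and a missing token (None) stands for an unauthenticated request.
"""
from dataclasses import dataclass, field

ADMIN_GROUP = "Administrators"  # assumed group name for this example


class AccessDenied(Exception):
    """Raised when a caller is not permitted to perform a directory write."""


@dataclass
class Directory:
    # user name -> set of group memberships (constructed sample data)
    users: dict = field(default_factory=dict)


def is_authorized_fail_open(token, required_group, directory):
    """Vulnerable shape: an absent token is treated as nothing to check and allowed."""
    if token is None:
        return True
    return required_group in directory.users.get(token.get("user"), set())


def is_authorized_fail_closed(token, required_group, directory):
    """Hardened shape: no token, unknown user or missing group all deny."""
    if token is None:
        return False
    user = token.get("user")
    if user not in directory.users:
        return False
    return required_group in directory.users[user]


def add_admin_user(directory, new_user, token, check):
    """Create an administrator-level user if the access check passes."""
    if not check(token, ADMIN_GROUP, directory):
        raise AccessDenied("caller is not authorised to add users")
    directory.users[new_user] = {ADMIN_GROUP}
    return new_user


def unauthenticated_add(check):
    """Outcome when a request with no token tries to add an admin user."""
    d = Directory(users={"administrator": {ADMIN_GROUP}})
    try:
        add_admin_user(d, "newadmin", None, check)
        return "admin user created without authentication"
    except AccessDenied:
        return "rejected"


def authenticated_admin_add(check):
    """A genuine administrator must still succeed under either check."""
    d = Directory(users={"administrator": {ADMIN_GROUP}})
    add_admin_user(d, "newadmin", {"user": "administrator"}, check)
    return ADMIN_GROUP in d.users["newadmin"]


if __name__ == "__main__":
    print("fail-open  :", unauthenticated_add(is_authorized_fail_open))
    print("fail-closed:", unauthenticated_add(is_authorized_fail_closed))
```

The only behavioural difference between the two checks is the branch taken when the token is absent, which is exactly the branch a code reviewer or unit test for an authorization function should cover first: every path that does not positively establish the caller's identity and group membership must deny.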
VMware did not respond to The Register's requests for comment. ®