MCP Insights by Mission Critical Partners

Public Safety Cybersecurity Threat Advisory: Critical VMware Bug

Written by Mike Beagles | April 16, 2020

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their public safety communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week, there is a new critical alert that requires the public safety community’s immediate attention.

Advisory Summary

A high-severity vulnerability exists in VMware vCenter server-management software that could let attackers compromise all virtual machines (VMs) on a server. VMware is a leading provider of virtualization software, which many public safety agencies use to manage their VMs—such as computer-aided dispatch (CAD) applications or office productivity tools—from a single console, governed by single sign-on (SSO) mechanics. This critical vulnerability scored a ten out of ten on the Common Vulnerability Scoring System, version 3 (CVSS v.3), which indicates a major threat. To mitigate the risk, MCP advises updating VMware vCenter to the latest version immediately. Instructions on how to determine whether your server is affected are included in this post’s recommendations section.

Technical Detail and Additional Information

What is the Threat?

A critical information-disclosure bug exists in vCenter Server, version 6.7 (prior to 6.7u3f), as part of an embedded or external platform services controller (PSC). Specifically, the VMware Directory Service (vmdir) does not correctly implement access controls. This means that a malicious actor with network access to an affected vmdir deployment could extract sensitive information held by vmdir. That information could then be used to compromise vCenter Server, or other services that depend on vmdir for authentication.

Why is this Noteworthy?

This vulnerability has been given a 10 out of 10 on the CVSS v.3 vulnerability severity scale, which means that it is extremely critical and one of the most severe vulnerabilities ever to affect VMware. VMware is one of the top choices, if not the top choice, for virtualization software used by public safety agencies across the globe. These organizations utilize vCenter Server and similar products to manage the entire organization's VMs from a single console, governed by single sign-on (SSO) mechanics. This simplifies administrative access to each VM or host without requiring administrators to authenticate to each one individually. If the access controls for this process are misconfigured or weak, then the entire network of VMs, and all that they have access to, can be compromised.

What Is the Exposure or Risk?

By leveraging this vulnerability, an attacker can gain access to a wide variety of different hosts and systems that are governed by vmdir, which is a central component of vCenter's SSO and certificate management. It enables an attacker to compromise any and all VMs and hosts being governed by vCenter Server. If an attacker is able to access every single VM or host in this way, they would have visibility into all assets to which these machines have access. While those assets vary by organization, a malicious actor having access to—or even control of—the entire network managed by vCenter Server could result in significant damage.

What are the Recommendations?

VMware has released a patch that addresses this critical vulnerability. It is strongly recommended that public safety agencies upgrade vCenter Server as quickly as possible. You can find the download links for the affected versions of vCenter Server in the security advisory released by VMware (VMSA-2020-0006, listed in the references below).

Public safety agencies can identify whether their current version of vCenter Server is affected by this vulnerability by searching for vmdir entries in the logs. If an agency’s deployment is vulnerable, it will see a log entry created when the vmdir service starts, which states that a legacy access control list (ACL) mode is enabled. An example of what this looks like has been provided below, courtesy of VMware.

2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
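The check described above, as an added shell example (not VMware's or MCP's code): it reads a vmdird log, looks at the most recent "ACL MODE:" start-up entry, and reports whether the legacy mode that VMware identifies as the vulnerable state is in effect. The log location under /var/log/vmware/vmdird/ on a vCenter Server Appliance is an assumption; the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not VMware's or MCP's code. Reports whether a vmdird log shows
# the "ACL MODE: Legacy" start-up entry from VMware's advisory. Only the most
# recent "ACL MODE:" line counts, so a deployment that was patched and restarted
# is not flagged on an older entry. Prints legacy | not-legacy | unknown on
# stdout and returns 0 | 1 | 2 respectively; details go to stderr.
check_vmdir_acl_mode() {
    log="$1"
    if [ ! -r "$log" ]; then
        echo "unknown"; echo "cannot read $log" >&2; return 2
    fi
    last=$(grep -F 'ACL MODE:' "$log" | tail -n 1)
    if [ -z "$last" ]; then
        echo "unknown"; echo "no ACL MODE entry in $log" >&2; return 2
    fi
    case "$last" in
        *'ACL MODE: Legacy'*)
            echo "legacy"; echo "VULNERABLE (legacy ACL mode): $last" >&2; return 0 ;;
        *)
            echo "not-legacy"; echo "latest entry: $last" >&2; return 1 ;;
    esac
}

# Pass the vmdird log as the first argument. On a vCenter Server Appliance it
# is assumed to live under /var/log/vmware/vmdird/; confirm on your system.
if [ -n "$1" ]; then
    check_vmdir_acl_mode "$1"
else
    # No argument: run against a constructed demonstration log (not a real
    # capture). The second line is the example entry quoted in the advisory.
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
2020-04-06T17:50:40.120000+00:00 info vmdird t@139910871058176: vmdird started
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
EOF
    check_vmdir_acl_mode "$demo"
    rm -f "$demo"
fi
```

Run it with the path to your vmdird log; an exit status of 0 means the legacy ACL mode entry was found and the deployment should be treated as vulnerable until patched.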

The VMware bug has the ability to give public safety agencies a significant amount of heartburn. If you haven’t already done so, assess whether your agency’s deployment is vulnerable.

If you’re looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solution that is designed specifically for public safety entities and other critical-infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete solution. Contact us today to learn more.

References

For more in-depth information about the recommendations, please visit the following links:

https://securityaffairs.co/wordpress/101388/security/cve-2020-3952-vmware-vcenter-server.html

https://www.vmware.com/security/advisories/VMSA-2020-0006.html

https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/

https://www.bleepingcomputer.com/news/security/vmware-releases-fix-for-critical-vcenter-server-vulnerability/