Last week, VMware released a patch for a vulnerability in its vCenter Server that the company categorized as an information disclosure bug, something an attacker could use to grab some sensitive data from a vulnerable instance. However, after looking into the details of the flaw, some researchers discovered that the vulnerability can be used to add a rogue administrator account to the vCenter directory and take control of the deployment.
The vulnerability in question is in the VMware Directory Service and even though VMware described it as an information disclosure flaw, it is rated critical, which is pretty unusual for a flaw that doesn’t involve remote code execution. In the advisory, VMware said an attacker would need network access to exploit the flaw, but didn’t provide much more information about it.
“Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication,” the advisory says.
Researchers at Guardicore dug into the vulnerability (CVE-2020-3952) and found that it could have much more serious consequences than simple information disclosure. The researchers found that the root cause of the vulnerability is two distinct errors: a flaw in a function that handles permission checks, and a design error that gives root privileges to an LDAP session that has no authentication token. The combination of those two problems produced the vulnerability. The researchers were able to compare the patched version of the software with the previous, vulnerable version and piece together the problematic portions of the code.
“By combing through the changes made to the vCenter Directory service, we reconstructed the faulty code flow that led to this vulnerability. Our analysis showed that with three simple unauthenticated LDAP commands, an attacker with nothing more than network access to the vCenter Directory Service can add an administrator account to the vCenter Directory. We were able to implement a proof of concept for this exploit that enacts a remote takeover of the entire vSphere deployment,” JJ Lehmann and Ofri Ziv of Guardicore wrote in a post explaining the research.
The researchers have published their proof-of-concept code for the vulnerability on GitHub. The vulnerability affects version 6.7 of vCenter Server running on Windows or a virtual appliance.
“Despite the relative clarity of VMware’s code, it looks like there were quite a few missteps that went into the vulnerability. The developers were at least partially aware of them, too, as we saw in the code comments and commit messages. The fix to VmDirLegacyAccessCheck isn’t any more than band-aid — had VMware looked into this bug in-depth they would have found a series of issues that need to be addressed: the strange semantics of bIsAnonymousBind, the disastrous handling of pAccessToken, and, of course, the bug we started from, in VmDirLegacyAccessCheck,” Lehmann and Ziv said in their post.
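To make the two errors described above concrete, here is a small constructed model of a fail-open access check beside its fail-closed form. This is added example code, not VMware's vmdir source or Guardicore's analysis; the field names bIsAnonymousBind and pAccessToken come from the article, while the session and token types and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed token type: in this model a token simply records whether the
   authenticated principal is an administrator. (Assumption, not vmdir's.) */
typedef struct {
    bool is_admin;
} access_token_t;

/* Constructed session type. pAccessToken is NULL when the server never
   issued a token, e.g. the bind was not authenticated. */
typedef struct {
    bool bIsAnonymousBind;           /* flag set only for explicit anonymous binds */
    const access_token_t *pAccessToken;
} ldap_session_t;

/* Error 1 (design): a session with no token is treated as fully privileged.
   This is the fail-open behaviour the article attributes to pAccessToken. */
static bool vulnerable_is_privileged(const ldap_session_t *s) {
    if (s->pAccessToken == NULL)
        return true;                 /* no token -> root-equivalent, wrongly */
    return s->pAccessToken->is_admin;
}

/* Error 2 (permission check): the legacy check only refuses sessions that are
   explicitly flagged anonymous, so an unauthenticated session whose flag is
   unset (odd bIsAnonymousBind semantics) reaches the privileged path. */
bool vulnerable_legacy_access_check(const ldap_session_t *s) {
    if (s->bIsAnonymousBind)
        return false;
    return vulnerable_is_privileged(s);
}

/* Hardened form: fail closed. Lack of a token denies access regardless of
   how the anonymous flag is set, and privilege comes only from the token. */
bool hardened_access_check(const ldap_session_t *s) {
    if (s->bIsAnonymousBind || s->pAccessToken == NULL)
        return false;
    return s->pAccessToken->is_admin;
}
```

The interesting case is a session that is not flagged anonymous but carries no token: the legacy check grants it administrative rights, the hardened check does not.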