VMware Security Announcement VMSA-2020-0006 Critical Alert, CVSSv3 Base Score 10!!!
Last night VMware released VMSA-2020-0006. This announcement addresses a sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) in vCenter Server (CVE-2020-3952). This alert affects vCenter 6.7. I highly recommend patching vCenter immediately.
- vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. vCenter 7 is not affected.
  Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0006.html
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
Under certain conditions vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0.
Known Attack Vectors:
A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.
To remediate CVE-2020-3952, apply vCenter Server Appliance 6.7 Update 3f, released April 9, 2020 (Build 15976714).
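To turn the advisory's affected-version rule and the fixed build number into something you can run across an inventory, here is an added triage helper (example code, not from VMware or the advisory). The `VCenter` record fields and the inventory entries are constructed for this example; the only facts it encodes are the ones above: the 6.7 line prior to build 15976714 is affected when the appliance was upgraded from an earlier release line, fresh 6.7 installs and vCenter 7 are not.

```python
"""Triage helper for VMSA-2020-0006 / CVE-2020-3952 exposure (added example).

The VCenter record layout and the sample inventory are constructed for
this example. The rule encoded is the advisory's: vCenter Server 6.7
builds prior to 6.7u3f (build 15976714) are affected if the appliance was
upgraded from an earlier release line (e.g. 6.0 or 6.5); a fresh 6.7
install and vCenter 7.0 are not affected.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# vCenter Server 6.7 Update 3f, the fixed build named in the advisory
FIXED_BUILD_67 = 15976714


@dataclass
class VCenter:
    name: str
    version: str                    # product version string, e.g. "6.7.0"
    build: int                      # appliance build number
    upgraded_from: Optional[str]    # prior release line, e.g. "6.5"; None = fresh install


def release_line(version: str) -> Tuple[int, int]:
    """Reduce a version string such as '6.7.0' to its (major, minor) release line."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1])


def is_affected(vc: VCenter) -> bool:
    """Apply the advisory's scoping rule to one vCenter record."""
    if release_line(vc.version) != (6, 7):
        return False                # advisory scopes this to the 6.7 line; 7.0 is not affected
    if vc.build >= FIXED_BUILD_67:
        return False                # 6.7u3f or later already carries the fix
    if vc.upgraded_from is None:
        return False                # fresh 6.7 installs are not affected
    # Upgraded from an earlier release line (6.0, 6.5, ...) on a pre-fix build
    return release_line(vc.upgraded_from) < (6, 7)


def triage(inventory: List[VCenter]) -> List[str]:
    """Return the names of vCenters that need 6.7u3f applied, in inventory order."""
    return [vc.name for vc in inventory if is_affected(vc)]


# Constructed sample inventory (hostnames and builds are illustrative only)
SAMPLE_INVENTORY = [
    VCenter("vc-prod-01", "6.7.0", 14368073, upgraded_from="6.5"),   # pre-fix, upgraded: affected
    VCenter("vc-prod-02", "6.7.0", 15976714, upgraded_from="6.5"),   # already on 6.7u3f: fixed
    VCenter("vc-lab-01",  "6.7.0", 14368073, upgraded_from=None),    # fresh 6.7 install: not affected
    VCenter("vc-dev-01",  "7.0.0", 15952498, upgraded_from="6.7"),   # vCenter 7: not affected
    VCenter("vc-old-01",  "6.5.0", 13834586, upgraded_from="6.0"),   # 6.5 line: out of scope
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: apply vCenter Server 6.7u3f (build {FIXED_BUILD_67})")
```

The `upgraded_from` field is the piece inventories usually lack; the advisory makes it the deciding factor, so record the upgrade history of each appliance rather than assuming a 6.7 version string alone means exposure.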
Fixed Version(s) and Release Notes:
vCenter Server 6.7u3f: