VMware Security Announcement VMSA-2020-0009

Today VMware released VMSA-2020-0009. This affects VMware vRealize Operations Manager, and the related patches address a Authentication Bypass and Directory Traversal vulnerabilities that were reported to VMware (CVE-2020-11651, CVE-2020-11652).

Impacted Products

VMware vRealize Operations Manager 7.5.0 - 8.1.0

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which have been determined to affect VMware vRealize Operations Manager. Workarounds are available to address these vulnerabilities.

VMware vRealize Operations Manager (vROps) addresses Authentication Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities.

The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors:
CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC file system.

Updates to remediate CVE-2020-11651 and CVE-2020-11652 are forthcoming.

Workarounds for CVE-2020-11651 and CVE-2020-11652 have been documented in the VMware Knowledge Base article listed below.


To implement the workaround for CVE-2020-11651 and CVE-2020-11652 on Application Remote Collector - 7.5, 8.0, 8.0.1, or 8.1, perform the following steps.

  1. Log into the Application Remote Collector as root via SSH or console pressing ALT+F1 in a Console to log in.
  2. Run the following command to back up the current iptables rules:

iptables-save > /ucp/iptables.out

  1. Run the following commands to add the iptables rules to block salt docker ports:

iptables -I DOCKER 1 -p tcp --dport 4505 -j DROP
iptables -I DOCKER 1 -p tcp --dport 4506 -j DROP

  1. Repeat steps 1-3 on all Application Remote Collectors.

Note: This workaround is not persistent and will revert to default if you restart the Application Remote Collector. Steps 1-3 will need to be re-applied after a restart.

Here is the link to the advisory


Thanks for reading!