VMware Security Announcement VMSA-2020-0025
A new security announcement, VMSA-2020-0025, was released today. It affects VMware SD-WAN Orchestrator; the updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002, CVE-2020-4003).
Impacted Products
VMware SD-WAN Orchestrator (SD-WAN Orchestrator)
Introduction
Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues.
SQL injection vulnerability due to improper input validation (CVE-2020-3984)
Description
The SD-WAN Orchestrator does not apply correct input validation, which allows for SQL injection. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.
Known Attack Vectors
An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.
Resolution
SD-WAN Orchestrator 4.x is not affected by this vulnerability.
For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.
Directory traversal file execution (CVE-2020-4000)
Description
The SD-WAN Orchestrator allows for executing files through directory traversal. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors
An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to the execution of files.
Resolution
For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.
For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.
Default passwords Pass-the-Hash Attack (CVE-2020-4001)
Description
The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash Attack. VMware has evaluated the severity of this issue to be in the Moderate severity range.
Known Attack Vectors:
SD-WAN Orchestrator ships with default passwords for predefined accounts, which may lead to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of predefined accounts on freshly installed systems, allowing for Pass-the-Hash attacks. That same system could be accessed by an attacker using the default password for the predefined account.
Resolution:
To remediate CVE-2020-4001 on SD-WAN Orchestrator 4.x and 3.x, change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.
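The note above about the shared salt can be made concrete with a small audit script. This is an added example, not VMware's code: PBKDF2, the record layout, the host names and the default password and salt values are all constructed assumptions, since the advisory does not disclose the product's hash scheme.

```python
import hashlib
import hmac
import os

# Constructed sample values, NOT real product defaults.
DEFAULT_PASSWORD = "example-default-pw"
SHIPPED_SALT = b"same-salt-in-every-image"

def hash_password(password, salt):
    # Assumption: PBKDF2 stands in for the product's undisclosed hash scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def fresh_install(host, per_install_salt=False):
    """Credential record of a predefined account as a new install would store it."""
    salt = os.urandom(16) if per_install_salt else SHIPPED_SALT
    return {"host": host, "salt": salt,
            "hash": hash_password(DEFAULT_PASSWORD, salt)}

def change_password(record, new_password):
    """The advisory's remediation: replace the default, with a new random salt."""
    salt = os.urandom(16)
    return {**record, "salt": salt, "hash": hash_password(new_password, salt)}

def still_default(record):
    """True if the stored hash still verifies against the shipped default."""
    expected = hash_password(DEFAULT_PASSWORD, record["salt"])
    return hmac.compare_digest(expected, record["hash"])

def audit(records):
    """Hosts still on the default password, and hosts whose salt is not unique."""
    counts = {}
    for r in records:
        counts[r["salt"]] = counts.get(r["salt"], 0) + 1
    return {
        "default_password": [r["host"] for r in records if still_default(r)],
        "shared_salt": [r["host"] for r in records if counts[r["salt"]] > 1],
    }

if __name__ == "__main__":
    a, b = fresh_install("vco-a"), fresh_install("vco-b")
    # Same salt + same default password: the stored hash is identical everywhere.
    print("identical hashes:", a["hash"] == b["hash"])
    b = change_password(b, "a-long-unique-passphrase")
    print(audit([a, b]))
```

A per-install random salt makes the stored hashes differ between systems, but only changing the default password, as the resolution states, stops the account from verifying against the shipped value.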
API endpoint privilege escalation (CVE-2020-3985)
Description:
The SD-WAN Orchestrator allows access to set arbitrary authorization levels, leading to a privilege escalation issue. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.
Resolution:
SD-WAN Orchestrator 4.x is not affected by this vulnerability.
For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.
Unsafe handling of system parameters (CVE-2020-4002)
Description:
The SD-WAN Orchestrator handles system parameters in an insecure way. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system.
Resolution:
For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.
For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.
SQL injection Information Disclosure (CVE-2020-4003)
Description:
The SD-WAN Orchestrator was found to be vulnerable to SQL injection attacks, allowing for potential information disclosure. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.
Known Attack Vectors:
An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure.
Resolution:
For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.
For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.
References
Fixed Version(s) and Release Notes:
4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html
3.4.4
https://www.vmware.com/go/download-sd-wan
3.3.2 P3
https://www.vmware.com/go/download-sd-wan
Thanks for reading. Happy patching!