VMware Security Announcement VMSA-2020-0025

A new security announcement, VMSA-2020-0025, was released today. It affects VMware SD-WAN Orchestrator; the updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002, CVE-2020-4003).

Impacted Products

VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

Introduction

Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or work around these vulnerabilities in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues.

SQL injection vulnerability due to improper input validation (CVE-2020-3984)

Description

The SD-WAN Orchestrator does not apply correct input validation, which allows for SQL injection. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.

Resolution

SD-WAN Orchestrator 4.x is not affected by this vulnerability.

For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.

Directory traversal file execution (CVE-2020-4000)

Description

The SD-WAN Orchestrator allows for executing files through directory traversal. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user is able to traverse directories, which may lead to code execution of files.

Resolution

For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.

For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.

Default passwords Pass-the-Hash Attack (CVE-2020-4001)

Description

The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash Attack. VMware has evaluated the severity of this issue to be in the moderate severity range.

Known Attack Vectors:

SD-WAN Orchestrator ships with default passwords for predefined accounts, which may lead to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of predefined accounts on freshly installed systems, allowing for Pass-the-Hash attacks. That same system could be accessed by an attacker using the default password for the predefined account.

Resolution:

To remediate CVE-2020-4001 on SD-WAN Orchestrator 4.x and 3.x, change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.
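
The note above, modelled as an added example (not VMware's code): with a shared salt the default-password hash is the same on every fresh install, and an audit can flag predefined accounts whose password was never changed. The hash scheme (PBKDF2), the salt, the default password and the account names are all constructed assumptions, not values from the product.

```python
import hashlib
import hmac
import os

# Constructed values for illustration; none of these come from the product.
SHARED_SALT = b"constructed-shared-salt"
DEFAULT_PASSWORD = "constructed-default-password"
ITERATIONS = 10_000  # assumed work factor for the assumed PBKDF2 scheme


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def fresh_install(salt: bytes, accounts=("admin", "operator")) -> dict:
    """Model a new install: each predefined (hypothetical) account gets the default password."""
    digest = hash_password(DEFAULT_PASSWORD, salt)
    return {name: {"salt": salt, "hash": digest} for name in accounts}


def change_password(store: dict, name: str, new_password: str) -> None:
    """Remediation step: new password stored with a fresh per-account random salt."""
    salt = os.urandom(16)
    store[name] = {"salt": salt, "hash": hash_password(new_password, salt)}


def accounts_still_default(store: dict) -> list:
    """Audit: return accounts whose stored hash still matches the default password."""
    flagged = []
    for name, rec in store.items():
        expected = hash_password(DEFAULT_PASSWORD, rec["salt"])
        if hmac.compare_digest(expected, rec["hash"]):
            flagged.append(name)
    return sorted(flagged)


def demo():
    # Two independent installs sharing one salt store identical hashes.
    site_a, site_b = fresh_install(SHARED_SALT), fresh_install(SHARED_SALT)
    shared_identical = site_a["admin"]["hash"] == site_b["admin"]["hash"]
    # With a per-install random salt the stored hashes differ.
    site_c, site_d = fresh_install(os.urandom(16)), fresh_install(os.urandom(16))
    random_identical = site_c["admin"]["hash"] == site_d["admin"]["hash"]
    # Changing only one account leaves the other flagged by the audit.
    change_password(site_a, "admin", "a long unique passphrase")
    return shared_identical, random_identical, accounts_still_default(site_a)


if __name__ == "__main__":
    print(demo())
```
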

API endpoint privilege escalation (CVE-2020-3985)

Description:

The SD-WAN Orchestrator allows access to set arbitrary authorization levels, leading to a privilege escalation issue. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.

Resolution:

SD-WAN Orchestrator 4.x is not affected by this vulnerability.

For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.

Unsafe handling of system parameters (CVE-2020-4002)

Description:

The SD-WAN Orchestrator handles system parameters in an insecure way. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system.

Resolution:

For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.

For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.

SQL injection Information Disclosure (CVE-2020-4003)

Description:

The SD-WAN Orchestrator was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure.

Resolution:

For SD-WAN Orchestrator 4.x apply patch 4.0.1. Download links will be provided below.

For SD-WAN Orchestrator 3.x apply patches 3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA. Download links will be provided below.

References

Fixed Version(s) and Release Notes:

4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html
3.4.4
https://www.vmware.com/go/download-sd-wan
3.3.2 P3
https://www.vmware.com/go/download-sd-wan

Thanks for reading. Happy patching!