That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed

A critical vulnerability in VMware's vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.

The astonishing vuln (CVE-2020-3952), details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.

Admins in charge of VMware estates should probably patch this one immediately, if they haven't already.

Guardicore researcher JJ Lehman told The Register: "You have to be network accessible but you don't have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts."

The virtualization vendor issued an advisory note and patch on 9 April that explained that a "malicious actor with network access to port 389 on an affected vmdir deployment may be able to extract highly sensitive information such as administrative account credentials".

"It's very unique," Guardicore head of research Ofri Ziv told The Reg, explaining that the 10.0 CVSS impact rating on an enterprise virtualization product caught his enterprise security team's eye. "This is why this is such a critical issue and this is why we believe it's important for people to understand and mitigate it as fast as possible."

He added that Guardicore had not seen evidence of the vuln being abused in the wild, though Lehman explained that by its nature, it would be difficult to see traces of its use.

Same code module deployed in different places

Curiosity piqued as they examined the vCenter patch binaries, Guardicore's researchers discovered a VMware Github repo called Project Lightning which happened to contain an identical copy of VMware's Directory Service code. From that they realised a very similar vuln to the vCenter one had been spotted and patched in August 2017 within Project Lightning.

In a blog post Guardicore explained at length how its researchers were able to pwn vCenter after inspecting the source on GitHub. Lehman and Ziv could create a new user account and assign them full admin permissions, all because vCenter did not thoroughly authenticate and cross-check external inputs.

"It seems strange that a function that checks whether to grant access would specifically allow a user without an access token," commented Guardicore, in the understatement of the year. The firm also published its proof-of-concept code on (where else?) GitHub.

VMware did not respond to The Register's requests for comment. ®