
Critical vulnerability in VMware vCenter 6.7 and prior

Reference: Advisory #2020-011
Version: 1
Affected software: VMware vCenter version 6.7 and prior
Type: Information Disclosure
CVE/CVSS: CVE-2020-3952: CVSSv3 10.0

Sources

https://www.vmware.com/security/advisories/VMSA-2020-0006.html

https://my.vmware.com/web/vmware/details?productId=742&rPId=44888&downloadGroup=VC67U3F

Risks

An attacker with network access to a vulnerable vmdir implementation can exfiltrate sensitive information. This data can then be used to compromise vCenter Server or any other service that relies on vmdir as an authentication mechanism.

Description

All version numbers up to and including version 6.7u3f of vCenter Server 6.7 with an embedded or external Platform Services Controller (PSC) are affected, including systems upgraded from a previous release line such as 6.0 or 6.5. Only fresh installations of vCenter Server 6.7 are not affected by this vulnerability.

Recommended Actions

CERT.be advises system administrators to patch vulnerable systems to the latest available version. The patches are available on VMware's website (see Sources above).