====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN266
_____________________________________________________________________

DATE                : 13/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware vRealize Operations Manager
                        versions prior to 8.1.0, 8.0.x, 7.5.0, 7.0.0.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0009.html
_____________________________________________________________________


VMware Security Advisories

Advisory ID 	VMSA-2020-0009
Advisory Severity 	Critical
CVSSv3 Range 	7.5 - 10.0
Synopsis 	VMware vRealize Operations Manager addresses Authentication
Bypass and Directory Traversal vulnerabilities (CVE-2020-11651,
CVE-2020-11652)
Issue Date 	2020-05-08
Updated On 	2020-05-08 (Initial Advisory)
CVE(s) 	CVE-2020-11651, CVE-2020-11652


1. Impacted Products

VMware vRealize Operations Manager


2. Introduction

Two vulnerabilities were disclosed in Salt, an open source project by
SaltStack, which have been determined to affect VMware vRealize
Operations Manager. Workarounds are available to address these
vulnerabilities in affected VMware products.


3. VMware vRealize Operations Manager (vROps) addresses Authentication
Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652)
vulnerabilities.


Description:
The Application Remote Collector (ARC) introduced with vRealize
Operations Manager 7.5 utilizes Salt which is affected by CVE-2020-11651
and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication
Bypass) to be in the Critical severity range with a maximum CVSSv3 base
score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the
Important severity range with a maximum CVSSv3 base score of 7.5.


Known Attack Vectors:

CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with
network access to port 4505 or 4506 on the ARC to take control of the
ARC and any Virtual Machines the ARC may have deployed a Telegraf agent
to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor
with network access to port 4505 or 4506 on the ARC to access the
entirety of the ARC filesystem.


Resolution:
Updates to remediate CVE-2020-11651 and CVE-2020-11652 are forthcoming.


Workarounds:
Workarounds for CVE-2020-11651 and CVE-2020-11652 have been documented
in the VMware Knowledge Base article listed in the "Workarounds" column
of the "Response Matrix" below.


Additional Documentation:
None.

Notes:
None.


Acknowledgements:

None.


Product 	Version 	Running On 	CVE Identifier 	CVSSV3 	Severity 	Fixed
Version 	Workarounds 	Additional Documentation

vROps 	8.1.0 	Virtual Appliance 	CVE-2020-11651, CVE-2020-11652 	10.0
Critical 	Updates Pending 	KB79031 	None

vROps 	8.0.x 	Virtual Appliance 	CVE-2020-11651, CVE-2020-11652 	10.0
Critical 	Updates Pending 	KB79031 	None

vROps 	7.5.0 	Virtual Appliance 	CVE-2020-11651, CVE-2020-11652 	10.0
Critical 	Updates Pending 	KB79031 	None

vROps 	7.0.0 	Virtual Appliance 	CVE-2020-11651, CVE-2020-11652 	N/A
N/A 	Unaffected 	N/A 	N/A



4. References


Workarounds:
https://kb.vmware.com/s/article/79031


3rd Party Disclosure:

https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/


Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652


FIRST CVSSv3 Calculator:

CVE-2020-11651 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-11652 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


5. Change log


2020-05-08 VMSA-2020-0009
Initial security advisory.


6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055



VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================