
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN638
_____________________________________________________________________

DATE                : 24/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SD-WAN Orchestrator versions prior
                     to 4.0.1.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0025.html
_____________________________________________________________________

Important


Advisory ID:      VMSA-2020-0025
CVSSv3 Range:     6.3 - 7.5
Issue Date:       2020-11-18
Updated On:       2020-11-18 (Initial Advisory)
CVE(s):           CVE-2020-3984, CVE-2020-3985, CVE-2020-4000,
                  CVE-2020-4001, CVE-2020-4002, CVE-2020-4003

Synopsis:

VMware SD-WAN Orchestrator updates address multiple security
vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000,
CVE-2020-4001, CVE-2020-4002, CVE-2020-4003).


1. Impacted Products

VMware SD-WAN Orchestrator (SD-WAN Orchestrator)


2. Introduction

Multiple vulnerabilities in SD-WAN Orchestrator were privately reported
to VMware. Patches and workarounds are available to remediate or
work around these vulnerabilities in affected VMware products.
VMware-hosted SD-WAN Orchestrators have been patched for these issues.


3a. SQL injection vulnerability due to improper input validation
(CVE-2020-3984)

Description

The SD-WAN Orchestrator does not apply correct input validation, which
allows for SQL injection. VMware has evaluated the severity of this
issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.1.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit a vulnerable API
call using specially crafted SQL queries which may lead to unauthorized
data access.

Resolution

To remediate CVE-2020-3984 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds

None.


Additional Documentation

None.


Notes

None.


Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for
reporting this issue to us.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Any         CVE-2020-3984   7.1     important  Not affected                                                    N/A          N/A
SD-WAN Orchestrator  3.x      N/A         CVE-2020-3984   7.1     important  3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA  None         None


3b. Directory traversal file execution (CVE-2020-4000)

Description

The SD-WAN Orchestrator allows for executing files through directory
traversal. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user is able to traverse
directories, which may lead to execution of files.

Resolution

To remediate CVE-2020-4000 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds

None.


Additional Documentation

None.


Notes

None.


Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for
reporting this issue to us.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4000   6.5     moderate   4.0.1                                                           None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4000   6.5     moderate   3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA  None         None


3c. Default passwords Pass-the-Hash Attack (CVE-2020-4001)

Description

The SD-WAN Orchestrator has default passwords allowing for a
Pass-the-Hash Attack. VMware has evaluated the severity of this issue to
be in the moderate severity range.

Known Attack Vectors:

SD-WAN Orchestrator ships with default passwords for predefined accounts
which may lead to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of
predefined accounts on freshly installed systems, allowing for
Pass-the-Hash attacks. That same system could be accessed by an attacker
using the default password for the predefined account.


Resolution:

To remediate CVE-2020-4001, change the default passwords of the
preconfigured accounts on SD-WAN Orchestrator before production use.


Workarounds:

None


Additional Documentation:

None.


Acknowledgements:

VMware would like to thank Ariel Tempelhof of Realmode Labs for
reporting this issue to us.


Notes

None.


Response Matrix:

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4001   N/A     moderate   See Resolution section                                          None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4001   N/A     moderate   See Resolution section                                          None         None

3d. API endpoint privilege escalation (CVE-2020-3985)

Description:

The SD-WAN Orchestrator allows access to set arbitrary authorization
levels, leading to a privilege escalation issue. VMware has evaluated the
severity of this issue to be in the Important severity range with a
maximum CVSSv3 base score of 7.5.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may exploit an application
weakness and call a vulnerable API to elevate their privileges.

Resolution:

To remediate CVE-2020-3985, apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:

None.


Additional Documentation:

None.


Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test
Analyst at State Farm for reporting this issue to us.


Notes:

None.


Response Matrix:

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-3985   7.5     important  Not affected                                                    N/A          N/A
SD-WAN Orchestrator  3.x      Linux       CVE-2020-3985   7.5     important  3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA  None         None

3e. Unsafe handling of system parameters (CVE-2020-4002)

Description:

The SD-WAN Orchestrator handles system parameters in an insecure way.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.2.


Known Attack Vectors:

An authenticated SD-WAN Orchestrator user with high privileges may be
able to execute arbitrary code on the underlying operating system.


Resolution:

To remediate CVE-2020-4002, apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:
None


Additional Documentation:
None


Acknowledgements:

VMware would like to thank Christopher Schneider, Cory Billington and
Nicholas Spagnola - Penetration Test Analysts at State Farm for
reporting this issue to us.


Notes:
None


Response Matrix:
Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4002   7.2     important  4.0.1                                                           None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4002   7.2     important  3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA  None         None

3f. SQL injection Information Disclosure (CVE-2020-4003)

Description:

The SD-WAN Orchestrator was found to be vulnerable to SQL-injection
attacks allowing for potential information disclosure. VMware has
evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 6.3.


Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may inject code into SQL
queries which may lead to information disclosure.


Resolution:

To remediate CVE-2020-4003, apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:
None


Additional Documentation:
None


Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test
Analyst at State Farm for reporting this issue to us.


Notes:
None


Response Matrix:
Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                                                   Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4003   6.3     moderate   4.0.1                                                           None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4003   6.3     moderate   3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA  None         None


4. References

Fixed Version(s) and Release Notes:

4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html

3.4.4
https://www.vmware.com/go/download-sd-wan

3.3.2 P3
https://www.vmware.com/go/download-sd-wan


Additional Documentation:
None


Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4003


FIRST CVSSv3 Calculator:

CVE-2020-3984 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVE-2020-4000 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

CVE-2020-3985 -
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-4002 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-4003 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L


5. Change Log

2020-11-18: VMSA-2020-0025
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


