Critical VMware Bug Opens Up Corporate Treasure to Hackers (Security News, April 2020)
A critical information-disclosure bug in VMware's Directory Service could lay bare the contents of entire corporate virtual infrastructures, if exploited by cyberattackers.
vmdir, the VMware Directory Service, is a central component of vCenter Single Sign-On (SSO). vmdir is also used for certificate management for the workloads governed by vCenter, according to VMware.
"VMware, one of, if not the most, popular virtualization software companies in the world, recently patched an extremely critical information disclosure vulnerability, one of the most severe vulnerabilities that has affected VMware software," Chris Hass, director of information security and research at Automox, told Threatpost.
"vCenter Server provides a centralized platform for controlling VMware vSphere environments; it helps manage virtual infrastructure in a tremendous number of hybrid clouds, so the scope and impact of this vulnerability is quite large. Organizations using vCenter need to check their vmdir logs for affected versions, ACL MODE: legacy, and patch immediately."
No specific acknowledgments were given for the bug discovery - VMware noted only that it was "Disclosed privately."
News URL: https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/