That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed
A critical vulnerability in VMware's vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.
The astonishing vuln, details of which were quite spare when VMware issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest possible score.
Guardicore researcher JJ Lehman told The Register: "You have to be network accessible but you don't have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts."
Curiosity piqued as they examined the vCenter patch binaries, Guardicore's researchers discovered a VMware Github repo called Project Lightning which happened to contain an identical copy of VMware's Directory Service code.
Lehman and Ziv could create a new user account and assign it full admin permissions, all because vCenter did not thoroughly authenticate and cross-check external inputs.
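The root cause described above, a privileged directory operation that never verifies who is asking, is a general failure class, and the following added example illustrates it in a deliberately simplified form. This is constructed illustration code, not VMware's Directory Service code and not Guardicore's research code; the `Directory`, `Session`, `create_user_weak` and `create_user_hardened` names are assumptions. The weak handler accepts an account-creation request from any network caller, while the hardened handler insists on an authenticated session and refuses to grant a role the caller does not hold.

```python
"""Constructed example: a toy directory service that handles account-creation
requests arriving over the network. Not VMware code; names are hypothetical."""

from dataclasses import dataclass, field

ADMIN_ROLE = "admin"


class AuthorizationError(Exception):
    """Raised when a request lacks the authentication or roles it needs."""


@dataclass(frozen=True)
class Session:
    """What the service knows about the caller of a request."""
    principal: str
    authenticated: bool
    roles: frozenset = frozenset()


# A caller that never bound to the directory at all (hypothetical default).
ANONYMOUS = Session(principal="anonymous", authenticated=False)


@dataclass
class Directory:
    """Account store: user name -> set of roles held by that user."""
    users: dict = field(default_factory=dict)

    def __post_init__(self):
        # Constructed seed account so the hardened path has a legitimate admin.
        self.users.setdefault("administrator", {ADMIN_ROLE})


def create_user_weak(directory, session, name, roles):
    """Weak handler: the only 'check' is that a request reached the service.
    The session's authentication state and roles are never consulted, so an
    unauthenticated network caller can mint a full administrator."""
    directory.users[name] = set(roles)
    return True


def create_user_hardened(directory, session, name, roles):
    """Hardened handler: authenticate the caller, reject duplicate names, and
    only allow granting roles the caller itself holds (no self-escalation)."""
    if session is None or not session.authenticated:
        raise AuthorizationError("unauthenticated request")
    if name in directory.users:
        raise ValueError(f"user {name!r} already exists")
    missing = set(roles) - set(session.roles)
    if missing:
        raise AuthorizationError(f"caller lacks roles: {sorted(missing)}")
    directory.users[name] = set(roles)
    return True


def run_scenarios():
    """Exercise both handlers with an anonymous caller, an authenticated
    low-privilege caller, and a real administrator. Returns a dict of outcomes
    so the results can be inspected or asserted on."""
    outcomes = {}

    weak_dir = Directory()
    create_user_weak(weak_dir, ANONYMOUS, "backdoor", {ADMIN_ROLE})
    outcomes["weak_anon_created_admin"] = ADMIN_ROLE in weak_dir.users.get("backdoor", set())

    hard_dir = Directory()
    try:
        create_user_hardened(hard_dir, ANONYMOUS, "backdoor", {ADMIN_ROLE})
        outcomes["hard_anon"] = "allowed"
    except AuthorizationError:
        outcomes["hard_anon"] = "rejected"

    operator = Session(principal="operator", authenticated=True, roles=frozenset({"viewer"}))
    try:
        create_user_hardened(hard_dir, operator, "backdoor", {ADMIN_ROLE})
        outcomes["hard_low_priv"] = "allowed"
    except AuthorizationError:
        outcomes["hard_low_priv"] = "rejected"

    admin = Session(principal="administrator", authenticated=True, roles=frozenset({ADMIN_ROLE}))
    create_user_hardened(hard_dir, admin, "second-admin", {ADMIN_ROLE})
    outcomes["hard_admin_created"] = "second-admin" in hard_dir.users
    outcomes["hard_backdoor_absent"] = "backdoor" not in hard_dir.users
    return outcomes


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the two handlers side by side is that network reachability is not an identity: every privileged directory operation must bind the request to an authenticated principal and compare the requested privilege against what that principal already holds, which is exactly the cross-check the article says vCenter skipped.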
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)