Security News > 2020 > April > That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed
A critical vulnerability in VMware's vCenter management product allowed any old bod on the same network to remotely create an admin-level user, research by Guardicore Labs has revealed.
The astonishing vuln, details of which were quite spare when VMWare issued a patch last week, was rated by VMware itself as CVSS v3 10.0, the highest level.
Guardicore researcher JJ Lehman told The Register: "You have to be network accessible but you don't have to be authenticated in any way to pull this off. Which means as an attacker who has already breached the perimeter of a network, as long as [you have] access to the vCenter, you essentially control everything on their VMware hosts."
Curiosity piqued as they examined the vCenter patch binaries, Guardicore's researchers discovered a VMware Github repo called Project Lightning which happened to contain an identical copy of VMware's Directory Service code.
Lehman and Ziv could create a new user account and assign them full admin permissions, all because vCenter did not thoroughly authenticate and cross-check external inputs.
News URL
Related news
- Broadcom fixes critical RCE bug in VMware vCenter Server (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical VMware vCenter Server bugs fixed (CVE-2024-38812) (source)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 (source)