Fix for critical VMWare vCenter Server vulnerability CVE-2020-3952

[German]There is a critical vulnerability CVE-2020-3952 in VMWare vCenter Server for which the vendor has now released a security update. 


vCenter Server enables IT administrators to centrally manage virtualized hosts and virtual machines in enterprise environments from a single console. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert regarding this product on April 10, 2020. The security warning refers to the VMware Security Advisory VMSA-2020-0006

Vulnerability CVE-2020-3952

CVE-2020-3952 in VMware vCenter Server was privately reported to the vendor by a security researcher and is now rated with a CVE index of 10 (highest possible score). The issue is that vmdir, which ships with VMware vCenter Server as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls under certain conditions..

An attacker with network access to an affected vmdir instance may be able to extract highly sensitive information. This information could be used to compromise vCenter Server or other services that depend on vmdir for authentication.

What is affected?

CVE-2020-3952 affects vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f when updated from an earlier release line such as 6.0 or 6.5. A clean reinstallation of vCenter Server 6.7 (embedded or external PSC) is not affected.

VMware has published KB article 78543 with guidance on how to determine whether an installation is affected by the vulnerability. VMware recommends that you upgrade to vCenter Server vCenter Server 6.7u3f. For more details, see VMware Security Advisory SA-2020-0006. (via)


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software, Virtualization and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *