VMware Has Issued a Patch for 10.0 CVSS Vulnerability on vCenter – Patch Now!
VMware has assigned the highest Common Vulnerability Scoring System 3 (CVSSv3) rating, 10.0, to a vulnerability (CVE-2020-3952) in its vCenter Server version 6.7 software. VMware has released a patch that addresses this vulnerability, and administrators are urged to install it as soon as possible.
The vulnerability lies in the VMware Directory service (vmdir), which does not properly implement access controls. A malicious actor can exploit vmdir to obtain information that can be used to compromise vCenter Server – the centralized management software through which administrators manage all of their virtual machines, ESXi hosts, virtual servers, and vMotion.
As a result, VMware has classified the advisory (VMSA-2020-0006) as critical and assigned it the highest CVSSv3 rating of 10.0.
To resolve the issue, VMware has released vCenter Server version 6.7u3f, which addresses this vulnerability. Administrators running vCenter Server version 6.7, in either the virtual appliance or the Windows form, are strongly urged to install this patch as soon as possible.
Note that vCenter Server versions 6.5 and 7.0 remain unaffected by this vulnerability.
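The facts above reduce to a simple exposure rule: a vCenter Server is affected when it is a 6.7 release older than 6.7u3f, and 6.5 and 7.0 are not affected. The following Python script is an added example, not VMware's code and not part of the original article, that applies that rule to a fleet inventory so the 6.7 instances still needing the patch can be listed. It assumes version strings in the form "6.7", "6.7u3f" or "6.7 Update 3f" (the regex is an assumption; adjust it to whatever your inventory tool records), and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Accepts "6.7", "6.7.0", "6.7u3", "6.7u3f" and "6.7 Update 3f".
# The notation is an assumption for this example, not a VMware-defined format.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.\d+)?(?:\s*(?:u|update)\s*(\d+)([a-z])?)?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Return (major, minor, update_number, update_letter) for ordering."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return int(major), int(minor), int(update or 0), (letter or "").lower()


# The fixed release named in VMSA-2020-0006.
FIXED_6_7 = parse_version("6.7u3f")


def is_affected(version: str) -> bool:
    """True when the version is a 6.7 release older than 6.7u3f.

    Only the 6.7 line is affected; 6.5 and 7.0 are stated as unaffected.
    Tuple comparison orders "6.7" < "6.7u3" < "6.7u3e" < "6.7u3f".
    """
    v = parse_version(version)
    if v[:2] != (6, 7):
        return False
    return v < FIXED_6_7


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "vcsa-prod-01.example.internal", "version": "6.7u3e"},
    {"host": "vcsa-prod-02.example.internal", "version": "6.7u3f"},
    {"host": "vcenter-win-01.example.internal", "version": "6.7"},
    {"host": "vcsa-lab-01.example.internal", "version": "6.5u3"},
    {"host": "vcsa-new-01.example.internal", "version": "7.0 Update 1"},
    {"host": "vcsa-unknown.example.internal", "version": "n/a"},
]


def triage(inventory: List[Dict[str, str]]) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (needs_patch, not_affected, unparsable) host lists."""
    needs_patch: List[str] = []
    not_affected: List[str] = []
    unparsable: List[str] = []
    for record in inventory:
        try:
            affected = is_affected(record["version"])
        except ValueError:
            # A version we cannot parse must be checked by hand, never assumed safe.
            unparsable.append(record["host"])
            continue
        (needs_patch if affected else not_affected).append(record["host"])
    return needs_patch, not_affected, unparsable


if __name__ == "__main__":
    needs_patch, not_affected, unparsable = triage(SAMPLE_INVENTORY)
    print("Install vCenter Server 6.7u3f on:")
    for host in needs_patch:
        print(f"  {host}")
    print("Not affected (6.5 / 7.0 / already 6.7u3f):")
    for host in not_affected:
        print(f"  {host}")
    print("Version not recognised, verify manually:")
    for host in unparsable:
        print(f"  {host}")
```

The ordering relies on VMware's update-letter suffixes increasing alphabetically within an update line; confirm the result against the build numbers in VMware's release notes before closing a ticket, and treat any host whose version cannot be parsed as unverified rather than safe.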
Our Take
Update your vCenter Server 6.7 installations immediately! This recently identified vulnerability enables malicious actors to compromise the very core of your virtual server environment, with devastating consequences for your production environment and critical servers.
These same malicious actors can then bring down your production and business-critical servers, adversely affecting your operations. Additionally, they have the ability to then access your virtual machines or intercept any inter-server communications, gaining access to your critical and sensitive data.