Remedy on CVE-2020-11651, CVE-2020-11652: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities – 12th May 2020

Preface: If an application does not defend against directory traversal attacks, an attacker can request a URL such as the following: hxxp://xxx[.]com/loadImage?filename=../../../etc/passwd
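The defense the preface refers to, shown as an added example that is not from the original post or from VMware or SaltStack code: a hypothetical `resolve_image` helper for a `loadImage` handler resolves the `filename` parameter against an assumed image directory and rejects anything that escapes it. The directory, the helper names and the sample requests are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested name resolves outside the image directory."""


def resolve_image(base_dir: str, filename: str) -> str:
    """Return the real path of `filename` inside `base_dir`, or raise."""
    # Assumption: the value may still be percent-encoded when it arrives.
    # The decoded form is used for both the check and the returned path.
    name = unquote(filename)
    if "\x00" in name:
        raise TraversalError("NUL byte in filename")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks; an absolute `name`
    # makes join() discard `base`, which the containment check catches.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"{filename!r} escapes {base}")
    return candidate


def is_allowed(base_dir: str, filename: str) -> bool:
    try:
        resolve_image(base_dir, filename)
        return True
    except ValueError:  # TraversalError, or commonpath() on mixed drives
        return False


def demo() -> dict:
    """Run constructed requests against a temporary image directory."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "icons"))
        requests = [
            "logo.png",
            "icons/app.png",
            "../../../etc/passwd",  # the request from the preface
            "icons/../../secret.txt",
            "/etc/passwd",
            "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        ]
        return {r: is_allowed(base, r) for r in requests}


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5}  {request}")
```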

Vulnerability details: The VMware Application Remote Collector (ARC), introduced with vRealize Operations Manager 7.5, can integrate with Salt (SaltStack). However, the vulnerabilities (CVE-2020-11651 and CVE-2020-11652) found in SaltStack this month also affect VMware operations at the same time. The SaltStack flaws leave VMware vRealize Operations Manager (vROps) exposed to a directory traversal vulnerability, and a critical impact (authentication bypass) is also possible. For details, please refer to the official announcement: https://kb.vmware.com/s/article/79031

Observation: From a technical point of view, the design weakness is that Salt opens TCP ports 4505 and 4506 for its service daemon. An attacker can therefore inject commands through this interface without authentication.
