===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1640
            VMware vRealize Operations Manager vulnerabilities
                                11 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vRealize Operations Manager
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11652 CVE-2020-11651 

Reference:         ESB-2020.1607.2
                   ESB-2020.1547

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0009.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+---------+-------------------------------------------------------------------+
|Advisory |VMSA-2020-0009                                                     |
|ID       |                                                                   |
+---------+-------------------------------------------------------------------+
|Advisory |Critical                                                           |
|Severity |                                                                   |
+---------+-------------------------------------------------------------------+
|CVSSv3   |7.5 - 10.0                                                         |
|Range    |                                                                   |
+---------+-------------------------------------------------------------------+
|         |VMware vRealize Operations Manager addresses Authentication Bypass |
|Synopsis |and Directory Traversal vulnerabilities (CVE-2020-11651,           |
|         |CVE-2020-11652)                                                    |
+---------+-------------------------------------------------------------------+
|Issue    |2020-05-08                                                         |
|Date     |                                                                   |
+---------+-------------------------------------------------------------------+
|Updated  |2020-05-08 (Initial Advisory)                                      |
|On       |                                                                   |
+---------+-------------------------------------------------------------------+
|CVE(s)   |CVE-2020-11651, CVE-2020-11652                                     |
+---------+-------------------------------------------------------------------+

1. Impacted Products
VMware vRealize Operations Manager

2. Introduction
Two vulnerabilities were disclosed in Salt, an open source project by
SaltStack, which have been determined to affect VMware vRealize Operations
Manager. Workarounds are available to address these vulnerabilities in affected
VMware products.

3. VMware vRealize Operations Manager (vROps) addresses Authentication Bypass
(CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities.

Description:
The Application Remote Collector (ARC) introduced with vRealize Operations
Manager 7.5 utilizes Salt which is affected by CVE-2020-11651 and
CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to
be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and
CVE-2020-11652 (Directory Traversal) to be in the Important severity range with
a maximum CVSSv3 base score of 7.5.

Known Attack Vectors:
CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network
access to port 4505 or 4506 on the ARC to take control of the ARC and any
Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652
(Directory Traversal) may allow a malicious actor with network access to port
4505 or 4506 on the ARC to access the entirety of the ARC filesystem.

Resolution:
Updates to remediate CVE-2020-11651 and CVE-2020-11652 are forthcoming.
 
Workarounds:
Workarounds for CVE-2020-11651 and CVE-2020-11652 have been documented in the
VMware Knowledge Base article listed in the "Workarounds" column of the
"Response Matrix" below.
 
Additional Documentation:
None.

Notes:
None.
 
Acknowledgements:
None.

+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+
|Product|Version|Running  |CVE Identifier |CVSSV3|Severity|Fixed     |Workarounds|Additional   |
|       |       |On       |               |      |        |Version   |           |Documentation|
+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+
|vROps  |8.1.0  |Virtual  |CVE-2020-11651,|10.0  |Critical|Updates   |KB79031    |None         |
|       |       |Appliance|CVE-2020-11652 |      |        |Pending   |           |             |
+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+
|vROps  |8.0.x  |Virtual  |CVE-2020-11651,|10.0  |Critical|Updates   |KB79031    |None         |
|       |       |Appliance|CVE-2020-11652 |      |        |Pending   |           |             |
+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+
|vROps  |7.5.0  |Virtual  |CVE-2020-11651,|10.0  |Critical|Updates   |KB79031    |None         |
|       |       |Appliance|CVE-2020-11652 |      |        |Pending   |           |             |
+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+
|vROps  |7.0.0  |Virtual  |CVE-2020-11651,|N/A   |N/A     |Unaffected|N/A        |N/A          |
|       |       |Appliance|CVE-2020-11652 |      |        |          |           |             |
+-------+-------+---------+---------------+------+--------+----------+-----------+-------------+

4. References

Workarounds:
https://kb.vmware.com/s/article/79031


3rd Party Disclosure:
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652

FIRST CVSSv3 Calculator:
CVE-2020-11651 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-11652 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


5. Change log

2020-05-08 VMSA-2020-0009
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================