===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4113
   VMware SD-WAN Orchestrator updates address multiple security vulnerabilities
                              19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware SD-WAN Orchestrator (SD-WAN Orchestrator)
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4003 CVE-2020-4002 CVE-2020-4001 CVE-2020-4000
                   CVE-2020-3985 CVE-2020-3984

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2020-0025.html

--------------------------BEGIN INCLUDED TEXT--------------------

VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

Advisory Severity: Important
Advisory ID:       VMSA-2020-0025
CVSSv3 Range:      6.3 - 7.5
Issue Date:        2020-11-18
Updated On:        2020-11-18 (Initial Advisory)
CVE(s):            CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001,
                   CVE-2020-4002, CVE-2020-4003
Synopsis:          VMware SD-WAN Orchestrator updates address multiple security
                   vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000,
                   CVE-2020-4001, CVE-2020-4002, CVE-2020-4003)

2. Introduction

Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to
VMware. Patches and workarounds are available to remediate or work around
these vulnerabilities in affected VMware products. VMware-hosted SD-WAN
Orchestrators have been patched for these issues.

3a. SQL injection vulnerability due to improper input validation (CVE-2020-3984)

Description

The SD-WAN Orchestrator does not apply correct input validation, which allows
for SQL injection.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call
using specially crafted SQL queries, which may lead to unauthorized data
access.

Resolution

To remediate CVE-2020-3984 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                      Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Any         CVE-2020-3984   7.1     important  Not affected                       N/A          N/A
SD-WAN Orchestrator  3.x      N/A         CVE-2020-3984   7.1     important  3.3.2 p3 build 3.3.2-GA-20201103,  None         None
                                                                             3.4.4 build R344-20201103-GA

3b. Directory traversal file execution (CVE-2020-4000)

Description

The SD-WAN Orchestrator allows for executing files through directory
traversal.

VMware has evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user is able to traverse directories,
which may lead to code execution of files.

Resolution

To remediate CVE-2020-4000 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.
Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version                      Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4000   6.5     moderate  4.0.1                              None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4000   6.5     moderate  3.3.2 p3 build 3.3.2-GA-20201103,  None         None
                                                                            3.4.4 build R344-20201103-GA

3c. Default passwords Pass-the-Hash Attack (CVE-2020-4001)

Description

The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash
attack.

VMware has evaluated the severity of this issue to be in the Moderate severity
range.

Known Attack Vectors

SD-WAN Orchestrator ships with default passwords for predefined accounts,
which may lead to a Pass-the-Hash attack.

Note: The same salt is used in conjunction with the default password of
predefined accounts on freshly installed systems, allowing for Pass-the-Hash
attacks. That same system could be accessed by an attacker using the default
password for the predefined account.

Resolution

To remediate CVE-2020-4001, change the default passwords of the preconfigured
accounts on SD-WAN Orchestrator before production use.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.

Notes

None.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version           Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4001   N/A     moderate  See Resolution section  None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4001   N/A     moderate  See Resolution section  None         None

3d. API endpoint privilege escalation (CVE-2020-3985)

Description

The SD-WAN Orchestrator allows access to set arbitrary authorization levels,
leading to a privilege escalation issue.

VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit an application weakness
and call a vulnerable API to elevate their privileges.

Resolution

To remediate CVE-2020-3985, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Christopher Schneider, Penetration Test Analyst at
State Farm, for reporting this issue to us.

Notes

None.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                      Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-3985   7.5     important  Not affected                       N/A          N/A
SD-WAN Orchestrator  3.x      Linux       CVE-2020-3985   7.5     important  3.3.2 p3 build 3.3.2-GA-20201103,  None         None
                                                                             3.4.4 build R344-20201103-GA

3e. Unsafe handling of system parameters (CVE-2020-4002)

Description

The SD-WAN Orchestrator handles system parameters in an insecure way.

VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user with high privileges may be able to
execute arbitrary code on the underlying operating system.

Resolution

To remediate CVE-2020-4002, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Christopher Schneider, Cory Billington and Nicholas
Spagnola, Penetration Test Analysts at State Farm, for reporting this issue to
us.
Notes

None.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity   Fixed Version                      Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4002   7.2     important  4.0.1                              None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4002   7.2     important  3.3.2 p3 build 3.3.2-GA-20201103,  None         None
                                                                             3.4.4 build R344-20201103-GA

3f. SQL injection Information Disclosure (CVE-2020-4003)

Description

The SD-WAN Orchestrator was found to be vulnerable to SQL injection attacks,
allowing for potential information disclosure.

VMware has evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 6.3.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may inject code into SQL queries,
which may lead to information disclosure.

Resolution

To remediate CVE-2020-4003, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Christopher Schneider, Penetration Test Analyst at
State Farm, for reporting this issue to us.

Notes

None.

Response Matrix

Product              Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version                      Workarounds  Additional Documentation
SD-WAN Orchestrator  4.x      Linux       CVE-2020-4003   6.3     moderate  4.0.1                              None         None
SD-WAN Orchestrator  3.x      Linux       CVE-2020-4003   6.3     moderate  3.3.2 p3 build 3.3.2-GA-20201103,  None         None
                                                                            3.4.4 build R344-20201103-GA
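Both SQL injection findings in this advisory (3a, CVE-2020-3984, and 3f, CVE-2020-4003) come down to caller-supplied values being assembled into query text by an API that an authenticated user can reach. The following Python example is added here as an illustration; it is not code from the SD-WAN Orchestrator, from VMware or from the advisory. It places the two patterns side by side against a constructed in-memory SQLite table: a lookup that splices the caller's value into the SQL (the information-disclosure outcome the advisory describes), and the hardened lookup that binds the value as a parameter and allow-lists the one identifier, a sort column, that cannot be bound. The table layout, sample rows and function names are assumptions of the example.

```python
import sqlite3

# Constructed sample data standing in for an orchestrator's user store;
# nothing here is taken from the VMware product or the advisory.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "operator"),
    ("carol", "carol@example.test", "viewer"),
]

# Columns an API caller is allowed to sort on. SQL identifiers cannot be
# bound as query parameters, so they are validated against this allow-list
# instead of being spliced in unchecked.
ALLOWED_SORT_COLUMNS = {"username", "email", "role"}


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable pattern: the caller-controlled value becomes part of the SQL text.

    A value containing a quote character changes the structure of the query,
    which is how a single-row lookup turns into a dump of every row: the
    information-disclosure outcome described for CVE-2020-3984/4003.
    """
    query = f"SELECT username, email, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user(conn, username, sort_by="username"):
    """Hardened pattern: bound parameter for the value, allow-list for the identifier.

    The driver passes `username` to the engine as data, so quote characters in
    it can never alter the query. `sort_by` is an identifier and cannot be
    bound, so it is checked against ALLOWED_SORT_COLUMNS before being placed
    in the SQL; anything else is rejected rather than sanitised.
    """
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    query = (
        "SELECT username, email, role FROM users WHERE username = ? "
        f"ORDER BY {sort_by}"
    )
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, crafted))  # every row comes back
    print("safe:  ", lookup_user(db, crafted))         # no such user: []
```

The point of the allow-list is that it is the only defensible way to let a caller choose a column or table name: escaping an identifier is error-prone across SQL dialects, while a fixed set of accepted names leaves nothing for crafted input to bend.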
4. References

Fixed Version(s) and Release Notes:

4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html

3.4.4
https://www.vmware.com/go/download-sd-wan

3.3.2 P3
https://www.vmware.com/go/download-sd-wan

Additional Documentation: None

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4003

FIRST CVSSv3 Calculator:
CVE-2020-3984 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVE-2020-4000 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
CVE-2020-3985 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4002 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4003 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

5. Change Log

2020-11-18: VMSA-2020-0025 Initial security advisory.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================