-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4113
       VMware SD-WAN Orchestrator updates address multiple security
                              vulnerabilities
                             19 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware SD-WAN Orchestrator (SD-WAN Orchestrator)
Publisher:         VMWare
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4003 CVE-2020-4002 CVE-2020-4001
                   CVE-2020-4000 CVE-2020-3985 CVE-2020-3984

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2020-0025.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

Important

Advisory ID: VMSA-2020-0025

CVSSv3 Range: 6.3 - 7.5

Issue Date: 2020-11-18
Updated On: 2020-11-18 (Initial Advisory)

CVE(s): CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001,
CVE-2020-4002, CVE-2020-4003
Synopsis: VMware SD-WAN Orchestrator updates address multiple security
vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001,
CVE-2020-4002, CVE-2020-4003)


2. Introduction

Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to
VMware. Patches and workarounds are available to remediate or work around these
vulnerabilities in affected VMware products. VMware-hosted SD-WAN Orchestrators
have been patched for these issues.

3a. SQL injection vulnerability due to improper input validation
(CVE-2020-3984)

Description

The SD-WAN Orchestrator does not apply correct input validation which allows
for SQL-injection. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call
using specially crafted SQL queries which may lead to unauthorized data access.

Resolution

To remediate CVE-2020-3984 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.

Response Matrix

Product      Version Running CVE           CVSSv3 Severity  Fixed Version      Workarounds Additional
                     On      Identifier                                                    Documentation
SD-WAN       4.x     Any     CVE-2020-3984 7.1    important Not affected       N/A         N/A
Orchestrator
                                                            3.3.2 p3 build
SD-WAN       3.x     N/A     CVE-2020-3984 7.1    important 3.3.2-GA-20201103, None        None
Orchestrator                                                3.4.4 build
                                                            R344-20201103-GA

3b. Directory traversal file execution (CVE-2020-4000)

Description

The SD-WAN Orchestrator allows for executing files through directory
traversal. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user is able to traverse directories,
which may lead to execution of files.
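
For a sense of the check that closes this class of bug, here is an added Python example written for this bulletin; it is not code from VMware or the SD-WAN Orchestrator. A script path supplied by a caller is joined to a fixed base directory, canonicalised, and rejected unless the resolved path is still inside that base and names an approved script. The directory layout, script names and allowlist are constructed for the demo.

```python
import os
import tempfile

# Constructed allowlist of scripts an API caller may trigger; not product values.
APPROVED_SCRIPTS = frozenset({"backup.sh", "rotate-logs.sh"})


class PathOutsideBase(ValueError):
    """Raised when a requested path escapes the configured base directory."""


def safe_join(base_dir: str, requested: str) -> str:
    """Join caller input to base_dir and prove the result stays inside it.

    Resolution happens after joining (so '..' segments and symlinks are
    collapsed), and containment is checked on canonical paths rather than by
    string prefix, so '/srv/scripts-evil' does not pass as '/srv/scripts'.
    """
    if os.path.isabs(requested):
        raise PathOutsideBase(requested)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathOutsideBase(requested)
    return candidate


def authorize_script(base_dir: str, requested: str) -> str:
    """Return the canonical path of an approved script, or raise.

    Containment alone is not enough: a file inside the base that is not on
    the allowlist (an uploaded one, say) must still be refused before the
    path is handed to subprocess.run or similar.
    """
    path = safe_join(base_dir, requested)
    if os.path.basename(path) not in APPROVED_SCRIPTS:
        raise PermissionError(f"script not approved: {requested}")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path


def make_sandbox() -> str:
    """Create a constructed directory tree for the demo and return the base dir."""
    root = tempfile.mkdtemp(prefix="sdwan-demo-")
    base = os.path.join(root, "scripts")
    os.makedirs(os.path.join(base, "nested"))
    for name in ("backup.sh", "uploaded.sh"):
        with open(os.path.join(base, name), "w") as fh:
            fh.write("#!/bin/sh\necho constructed\n")
    with open(os.path.join(root, "secret.sh"), "w") as fh:  # outside the base
        fh.write("#!/bin/sh\necho outside\n")
    return base


def classify(base_dir: str, requested: str) -> str:
    """Map a request to an outcome label, useful for audit logging and tests."""
    try:
        authorize_script(base_dir, requested)
        return "allowed"
    except PathOutsideBase:
        return "traversal-rejected"
    except PermissionError:
        return "not-on-allowlist"
    except FileNotFoundError:
        return "missing"


if __name__ == "__main__":
    base = make_sandbox()
    for req in ("backup.sh", "nested/../backup.sh", "../secret.sh",
                "uploaded.sh", "/tmp/outside.sh"):
        print(f"{req!r:24} -> {classify(base, req)}")
```

The two layers are deliberately separate: `safe_join` answers "is this path inside the directory I meant?", and `authorize_script` answers "is this one of the files I intended to be runnable at all?". Either check on its own leaves a gap.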

Resolution

To remediate CVE-2020-4000 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.

Response Matrix

Product      Version Running CVE           CVSSv3 Severity Fixed Version      Workarounds Additional
                     On      Identifier                                                   Documentation
SD-WAN       4.x     Linux   CVE-2020-4000 6.5    moderate 4.0.1              None        None
Orchestrator
                                                           3.3.2 p3 build
SD-WAN       3.x     Linux   CVE-2020-4000 6.5    moderate 3.3.2-GA-20201103, None        None
Orchestrator                                               3.4.4 build
                                                           R344-20201103-GA

3c. Default passwords Pass-the-Hash Attack (CVE-2020-4001)

Description

The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash
Attack. VMware has evaluated the severity of this issue to be in the moderate
severity range.

Known Attack Vectors:

SD-WAN Orchestrator ships with default passwords for predefined accounts, which
may lead to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of
predefined accounts on freshly installed systems, allowing for
Pass-the-Hash attacks. That same system could be accessed by an attacker using
the default password for the predefined account.
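
The note above describes the weakness in general terms: when every fresh install derives the predefined account's hash from the same password and the same salt, the stored hash is identical across installs and is itself a reusable credential. The following Python block is an added illustration written for this bulletin, not code from VMware or the SD-WAN Orchestrator; the salt, default password and iteration count are constructed placeholders. It contrasts a fixed salt with a per-install random salt and includes the deployment check the Resolution calls for: detecting accounts that still verify against the default password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholders: none of these values come from the product.
FIXED_SALT = b"constructed-fixed-salt"   # stands in for "the same salt" on every install
DEFAULT_PASSWORD = "changeme"            # stands in for a predefined account's default
ITERATIONS = 50_000                      # kept low for a quick demo; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def provision_account(password: str = DEFAULT_PASSWORD,
                      salt: Optional[bytes] = None) -> dict:
    """Simulate creating a predefined account on a fresh install.

    salt=FIXED_SALT models the weak behaviour (same salt everywhere);
    salt=None models the hardened behaviour (fresh random salt per install).
    """
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def hashes_identical_across_installs(salt: Optional[bytes], installs: int = 3) -> bool:
    """True when every fresh install stores the same hash for the default password.

    With a fixed salt the stored value is predictable and reusable between
    systems; with random salts each install differs even though the password
    is the same, so a captured hash is tied to the one system it came from.
    """
    stored = {provision_account(salt=salt)["hash"] for _ in range(installs)}
    return len(stored) == 1


def still_on_default_password(record: dict) -> bool:
    """Deployment check matching the Resolution: flag accounts whose stored
    credential still verifies against the default password."""
    return verify(record, DEFAULT_PASSWORD)


if __name__ == "__main__":
    print("fixed salt  -> identical hashes across installs:",
          hashes_identical_across_installs(FIXED_SALT))
    print("random salt -> identical hashes across installs:",
          hashes_identical_across_installs(None))
    acct = provision_account()
    print("fresh install still on default password:", still_on_default_password(acct))
```

Random salting removes the cross-install reuse, but it does not remove the second problem the note raises: an account on its shipped default password is reachable with that password regardless of how it is hashed. `still_on_default_password` is the check to run before a system goes into production.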

Resolution:

To remediate CVE-2020-4001, change the default passwords of the preconfigured
accounts on SD-WAN Orchestrator before production use.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this
issue to us.

Notes

None.

Response Matrix:

Product      Version Running CVE           CVSSv3 Severity Fixed      Workarounds Additional
                     On      Identifier                    Version                Documentation
SD-WAN                                                     See
Orchestrator 4.x     Linux   CVE-2020-4001 n/a    moderate Resolution None        None
                                                           section
SD-WAN                                                     See
Orchestrator 3.x     Linux   CVE-2020-4001 N/A    moderate Resolution None        None
                                                           section

3d. API endpoint privilege escalation (CVE-2020-3985)

Description:

The SD-WAN Orchestrator allows access to set arbitrary authorization levels
leading to a privilege escalation issue. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.5.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may exploit an application weakness
and call a vulnerable API to elevate their privileges.

Resolution:

To remediate CVE-2020-3985, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test Analyst at
State Farm for reporting this issue to us.

Notes:

None.

Response Matrix:

Product      Version Running CVE           CVSSv3 Severity  Fixed Version      Workarounds Additional
                     On      Identifier                                                    Documentation
SD-WAN       4.x     Linux   CVE-2020-3985 7.5    important Not affected.      N/A         N/A
Orchestrator
                                                            3.3.2 p3 build
SD-WAN       3.x     Linux   CVE-2020-3985 7.5    important 3.3.2-GA-20201103, None        None
Orchestrator                                                3.4.4 build
                                                            R344-20201103-GA

3e. Unsafe handling of system parameters (CVE-2020-4002)

Description:

The SD-WAN Orchestrator handles system parameters in an insecure way. VMware
has evaluated the severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user with high privileges may be able to
execute arbitrary code on the underlying operating system.

Resolution:

To remediate CVE-2020-4002, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Christopher Schneider, Cory Billington and Nicholas
Spagnola - Penetration Test Analysts at State Farm for reporting this issue to
us.

Notes:

None.

Response Matrix:

Product      Version Running CVE           CVSSv3 Severity  Fixed Version      Workarounds Additional
                     On      Identifier                                                    Documentation
SD-WAN       4.x     Linux   CVE-2020-4002 7.2    important 4.0.1              None        None
Orchestrator
                                                            3.3.2 p3 build
SD-WAN       3.x     Linux   CVE-2020-4002 7.2    important 3.3.2-GA-20201103, None        None
Orchestrator                                                3.4.4 build
                                                            R344-20201103-GA

3f. SQL injection Information Disclosure (CVE-2020-4003)

Description:

The SD-WAN Orchestrator was found to be vulnerable to SQL-injection attacks
allowing for potential information disclosure. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.3.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may inject code into SQL queries
which may lead to information disclosure.

Resolution:

To remediate CVE-2020-4003, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test Analyst at
State Farm for reporting this issue to us.

Notes:

None.

Response Matrix:

Product      Version Running CVE           CVSSv3 Severity Fixed Version      Workarounds Additional
                     On      Identifier                                                   Documentation
SD-WAN       4.x     Linux   CVE-2020-4003 6.3    moderate 4.0.1              None        None
Orchestrator
                                                           3.3.2 p3 build
SD-WAN       3.x     Linux   CVE-2020-4003 6.3    moderate 3.3.2-GA-20201103, None        None
Orchestrator                                               3.4.4 build
                                                           R344-20201103-GA

4. References

Fixed Version(s) and Release Notes:

4.0.1
https://www.vmware.com/go/download-sd-wan
https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/4.0.1/rn/VMware-SD-WAN-401-Release-Notes.html
3.4.4
https://www.vmware.com/go/download-sd-wan
3.3.2 P3
https://www.vmware.com/go/download-sd-wan

Additional Documentation:

None.

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4001
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4003

FIRST CVSSv3 Calculator:

CVE-2020-3984 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVE-2020-4000 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
CVE-2020-3985 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4002 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2020-4003 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

5. Change Log

2020-11-18: VMSA-2020-0025
Initial security advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX7X7z+NLKJtyKPYoAQjmpA//c1VTozxMzLKcvAojdDLX6dbpI/QEPyT3
Ix10gy2mz3ftR4L2bhvU/z47TIW8TKrXP0rKMGD/IrEfwIqn2l2nwZTTCWOhULmG
cc/If+zAHlra5w7F/QGWSjJaLtwatTGYGTzUV4tb130y/ErycAcp5POT/dUcneqO
gaRoNbiqBN3lmRo3lW04IxHLM4jhrYadQawG32lDwgraBmFTWK73VRvP2RO4UWYi
4ATHaixIJkgkZ2No/H8d4aFgjvv4uWog/ITuqXs+NJK2Mc5I++XJVoSwGW4AP8hg
c8QLYoOYW6dZF3p1Acm/Xu9RvjxA74rSyb/YZtZJdcyCpoAPdBEgttmhHoE2Rw1a
XImr3BWfsD67GaL8S1Y07Fvz4Exyb5Z3f3hCH9j1inLS66cLky7xSMKTYLj3B3R0
ozZWMhTF9uqtf0UOirT9CkYcNcNVAfzgkJQYcA0b+YXKu3Ihd6OO9zkQc8r9WzwV
lthYX6nvCS0FjWBvoKx9GhFPFpBDubmD4KPrN0HcvhsxpaNcmSq4wi6/ixNCwHYL
UBo7joqsqD+lkUadTSRVQe8gJTtP0SaZHwJS9kPINyqdPYEDQuQgGZocdE++rMs1
yy+tGsotRPbQZKrIYwFVjiIvmoVQAMC5O1mp869lYwd1qy0kOemL+EVwVNSwHT13
Ii5izWEkEDg=
=wGTN
-----END PGP SIGNATURE-----