VMware Security Advisory

VMSA-2020-0009 – VMware vRealize Operations Manager Vulnerability

Updated on 16 May 2020 with fixed versions of vRealize Operations.

VMware has released a new security advisory VMSA-2020-0009: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities.

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which is used by VMware vRealize Operations Manager. This advisory documents the remediation of one critical and one important issues. The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt and as such presents two vulnerabilities, one authentication bypass and one directory traversal.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-11651 to the authentication bypass vulnerability and CVE-2020-11652 to the directory traversal.

A malicious actor with network access to port 4505 or 4506 on the ARC may take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. For the second vulnerability, a malicious actor with network access to port 4505 or 4506 on the ARC may access the entirety of the ARC filesystem.

VMSA-2020-0009 – Affected Products and Resolutions

Affected vRealize Operations Manager versions and resolutions:

  • vROPS 7.0.0 – unaffected
  • vROPS 7.5.0 – affected, update available pending, workaround available
  • vROPS 8.0.x – affected, update available pending, workaround available
  • vROPS 8.1.0 – affected, update available pending, workaround available

VMSA-2020-0009 – Fixed Versions

Updated on 16 May 2020

VMware released updated versions for vRealize Operations which resolve both vulnerabilities:

  • vROPS Build 16188146
  • vROPS Build 16189281
  • vROPS Build 16187903

VMSA-2020-0009 – Workaround

Knowledge Base article 79031 documents the workaround applicable to Application Remote Collector 7.5.0, 8.0, 8.0.1, and 8.1.0.

After the workaround is applied, the following features will be impacted:

  • Ability to install new agents
  • Ability to uninstall existing agents
  • Add/Edit of Activate/Deactivate a plugin/ICMP/UCP/TCP/Remote Checks/Custom Script
  • Stop/Start Agent
  • Ability to do content upgrade

Log into the Application Remote Collector as root via SSH or console pressing ALT+F1 in a Console to log in.

Run the following command to back up the current iptables rules:

iptables-save > /ucp/iptables.out

Run the following commands to add the iptables rules to block salt docker ports:

iptables -I DOCKER 1 -p tcp –dport 4505 -j DROP
iptables -I DOCKER 1 -p tcp –dport 4506 -j DROP

Repeat steps 1-3 on all Application Remote Collectors.

The workaround is not persistent and will revert to default when Application Remote Collector is restarted. Steps 1-3 will need to be re-applied after a restart.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

Constantin Ghioc

I usually play with vSphere API, Ansible, vRealize Automation, vRealize Orchestrator, and different AWS tools. In my other life I’m a husband and a father, an amateur photographer and a Go enthusiast.

Leave a Reply