Updated on 16 May 2020 with fixed versions of vRealize Operations.
VMware has released a new security advisory VMSA-2020-0009: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities.
Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which is used by VMware vRealize Operations Manager. This advisory documents the remediation of one critical and one important issue. The Application Remote Collector (ARC), introduced with vRealize Operations Manager 7.5, uses Salt and is therefore exposed to both vulnerabilities: one authentication bypass and one directory traversal.
The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-11651 to the authentication bypass vulnerability and CVE-2020-11652 to the directory traversal.
A malicious actor with network access to port 4505 or 4506 on the ARC may take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. For the second vulnerability, a malicious actor with network access to port 4505 or 4506 on the ARC may access the entirety of the ARC filesystem.
VMSA-2020-0009 – Affected Products and Resolutions
Affected vRealize Operations Manager versions and resolutions:
- vROPS 7.0.0 – unaffected
- vROPS 7.5.0 – affected, update available, workaround available
- vROPS 8.0.x – affected, update available, workaround available
- vROPS 8.1.0 – affected, update available, workaround available
VMSA-2020-0009 – Fixed Versions
Updated on 16 May 2020
VMware released updated versions for vRealize Operations which resolve both vulnerabilities:
- vROPS 7.5.0.38179 Build 16188146
- vROPS 8.0.1.38184 Build 16189281
- vROPS 8.1.0.38178 Build 16187903
VMSA-2020-0009 – Workaround
Knowledge Base article 79031 documents the workaround applicable to Application Remote Collector 7.5.0, 8.0, 8.0.1, and 8.1.0.
After the workaround is applied, the following features will be impacted:
- Ability to install new agents
- Ability to uninstall existing agents
- Add/Edit or Activate/Deactivate a plugin/ICMP/UDP/TCP/Remote Checks/Custom Script
- Stop/Start Agent
- Ability to do content upgrade
1. Log into the Application Remote Collector as root via SSH or the console (press ALT+F1 in the console to log in).
2. Run the following command to back up the current iptables rules:
    iptables-save > /ucp/iptables.out
3. Run the following commands to add the iptables rules that block the Salt Docker ports:
    iptables -I DOCKER 1 -p tcp --dport 4505 -j DROP
    iptables -I DOCKER 1 -p tcp --dport 4506 -j DROP
4. Repeat steps 1-3 on all Application Remote Collectors.
The workaround is not persistent and will revert to default when the Application Remote Collector is restarted. Steps 1-3 will need to be re-applied after a restart.
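Because the rules disappear on restart, it helps to verify that they are still in place. The script below is an added example, not part of KB 79031 or VMware's tooling: it parses `iptables -S DOCKER` output and reports any Salt port that is not covered by an unconditional block rule ahead of Docker's own ACCEPT rules. The function name, the `--check`/`--fix` switches and the sample rule text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the KB): check that the port-blocking workaround is
# still in effect, since the rules are lost when the ARC restarts.
SALT_PORTS="4505 4506"

# Constructed sample of `iptables -S DOCKER` after a restart (addresses made up).
SAMPLE_AFTER_RESTART='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4505 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 4506 -j ACCEPT'

# Reads `iptables -S DOCKER` output on stdin and prints every Salt port whose
# first deciding rule is not an unconditional DROP/REJECT. Conservative: a
# block rule narrowed by -s/-d/-i/-o does not count as covering the port.
# Limitation: --dports lists and port ranges are not parsed.
unblocked_salt_ports() {
    awk -v ports="$SALT_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "-A" {
        proto = ""; port = ""; target = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s" || $i == "-d" || $i == "-i" || $i == "-o") narrowed = 1
        }
        if (proto != "" && proto != "tcp") next
        blocks = (target == "DROP" || target == "REJECT")
        decides = (blocks || target == "ACCEPT" || target == "RETURN")
        for (k = 1; k <= n; k++) {
            p = want[k]
            if ((p in verdict) || (port != "" && port != p)) continue
            if (blocks && narrowed) continue   # partial block, keep looking
            if (decides) verdict[p] = blocks ? "blocked" : "open"
        }
    }
    END { for (k = 1; k <= n; k++) if (verdict[want[k]] != "blocked") print want[k] }'
}

# --check lists exposed ports; --fix re-inserts the DROP rules from the steps above.
case "${1:-}" in
    --check) iptables -S DOCKER | unblocked_salt_ports ;;
    --fix)   for p in $(iptables -S DOCKER | unblocked_salt_ports); do
                 iptables -I DOCKER 1 -p tcp --dport "$p" -j DROP
             done ;;
esac
```

Run with `--check` as root on each ARC after a restart; empty output means both ports are blocked.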
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.