VMware has disclosed multiple security bugs in its software product vRealize Operations for Horizon Adapter. VMware has released fixes for the vulnerabilities and urges users to update their devices.
Bugs In vRealize Operations for Horizon Adapter
Reportedly, VMware revealed the existence of multiple bugs in its vRealize Operations for Horizon Adapter. vRealize Operations is a dedicated tool facilitating operation management across AWS, Hyper-V, and vSphere-based virtual, physical, and cloud environments. Horizon Adapter instances, in turn, let users communicate with Horizon agents installed on virtual machines.
As elaborated in their advisory, there were three different vulnerabilities in the said software. The vulnerabilities are exploitable when the Horizon Adapter is running on the system.
One of these bugs, CVE-2020-3943, received a critical severity rating with a CVSS v3 score of 9.0. It stems from an insecure configuration of the JMX RMI service. Exploiting this bug could allow an attacker to execute arbitrary code by remotely accessing the vRealize Operations network.
The second vulnerability, CVE-2020-3944, was due to improper trust store configuration. Consequently, anyone with network access to vRealize Operations could bypass adapter authentication and access sensitive data. This bug received an important severity rating with a CVSS v3 score of 8.6.
Likewise, the third vulnerability, CVE-2020-3945, could lead to information disclosure due to incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. It attained a moderate severity rating with a CVSS v3 score of 5.3.
Apart from this information, VMware has shared no technical details about the exploitation of the vulnerabilities.
VMware Released Fixes
The three security bugs caught the attention of security researcher An Trinh from Viettel Cyber Security, who then reported the flaws to VMware. Consequently, the vendor patched the bugs with updated software versions.
Specifically, the vulnerabilities affected the vRealize Operations for Horizon Adapter versions 6.6.x and 6.7.x. Hence, VMware released the patches with versions 6.6.1 and 6.7.1, respectively.
Users must ensure that their devices are running the latest patched versions to avoid these issues.