Critical

VMSA-2020-0009.1
7.5-10.0
2020-05-08
2020-05-15 (Initial Advisory)
CVE-2020-11651, CVE-2020-11652
vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities (CVE-2020-11651, CVE-2020-11652)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products

vRealize Operations Application Remote Collector (ARC)

2. Introduction

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which have been determined to affect vRealize Operations Application Remote Collector (ARC). Patches and Workarounds are available to address these vulnerabilities in affected VMware products.

3. vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities.

Description

The Application Remote Collector (ARC) introduced with vRealize Operations 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC filesystem.

Resolution

To remediate CVE-2020-11651 and CVE-2020-11652 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below to affected ARC deployments.

Workarounds

Workarounds for CVE-2020-11651 and CVE-2020-11652 have been documented in the VMware Knowledge Base article listed in the "Workarounds" column of the "Response Matrix" below.

Additional Documentation

Patches for CVE-2020-11651 and CVE-2020-11652 must be manually applied directly to affected ARC deployments. Instructions for doing so have been added to KB79031.

Notes

None.

Acknowledgements

None.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Virtual Appliance
Virtual Appliance
CVE-2020-11651, CVE-2020-11652
critical
ARC
8.0.x
Virtual Appliance
CVE-2020-11651, CVE-2020-11652
10.0
critical
ARC
7.5.0
Virtual Appliance
CVE-2020-11651, CVE-2020-11652
critical
4. References

Downloads and Documentation:

Application Remote Collector (ARC) 8.1.0.38178 Build 16187903
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-810&productId=991&rPId=45691
 

Application Remote Collector (ARC) 8.0.1.38184 Build 16189281
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-801&productId=940&rPId=40733
 

Application Remote Collector (ARC) 7.5.0.38179 Build 16188146
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-750&productId=875&rPId=32115

Workarounds:
https://kb.vmware.com/s/article/79031

3rd Party Disclosure:
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652

FIRST CVSSv3 Calculator:
CVE-2020-11651 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-11652 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5. Change Log

2020-05-08 VMSA-2020-0009
Initial security advisory.

2020-05-15 VMSA-2020-0009.1
Added remediation information and clarification that the affected virtual appliance is the vRealize Operations Application Remote Collector (ARC).

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.