Important

VMSA-2020-0025
6.3- 7.5
2020-11-18
2020-11-18 (Initial Advisory)
CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002 ,CVE-2020-4003
VMware SD-WAN Orchestrator updates address multiple security vulnerabilities (CVE-2020-3984, CVE-2020-3985, CVE-2020-4000, CVE-2020-4001, CVE-2020-4002 ,CVE-2020-4003)

Share this page on social media

Sign up for Security Advisories

1. Impacted Products

VMware SD-WAN Orchestrator (SD-WAN Orchestrator)

2. Introduction

Multiple vulnerabilities in SD-WAN Orchestrator were privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products. VMware-hosted SD-WAN Orchestrators have been patched for these issues.

3a. SQL injection vulnerability due to improper input validation (CVE-2020-3984)

Description

The SD-WAN Orchestrator does not apply correct input validation which allows for SQL-injection. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.

Resolution

To remediate CVE-2020-3984 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Any
CVE-2020-3984
important
Not affected
N/A
N/A
SD-WAN Orchestrator
3.x
N/A
CVE-2020-3984
important
3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA
None
None
3b. Directory traversal file execution (CVE-2020-4000)

Description

The SD-WAN Orchestrator allows for executing files through directory traversal. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

Known Attack Vectors

An authenticated SD-WAN Orchestrator user is able to traversal directories which may lead to code execution of files.

Resolution

To remediate CVE-2020-4000 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Linux
CVE-2020-4000
moderate
4.0.1
None
None
SD-WAN Orchestrator
3.x
Linux
CVE-2020-4000
moderate
3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA
None
None
3.c Default passwords Pass-the-Hash Attack (CVE-2020-4001

Description

The SD-WAN Orchestrator has default passwords allowing for a Pass-the-Hash Attack. VMware has evaluated the severity of this issue to be in the moderate severity range.

Known Attack Vectors:

SD-WAN Orchestrator ships with default passwords for predefined accounts which may lead to to a Pass-the-Hash attack.
Note: The same salt is used in conjunction with the default password of predefined accounts on freshly installed systems allowing for for Pass-the-Hash-Attacks. That same system could be accessed by an attacker using the default password for the predefined account.

Resolution:

To remediate CVE-2020-4001, change the default passwords of the preconfigured accounts on SD-WAN Orchestrator before production use.

Workarounds:

None

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Ariel Tempelhof of Realmode Labs for reporting this issue to us.

Notes

Note.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Linux
CVE-2020-4001
n/a
moderate
See Resolution section
None
None
SD-WAN Orchestrator
3.x
Linux
CVE-2020-4001
N/A
moderate
See Resolution section
None
None
3.d API endpoint privilege escalation (CVE-2020-3985)

Description:

The SD-WAN Orchestrator allows an access to set arbitrary authorization levels leading to a privilege escalation issue. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may exploit an application weakness and call a vulnerable API to elevate their privileges.

Resolution:

To remediate CVE-2020-3985, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test Analyst at State Farm for reporting this issue to us.

Notes:

None.

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Linux
CVE-2020-3985
important
Not affected.
N/A
N/A
SD-WAN Orchestrator
3.x
Linux
CVE-2020-3985
important
3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA
None
None
3.e Unsafe handling of system parameters (CVE-2020-4002)

Description:

The SD-WAN Orchestrator handles system parameters in an insecure way. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

 

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user with high privileges may be able to execute arbitrary code on the underlying operating system.

 

Resolution:

To remediate CVE-2020-4002, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None

 

Additional Documentation:

None

 

Acknowledgements:

VMware would like to thank Christopher Schneider, Cory Billington and Nicholas Spagnola  - Penetration Test Analysts at State Farm for reporting this issue to us.

 

Notes:
None

 

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Linux
CVE-2020-4002
important
4.0.1
None
None
SD-WAN Orchestrator
3.x
Linux
CVE-2020-4002
important
3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA
None
None
3.f SQL injection Information Disclosure (CVE-2020-4003)

Description:

The SD-WAN Orchestrator was found to be vulnerable to SQL-injection attacks allowing for potential information disclosure. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

 

Known Attack Vectors:

An authenticated SD-WAN Orchestrator user may inject code into SQL queries which may lead to information disclosure.

 

Resolution:

To remediate CVE-2020-4003, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None

 

Additional Documentation:

None

 

Acknowledgements:

VMware would like to thank Christopher Schneider - Penetration Test Analyst at State Farm for reporting this issue to us.

 

Notes:
None

 

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
SD-WAN Orchestrator
4.x
Linux
CVE-2020-4003
moderate
4.0.1
None
None
SD-WAN Orchestrator
3.x
Linux
CVE-2020-4003
moderate
3.3.2 p3 build 3.3.2-GA-20201103, 3.4.4 build R344-20201103-GA
None
None
4. References
5. Change Log

2020-11-18: VMSA-2020-0025
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2020 VMware Inc. All rights reserved.