VMSA-2020-0009: vRealize Operations Authentication Bypass and Directory Traversal Vulnerabilities

Reading time: 2 minutes

I just wanted to provide a quick post to bring attention to the latest VMware Security advisory VMSA-2020-0009. The products affected include:

  • vRealize Operations 7.5.0
  • vRealize Operations 8.0.x
  • vRealize Operations 8.1.0

If you utilize the vRealize Operations Application Remote Collector (ARC) appliance to monitor operating systems or applications via the Telegraf agents, you should immediately implement the workaround documented in VMware KB79031.

While two vulnerabilities were announced, both relating to Salt, an open-source project by SaltStack, the authentication bypass vulnerability (CVE-2020-11651) received a CVSSv3 base score of 10.0. Per the VMware security announcement:

CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to.

At this time, remediation for the vulnerability is not available from VMware. The documented workaround provided in VMware KB79031 blocks network traffic to TCP ports 4505 and 4506. The workaround must be applied to all Application Remote Collector appliances. It’s important to note that the workaround is NOT persistent and must be reapplied after a reboot of the Application Remote Collector appliance. Once the workaround has been applied, existing end-points on which agents have been installed will continue to send metric and service data. However, the following features will no longer function:

  • Ability to install new agents
  • Ability to uninstall existing agents
  • Add/Edit of Activate/Deactivate a plugin/ICMP/UCP/TCP/Remote Checks/Custom Script
  • Stop/Start Agent
  • Ability to do a content upgrade

Please continue to monitor VMSA-2020-0009 as it will be updated when permanent fixes become available.

Update 05-15-2020: Fixes have been released by VMware for all affect versions. Download links can be found in the security advisory as well as below:


See Also


Get Notified of Future Posts

Follow Me

LinkedIn Icon
Twitter/X Icon
Threads Icon
RSS Icon

Recent Posts