This report covers a vulnerability in the VMware ESXi software tracked as CVE-2020-3955. The vulnerability is caused by improper validation of user-supplied input. The flaw affects VMware ESXi versions 6.5 and 6.7; patches are available for both versions.
The vulnerability is located in the Virtual Machine Attribute Viewer, in an unknown code block. The root cause appears to be that the software fails to neutralize HTML and script content in the virtual machine attributes before they are displayed.
The TTPs Used to Exploit the VMware ESXi Vulnerability
A remote attacker can exploit CVE-2020-3955 by injecting malicious code, such as HTML containing a script, into a web page. When a potential victim views the page, the script runs in the security context of the website, targeting the victim's web browser. The goal of the malicious script is to steal the victim's authentication token from the browser cookies.
Once the authentication cookie has been stolen, the bad actor can access the ESXi host with the privileges of the targeted user. The threat actor can then manipulate the ESXi host at will and identify further potential targets.
Using this access to the hypervisor, the bad actor can modify a virtual machine and use it as a platform for lateral movement.
It is also possible that the bad actor could inject an arbitrary HTML file into the website, opening the door to further attacks against other visitors.
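The root cause described above is an attribute value reaching the page as live markup. The example below is added here and is not Avertium's or VMware's code: it shows a rendering routine with the flaw beside a hardened one that escapes HTML metacharacters before the value is displayed, plus a check that a session cookie carries the HttpOnly flag, a general browser-side mitigation that is not discussed in the report. The attribute payload, the table layout and the cookie header are constructed for the example.

```python
import html

# Constructed sample: a VM attribute (for example a "Notes" annotation) that an
# attacker has set to an HTML payload. The value is invented for this example;
# it is not taken from the advisory. A harmless tag is enough to show the point.
MALICIOUS_ATTRIBUTE = '<script>probe()</script>'
BENIGN_ATTRIBUTE = "prod-db-01"


def render_attribute_row_vulnerable(name: str, value: str) -> str:
    """The flawed pattern: the attribute is interpolated straight into markup.

    Whatever the attribute contains becomes part of the page, so a stored
    <script> tag executes in the viewer's browser.
    """
    return f"<tr><td>{name}</td><td>{value}</td></tr>"


def render_attribute_row(name: str, value: str) -> str:
    """Hardened version: neutralise <, >, &, " and ' before display.

    html.escape() turns the payload into inert text; the browser shows the
    literal characters instead of executing a script.
    """
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


def untrusted_markup_survives(rendered: str, untrusted_value: str) -> bool:
    """True if an untrusted value that contains a tag reached the output unescaped.

    Only values with a '<' can introduce markup, so benign text is never
    flagged. Used here to compare the two renderers.
    """
    if "<" not in untrusted_value:
        return False
    return untrusted_value in rendered


def cookie_limits_script_access(set_cookie_header: str) -> bool:
    """True if the Set-Cookie header marks the cookie HttpOnly.

    An HttpOnly cookie cannot be read through document.cookie, which blunts
    the cookie-theft step of the attack chain even if a script does run.
    Assumed example header format; attribute names are matched case-insensitively.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" in attributes


if __name__ == "__main__":
    vulnerable = render_attribute_row_vulnerable("Notes", MALICIOUS_ATTRIBUTE)
    hardened = render_attribute_row("Notes", MALICIOUS_ATTRIBUTE)
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
    print("markup survives (vulnerable):", untrusted_markup_survives(vulnerable, MALICIOUS_ATTRIBUTE))
    print("markup survives (hardened):  ", untrusted_markup_survives(hardened, MALICIOUS_ATTRIBUTE))
    # Constructed cookie headers; the cookie name is a placeholder.
    print("HttpOnly set:", cookie_limits_script_access("session=abc123; Path=/; Secure; HttpOnly"))
    print("HttpOnly set:", cookie_limits_script_access("session=abc123; Path=/; Secure"))
```

Escaping at the point of output is the fix for this class of flaw; the HttpOnly check is a defence-in-depth layer that reduces what a successfully injected script can reach.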
How CVE-2020-3955 Affects You
Exploitation of this VMware ESXi vulnerability could result in unauthorized access to a critical asset within the environment. This may lead to substantial financial damage as the threat actor modifies and controls hosts on the network. Depending on the network setup, the intrusion may also give the bad actor the opportunity to abuse a user account across the wider environment.
What You Can Do
We recommend the following to remediate VMware ESXi vulnerability CVE-2020-3955:
- Apply the patch linked below on any hosts in your environment running VMware ESXi 6.7 or 6.5.
- Consider forwarding ESXi logs to your SIEM over syslog so that suspicious activity can be detected in time.
- Use tools such as CyberArk to restrict access to your VMware resources to specified users only.
Additional Ways to Find Help
- IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/vulnerabilities/180985
- MITRE mapping(s): https://attack.mitre.org/techniques/T1539/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a "top-of-mind" threat and how it ought to be addressed.
This informed analysis is based on the latest data available.