CVE-2020-4003 VMware SD-WAN Orchestrator (SQL Injection)
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.
A SQL Injection vulnerability was disclosed in VMware’s SD-WAN Orchestrator. At a minimum, SQL Injection attacks allow for potential information disclosure, and a cleverly crafted attack could cause web shells to be dropped on the victim. This could allow for remote code execution on the victim with the privileges of the user on the host machine.
The CVSS Base score of this vulnerability has not yet been assigned by NVD. VMware has self-assessed this vulnerability at Medium 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
SD-WAN Orchestrator v3.x and 4.x are affected by this vulnerability. The vulnerability has been fixed in versions 4.0.1, 3.3.2 p3 build 3.3.2-GA-20201103, and 3.4.4 build R344-20201103-GA.
This vulnerability was disclosed by Christopher Schneider - Penetration Test Analyst at State Farm.
VMware’s SD-WAN Orchestrator provides centralized, enterprise-wide installation, configuration, and real-time monitoring, in addition to orchestrating the data flow through the cloud network. The SD-WAN Orchestrator presents a web-based user interface, where users can configure and manage the following:
Gateways and Gateway Pools
Orchestrator Authentication Modes
An attacker can use cleverly crafted SQL verbs to cause a range of damage, from disclosure of confidential information to dropping tables in the database to planting a web shell on the victim.
Depending on the privileges associated with VMware SD-WAN Orchestrator processes, an attacker could then install programs, view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. No public exploit is available currently.
Virsec Security Platform (VSP) Support
Based on the description provided, VSP-Web, part of the Virsec Security Platform (VSP), can protect against this SQL Injection vulnerability.