A critical information disclosure bug discovered in VMware's Directory Service (vmdir) could allow an attacker to lay bare the contents of entire corporate virtual infrastructures. vmdir is part of VMware's vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console, and it is the central component of vCenter single sign-on (SSO).
The critical flaw (CVE-2020-3952) was rated 10 out of 10 on the CVSS v3 severity scale. At issue is poorly implemented access control, according to the advisory, which could allow a malicious actor to bypass authentication mechanisms.
Administrators are encouraged to apply the VMware patches described in KB78543 as soon as possible.
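As an added, defender-side example (not part of the original article or of VMware's own tooling), the script below scans vmdird startup log lines for the access-control-mode marker that the KB78543 remediation guidance points at. The log format, the exact "ACL MODE" wording and the "Legacy" versus "Normal" values are assumptions based on the editor's recollection of that vendor guidance, and the sample log lines are constructed, so verify the marker against the KB article before relying on this on a real appliance.

```python
"""Triage helper: flag vCenter appliances whose vmdird still runs in legacy ACL mode.

Assumption: vmdird writes an "ACL MODE: <Legacy|Normal>" line at startup, as
described in VMware KB78543 (recalled by the editor, not taken from this page).
"""
import re
from typing import Iterable, Optional

# Marker vmdird is assumed to emit at startup; "Legacy" indicates the
# access-control behaviour that CVE-2020-3952 affects.
ACL_MODE_RE = re.compile(r"ACL MODE:\s*(?P<mode>\w+)")

# Constructed sample log excerpt (not captured from a real appliance).
SAMPLE_LOG = """\
2020-04-10T12:00:01.000Z vmdird t@139 ... Startup: vmdird
2020-04-10T12:00:01.500Z vmdird t@139 ... ACL MODE: Legacy
2020-04-10T12:00:02.000Z vmdird t@139 ... Listening on port 389
"""


def last_acl_mode(lines: Iterable[str]) -> Optional[str]:
    """Return the most recently logged ACL mode, or None if no marker is present.

    A rotated log may contain several startups (restarts, upgrades); the last
    marker reflects the mode the service is currently running in.
    """
    mode = None
    for line in lines:
        match = ACL_MODE_RE.search(line)
        if match:
            mode = match.group("mode")
    return mode


def assess(lines: Iterable[str]) -> str:
    """Classify an appliance from its vmdird log lines.

    'exposed'     -> legacy ACL mode seen, patch per KB78543 is urgent
    'not-exposed' -> a non-legacy mode was logged
    'unknown'     -> no marker found; check the log path or service state
    """
    mode = last_acl_mode(lines)
    if mode is None:
        return "unknown"
    return "exposed" if mode.lower() == "legacy" else "not-exposed"


if __name__ == "__main__":
    # Run against the constructed sample; on an appliance feed it the real
    # vmdird log contents instead.
    print(assess(SAMPLE_LOG.splitlines()))
```

The classification deliberately treats a missing marker as "unknown" rather than "not-exposed": absence of evidence in a truncated or rotated log should trigger a manual check, not a clean bill of health.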