ptresearch/AttackDetection

CVE-2020-3952 proposal


gelim commented

Hi,

You can find an attempt to match exploitation of the VMware vmdir CVE-2020-3952 by checking for an LDAP modify operation on the Administrators built-in group here: https://github.com/gelim/CVE-2020-3952/blob/master/vmware.rules

That may require some more tuning, so I'm writing it here as an FYI without a specific PR.

Cheers,

-- Mathieu
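A worked version of the check gelim describes, added here as an example and not code from the linked rules file or from this project: a minimal BER parser that picks out LDAP ModifyRequest messages whose object DN is the built-in Administrators group and reports the attribute changes. The group DN assumes the default vSphere SSO domain (dc=vsphere,dc=local), and the sample message is constructed, not captured.

```python
from typing import Iterator, Optional, Tuple

# Assumed, not stated in the issue: the built-in group DN under the default vSphere SSO domain.
ADMIN_GROUP_DN = "cn=Administrators,cn=Builtin,dc=vsphere,dc=local"
APP_MODIFY_REQUEST = 0x66  # LDAP ModifyRequest is [APPLICATION 6], constructed
CHANGE_OPS = {0: "add", 1: "delete", 2: "replace"}

def ber_tlv(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each BER TLV in buf; handles short and long-form lengths."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, buf[pos:pos + length]
        pos += length

def ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one TLV; only needed to build the constructed sample message below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

def inspect_ldap_message(msg: bytes) -> Optional[dict]:
    """Return message id, DN and changes if msg is a ModifyRequest on ADMIN_GROUP_DN, else None."""
    outer_tag, body = next(ber_tlv(msg))       # LDAPMessage ::= SEQUENCE { messageID, protocolOp, ... }
    fields = list(ber_tlv(body)) if outer_tag == 0x30 else []
    if len(fields) < 2 or fields[1][0] != APP_MODIFY_REQUEST:
        return None
    obj, changes = list(ber_tlv(fields[1][1]))[:2]   # ModifyRequest ::= { object LDAPDN, changes SEQUENCE OF }
    dn = obj[1].decode("utf-8", "replace")
    if dn.lower() != ADMIN_GROUP_DN.lower():   # DNs compare case-insensitively
        return None
    parsed = []
    for _, change in ber_tlv(changes[1]):      # change ::= { operation ENUMERATED, modification PartialAttribute }
        op, partial = list(ber_tlv(change))[:2]
        attr_type = next(ber_tlv(partial[1]))[1].decode("utf-8", "replace")
        parsed.append((CHANGE_OPS.get(op[1][0], "unknown"), attr_type))
    return {"message_id": int.from_bytes(fields[0][1], "big"), "dn": dn, "changes": parsed}

def build_sample_modify(group_dn: str, member_dn: str, message_id: int = 7) -> bytes:
    """Constructed sample (not a capture): a ModifyRequest adding member_dn to group_dn's 'member'."""
    vals = ber_encode(0x31, ber_encode(0x04, member_dn.encode()))
    partial = ber_encode(0x30, ber_encode(0x04, b"member") + vals)
    change = ber_encode(0x30, ber_encode(0x0A, bytes([0])) + partial)  # operation 0 = add
    modify = ber_encode(APP_MODIFY_REQUEST, ber_encode(0x04, group_dn.encode()) + ber_encode(0x30, change))
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id])) + modify)
```

The check fires on any modify of that group, legitimate administration included, which is the tuning the report mentions.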

Hi @gelim, thanks for your report.
Have you successfully exploited this? If yes, do you have any PCAP file of exploitation? So we could make a signature for both attempt and successful exploitation stages.
I think we are talking about https://github.com/guardicore/vmware_vcenter_cve_2020_3952/blob/master/exploit.py