Newly Released STIG Validates VMware NSX Meets the Security Hardening Guidance Required for Installment on Department of Defense (DoD) Networks

As the first software-defined networking solution with a published STIG, VMware NSX meets the security hardening guidance required for installment on Department of Defense (DoD) networks. The VMware NSX STIG provides the technical security policies, requirements, and implementation details for applying security concepts to NSX. Agencies within the DoD and other Federal Agencies can now deploy NSX with the STIG guidelines to bring IT agility and security to the data center to help save both time and money.

For more details, see the company press release:

http://www.vmware.com/company/news/releases/vmw-newsfeed.Newly-Released-STIG-Validates-VMware-NSX-Meets-the-Security-Hardening-Guidance-Required-for-Installment-on-Department-of-Defense-%28DoD%29-Networks.2093065.html

VMSA-2016-0014

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0014, which documents several critical and important severity issues in VMware Workstation and VMware Tools. Below are some more detailed explanations of these issues.

Issues a. and b. are very similar – they are both rated critical, the outcome of exploitation is the same, and they both have a viable workaround. We have reserved CVE-2016-7081, CVE-2016-7082, CVE-2016-7083, and CVE-2016-7084 for these issues. In summary, a Windows-based virtual machine can execute arbitrary code in the VMware Workstation hypervisor it is running on, so long as Workstation is also running on Windows. Virtual printing must be enabled for exploitation to be possible, and although VMware Workstation for Windows ships with virtual printing disabled by default, we understand that this is a popular feature that many of our customers use. Thanks to Mateusz Jurczyk, working with Google’s Project Zero, who reported the majority of these issues. In addition, we would like to thank the development teams at Cortado for providing fixes for these issues in such a short amount of time.

Issue c. is a privilege escalation by way of two separate NULL pointer dereferences that we have rated as important. We have reserved CVE-2016-7079 and CVE-2016-7080 for these issues. We want to point out that while we list ESXi and Fusion as relevant products, this is only because many of our customers prefer to deploy updated VMware Tools via the hypervisor rather than downloading the standalone version we have made available. Also, please note that this issue only affects Apple OSX-based virtual machines, which are only supported in ESXi and Fusion, and that you do not necessarily need to update your hypervisor to resolve these issues – just updating VMware Tools in the OSX guest is sufficient. Thanks to Dr. Fabien Duchene “FuzzDragon” and Jian Zhu, who independently reported these issues to us.

Issues d. and e. are similar in severity (both are rated as important) and in the outcome of exploitation. We reserved CVE-2016-7085 and CVE-2016-7086 for these issues. Issue d. is a DLL hijack, which is typically used by attackers to persist on a compromised machine after some kind of exploitation has already occurred; however, it can also be used in conjunction with social engineering and/or phishing techniques as an initial means of exploitation. Issue e. has the same attack vectors, but is only exploitable at the time VMware Workstation is installed on a Windows-based OS. Stefan Kanthak, Anand Bhat, and Himanshu Mehta independently reported the DLL hijack to us, while Adam Bridge reported the .exe loading issue. Thanks to all!

As always, please drop us a line at security@vmware.com if you have any questions or comments.

VMSA-2016-0013

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0013, which documents a local privilege escalation in vRealize Automation (vRA) and VMware Identity Manager (vIDM) as well as a remote code execution in vRA.

We thought we should go a little more in depth about the vulnerabilities themselves to better explain how they may impact your environment.

The local privilege escalation identified by CVE-2016-5335 affects both vIDM 2.x and vRA 7.x. Because this is a privilege escalation, an attacker will need to already have access to a local low-privileged account on the appliance for exploitation to be possible.

The vRA remote code execution identified by CVE-2016-5336 allows for the compromise of a low-privileged account via port 40002. This issue only affects vRA 7.0.x as the vulnerable service was introduced in 7.0. Successful exploitation has limited gains as the service account was designed to use minimal privileges. This is why the issue has been classified as important and not critical.

We want to stress that while both of these issues fall in the important severity range (please see our response policies for more information), when chained together they present the opportunity for a complete compromise of a vRA 7.0.x appliance. We strongly recommend updating to vRA 7.1 as soon as possible. Customers that cannot upgrade vRA immediately can implement the workaround documented in KB2146585 and/or limit access to port 40002 via an external firewall as a mitigation.

On a separate note, we also updated VMSA-2015-0009.4 since we learned that the vRealize Operations appliance before version 6.2 is affected by CVE-2015-6934.

As always, please drop us a line at security@vmware.com if you have any questions or comments.

New VMware Security Advisory VMSA-2016-0012 and Updated Advisory

Today VMware has released the following new and updated security advisories:
New: VMSA-2016-0012
Updated: VMSA-2016-0007.1

The new advisory documents the leftover public SSH key that was used during the development process of VMware Photon OS OVAs 1.0, CVE-2016-5333.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA Improvements

Greetings from the VMware Security Response Center!

We’ve made some minor improvements in our latest VMSA based on community feedback and I thought we should share what these changes are and why we’ve made them.

Added an overall severity to the advisory itself in the header section

This is to better inform you, the customer, of the severity level of the VMSA as a whole. The severity level in this field will always be equal to the highest severity of any individual vulnerability mentioned in the VMSA. For details on our severity classifications, please see our VMware Security Response Policy.

Overhauled the ‘Relevant Releases’ section

We have renamed this section ‘Relevant Products’ and simplified it. Previously we would attempt to enumerate all releases of affected products and list them. We have found this section to be somewhat confusing for our customers. The idea of this section was to provide you with a quick reference to determine if the advisory was applicable to your environment. We have further simplified this to simply list product lines rather than versions. If you have a product from this list in your environment, you should definitely read the rest of the advisory.

Added a severity column to the section “3. Problem Description” tables

It is commonplace that a single vulnerability may affect our different products in various ways. This column will allow us to better describe the severity of an issue as it relates to a specific product.

Added a workaround column to the section “3. Problem Description” tables

This column will be used to point to knowledge base articles which describe workarounds that you can perform immediately to mitigate or remove the possibility of exploitation that the vulnerability presents. Please note, we always recommend upgrading to the product versions listed in the table, but we also understand this may take time from a practical standpoint. There will not always be a workaround for every issue, but we will provide them whenever they are possible and functionally feasible.

So those are the improvements we have added to the VMSA. We will not be updating previous VMSAs with this information, but these will persist in all future VMSAs. We hope this will help to simplify and clarify the issues we disclose in these advisories.

Please drop us a line at security@vmware.com if you have any questions, comments, or suggestions.
————————
Edward Hawkins
Senior Program Manager
VMware Security Response Center
security@vmware.com

New VMware Security Advisory VMSA-2016-0010

Today VMware has released the following new security advisory:

VMSA-2016-0010 – VMware product updates address multiple important security issues

This addresses a DLL hijacking issue in Windows-based VMware Tools “Shared Folders” (HGFS) feature (CVE-2016-5330) and an HTTP Header injection issue in vCenter Server and ESXi (CVE-2016-5331).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMware releases OVAL content editor open source project

Hello Everyone,

Today, VMware is releasing an open source OVAL content editor project that is compliant with the SCAP 1.3 draft spec. A couple of months back, VMware released an SCAP compliance assessment and remediation app for FREE. The security and compliance community loved it and came back to us asking for an easier and simpler way to write OVAL assessment rules and generate XCCDF from them instead of handcrafting the XML. We listened and responded!

New VMware Security Advisory VMSA-2016-0009 and Updated Advisories

Today, VMware has released the following new and updated security advisories:
New: VMSA-2016-0009
Updated: VMSA-2015-0007.6, VMSA-2015-0009.3, VMSA-2016-0005.4

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2015-6931. The issue is present on the server side in vCenter Server running on Windows and in vCenter Server Appliance.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisories VMSA-2016-0007 and VMSA-2016-0008

Today VMware has released the following new security advisories:

VMSA-2016-0007 – VMware NSX and vCNS product updates address a critical information disclosure vulnerability.
VMSA-2016-0008 – VMware vRealize Log Insight addresses important and moderate security issues.

The information disclosure issue (CVE-2016-2079) may allow a remote attacker to gain access to sensitive information on VMware NSX and vCNS with SSL-VPN enabled. By exploiting the stored cross-site scripting issue (CVE-2016-2081) and the cross-site request forgery issue (CVE-2016-2082) in VMware vRealize Log Insight, an attacker can hijack an authenticated user’s session and may also replace trusted content in the Log Insight UI without the user’s authorization.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

New VMware Security Advisory VMSA-2016-0006 and Updated Advisories

Today VMware has released the following new and updated security advisories:
New: VMSA-2016-0006
Updated: VMSA-2015-0007.5, VMSA-2016-0005.1

The new advisory addresses an important cross-site scripting issue in the vSphere Web Client, CVE-2016-2078. The issue is present on the server side when vCenter Server is running on Windows.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.