
Monthly Archives: August 2016

VMSA-2016-0013

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0013, which documents a local privilege escalation in vRealize Automation (vRA) and VMware Identity Manager (vIDM), as well as a remote code execution vulnerability in vRA.

We thought we should go a little more in depth about the vulnerabilities themselves to better explain how they may impact your environment.

The local privilege escalation, identified by CVE-2016-5335, affects both vIDM 2.x and vRA 7.x. Because this is a privilege escalation, an attacker will need to already have access to a local low-privileged account on the appliance for exploitation to be possible.

The vRA remote code execution, identified by CVE-2016-5336, allows an attacker to compromise a low-privileged account via port 40002. This issue only affects vRA 7.0.x, as the vulnerable service was introduced in 7.0. On its own, successful exploitation has limited gains, because the service account was designed to use minimal privileges. This is why the issue has been classified as important rather than critical.

We want to stress that while both of these issues fall in the important severity range (please see our response policies for more information), when chained together they present the opportunity for a complete compromise of a vRA 7.0.x appliance: CVE-2016-5336 gives a remote attacker code execution as a low-privileged account, and CVE-2016-5335 then lets that account escalate its privileges on the appliance. We strongly recommend updating to vRA 7.1 as soon as possible. Customers that cannot upgrade vRA immediately can implement the workaround documented in KB2146585 and/or limit access to port 40002 with an external firewall as a mitigation.
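As an added example (not code from the advisory or from KB2146585), the following shell functions show the shape of an external-firewall rule set that confines TCP 40002 to a management network, plus a connectivity probe you can run from a segment that should not be able to reach the service. The management CIDR 10.10.0.0/24 and the appliance address 192.0.2.10 are placeholders; the rule generator only prints the iptables commands, which you would apply on the firewall host in front of the vRA 7.0.x appliance.

```shell
#!/usr/bin/env bash
# Added example, not VMware's code. 10.10.0.0/24 and 192.0.2.10 below are
# placeholder values for a management network and a vRA 7.0.x appliance.

# Return 0 if a TCP connection to host:port opens within 3 seconds, else 1.
# Uses bash's /dev/tcp so the probe needs neither nmap nor nc on the host.
port_reachable() {
  local host="$1" port="$2"
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Print FORWARD-chain iptables rules for an external Linux firewall in front
# of the appliance: only the management CIDR may reach TCP 40002, and any
# other source is dropped. Other traffic is left to the existing policy.
# $1 = management CIDR, $2 = appliance IP (both assumed values).
vra_40002_rules() {
  local mgmt_cidr="$1" vra_ip="$2"
  printf 'iptables -A FORWARD -p tcp -d %s --dport 40002 -s %s -j ACCEPT\n' "$vra_ip" "$mgmt_cidr"
  printf 'iptables -A FORWARD -p tcp -d %s --dport 40002 -j DROP\n' "$vra_ip"
}

# Probe port 40002 on each host from the current vantage point. Run it from a
# network that should NOT reach the service; returns 1 if any host answers.
check_exposure() {
  local rc=0 h
  for h in "$@"; do
    if port_reachable "$h" 40002; then
      echo "EXPOSED  $h:40002 accepts connections from this host"
      rc=1
    else
      echo "filtered $h:40002"
    fi
  done
  return "$rc"
}

# Stand-alone usage: print the rules for the placeholder values, then probe
# the placeholder appliance address.
vra_40002_rules 10.10.0.0/24 192.0.2.10
check_exposure 192.0.2.10 || echo "at least one host still exposes 40002"
```

The probe tells you only whether the port answers from where you ran it, so repeat it from each untrusted segment; the firewall rules are a mitigation for the remote issue and do not address CVE-2016-5335, which still needs the vRA 7.1 update.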

On a separate note, we also updated VMSA-2015-0009.4, since we learned that the vRealize Operations appliance before version 6.2 is affected by CVE-2015-6934.

As always please drop us a line at security@vmware.com if you have any questions or comments.

New VMware Security Advisory VMSA-2016-0012 and Updated Advisory

Today VMware has released the following new and updated security advisories:
New: VMSA-2016-0012
Updated: VMSA-2016-0007.1

The new advisory documents a public SSH key left over from the development process in the VMware Photon OS 1.0 OVAs, CVE-2016-5333.
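As an added check (example code, not from the advisory or from the Photon OS project), the following shell function audits every authorized_keys file under a given root directory and reports any entry whose key blob is not on an allow-list. It assumes the leftover key would have been installed as an SSH authorized key, which the advisory does not state; the file locations and the one-blob-per-line allow-list format are the example's own choices. Because the root is a parameter, it can be pointed at a mounted appliance disk as well as at a running system.

```shell
#!/usr/bin/env bash
# Added example, not VMware's code. Walks ROOT/root/.ssh and ROOT/home/*/.ssh
# (default ROOT is /), so it also works on a mounted appliance disk image.

# audit_authorized_keys ROOT ALLOWLIST
#   ALLOWLIST holds one key blob (the base64 field) per line. Prints one line
#   per key found and returns 1 if any key is missing from the allow-list.
audit_authorized_keys() {
  local root="${1:-/}" allow="${2:-/dev/null}" found=0 f line ktype blob comment
  for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in ''|'#'*) continue ;; esac
      # An entry may start with options (from=, command=, ...); skip tokens
      # until the key-type field, then take the blob and any trailing comment.
      set -f; set -- $line; set +f
      while [ $# -gt 0 ]; do
        case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
        shift
      done
      [ $# -ge 2 ] || continue
      ktype="$1"; blob="$2"; shift 2; comment="$*"
      if grep -qxF -- "$blob" "$allow"; then
        printf 'allowed    %s %s %s\n' "$f" "$ktype" "$comment"
      else
        printf 'UNEXPECTED %s %s %s\n' "$f" "$ktype" "$comment"
        found=1
      fi
    done < "$f"
  done
  return "$found"
}

# Stand-alone usage: ./audit.sh /mnt/photon-root /etc/ssh/allowed_key_blobs
# (placeholder paths). With no arguments only the function is defined.
if [ $# -ge 1 ]; then
  audit_authorized_keys "$1" "${2:-/dev/null}"
  exit $?
fi
```

Matching on the blob rather than on the comment matters because the comment field is free text and is the first thing anyone would change; a key you did not provision should be removed from the file, and the appliance should be rebuilt from a fixed OVA.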

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA Improvements

Greetings from the VMware Security Response Center!

We’ve made some minor improvements in our latest VMSA based on community feedback, and I thought we should share what these changes are and why we’ve made them.

Added an overall severity to the advisory itself in the header section

This is to better inform you, the customer, of the severity level of the VMSA as a whole. The severity level in this field will always be equal to the highest severity of any individual vulnerability mentioned in the VMSA. For details on our severity classifications, please see our VMware Security Response Policy.

Overhauled the ‘Relevant Releases’ section

We have renamed this section ‘Relevant Products’ and simplified it. Previously we attempted to enumerate and list every release of each affected product, which customers found confusing. The purpose of this section is to give you a quick reference for deciding whether the advisory applies to your environment, so it now lists product lines rather than versions. If a product from this list is in your environment, you should read the rest of the advisory.

Added a severity column to the section “3. Problem Description” tables

It is common for a single vulnerability to affect our different products in different ways. This column lets us describe the severity of an issue as it applies to a specific product.

Added a workaround column to the section “3. Problem Description” tables

This column will point to knowledge base articles describing workarounds that you can apply immediately to mitigate or remove the possibility of exploitation. Please note that we always recommend upgrading to the product versions listed in the table, but we understand this may take time in practice. There will not always be a workaround for every issue, but we will provide one whenever it is possible and functionally feasible.

So those are the improvements we have added to the VMSA. We will not be updating previous VMSAs with this information, but these changes will persist in all future VMSAs. We hope this will help to simplify and clarify the issues we disclose in these advisories.

Please, drop us a line at security@vmware.com if you have any questions, comments, or suggestions.
————————
Edward Hawkins
Senior Program Manager
VMware Security Response Center
security@vmware.com

New VMware Security Advisory VMSA-2016-0010

Today VMware has released the following new security advisory:

VMSA-2016-0010 – VMware product updates address multiple important security issues

This advisory addresses a DLL hijacking issue in the Windows-based VMware Tools “Shared Folders” (HGFS) feature (CVE-2016-5330) and an HTTP header injection issue in vCenter Server and ESXi (CVE-2016-5331).

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.