Author Archives: Edward Hawkins

VMSA-2018-0002 and VMSA-2018-0004

Update 01/10/18: VMSA-2018-0004 has been released detailing Hypervisor-Assisted Guest Mitigation fixes. An explanation of the different types of mitigations being provided by VMware can be found in KB52245. Please note that if you have applied the patches listed in VMSA-2018-0004 you do not need the patches listed in VMSA-2018-0002.

Update 01/04/18: OS vendors have begun issuing patches that address CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 for their operating systems. For these patches to be fully functional in a guest OS additional ESXi and vCenter Server updates will be required. These updates are being given the highest priority. Please sign up to the Security-Announce mailing list to be alerted when these updates are available.

Today VMware has released the following new security advisory:

VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

This advisory documents remediation for known variants of the Bounds-Check Bypass (CVE-2017-5753) and Branch Target Injection (CVE-2017-5715) issues due to speculative execution disclosed today by Google Project Zero. These issues may result in information disclosure from one Virtual Machine to another Virtual Machine that is running on the same host.

A third issue due to speculative execution, Rogue Data Cache Load (CVE-2017-5754), was disclosed alongside the other two issues. It does not affect ESXi, Workstation, or Fusion because ESXi does not run untrusted user-mode code, and Workstation and Fusion rely on the protection that the underlying operating system provides.

The remediation documented in VMSA-2018-0002 has been present in VMware Cloud on AWS since early December 2017.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.

VMSA-2018-0001

New VMware Security Advisory VMSA-2018-0001

On January 2nd 2018 VMware released the following new security advisory:

VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This advisory documents several critical severity issues affecting VDP.

Issue (a) is an authentication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary, maliciously crafted files to any location on the server file system.

Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

These issues have been addressed in VDP 6.1.6 and 6.0.7.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2017-0020

Today VMware has released the following new security advisory:

VMSA-2017-0020: VMware AirWatch Console updates address Broken Access Control vulnerability.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to Airwatch Support.

VMSA-2017-0016

Today VMware has released the following new security advisory:

VMSA-2017-0016: VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisories and direct any questions to VMware Support.

VMSA-2017-0004.4

Update 3/17/17: Several revisions of the advisory have been released which provide more workarounds and fixes for our products including DaaS and vROps. Please see the changelog in section 6. for details.

Update 3/14/17: Do not apply the workaround previously provided for vCenter 6.5 as it has been shown to have functional impacts in customer environments. VMSA-2017-0004 will be updated if a viable workaround is confirmed. We have not received reports of problems with the 6.0 workaround.

Greetings from the VMware Security Response Center!

By now I am sure you have all heard about the Apache Struts 2 remote code execution vulnerability identified by CVE-2017-5638 which was disclosed last week. If you haven’t, welcome! You can find the original advisory from Apache here to get yourself caught up. In response, the VMware Security Engineering, Communications, and Response group (vSECR) immediately began investigations into the vulnerability and how it may affect our products. The outcome of these investigations can be found in VMSA-2017-0004.

The product teams are working on getting fixes published as soon as possible. For now, the advisory documents available workarounds that concerned customers can implement today. We also want to clarify that products not listed in this advisory are not affected by CVE-2017-5638. VMSA-2017-0004 will be updated when fixes become available for the listed products.

Please sign up to be notified when the VMSA gets updated with fixes and workarounds here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions about the advisory.

VMSA-2016-0023 and VMSA-2016-0024

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0023 and VMSA-2016-0024.

VMSA-2016-0023 – VMware ESXi updates address a cross-site scripting issue

These updates address a stored cross-site scripting vulnerability (CVE-2016-7463) in the ESXi Host Client, which we have rated as an Important severity issue. The issue can be introduced by an attacker who has permission to manage virtual machines through the ESXi Host Client, or by tricking the vSphere administrator into importing a specially crafted VM.

Just to clarify, no action is required from organizations who are using ESXi 6.5. Those who are on ESXi 6.0 or 5.5 will need to install the ESXi patches listed in VMSA-2016-0023 to resolve this issue.

In addition to our supported ESXi releases, we also have an ESXi Host Client fling available. Even though flings fall under the Technical Preview License and are not meant to be used in a production environment, we have provided a fix for this issue in 1.13.0.

Caleb Watt (@calebwatt15) reported this issue to us – great find Caleb!

VMSA-2016-0024 – vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue

This vulnerability (CVE-2016-7456) is resolved by applying the script found in KB2147069. We have investigated possible workarounds for the issue, such as disabling SSH, but unfortunately they are not feasible. Because an attacker would need to be able to reach port 22 on the VDP appliance to take advantage of the vulnerability, limiting access to this port via perimeter and internal security measures can help to mitigate the issue. However, due to the issue’s Critical severity, it is strongly advised that customers using VDP apply the fix for this issue immediately.

Marc Ströbel (aka phroxvs) from HvS-Consulting tipped us off to this issue – thanks Marc!

Please sign up to be notified when new and updated VMSAs are published here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on these vulnerabilities or advisories.

VMSA-2016-0021 and VMSA-2016-0022

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0021, which documents a Moderate severity issue in VMware Identity Manager (vIDM) tracked by CVE-2016-5334.

This issue is similar to a directory traversal (def: OWASP), but based on our analysis the only data you can access are files in the /SAAS/WEB-INF and /SAAS/META-INF directories. While these directories have not been found to contain sensitive data, reading them directly is unintended and warranted a fix.

In addition, we would like to clarify that vRealize Automation (vRA) is also called out in this advisory because it consumes vIDM as an RPM and required a fix as well.

We also published VMSA-2016-0022, which documents several issues. While most of the items are straightforward, we would like to clarify the following from issue a:

1. vSphere 6.5 does not ship with a vSphere Client (a.k.a. the C# or ‘Thick’ Client).
2. To be safe, we recommend first removing and then reinstalling a fixed version of the vSphere Client.
3. Knowledge Base Article 2089791 is a great resource for directly downloading fixed versions of the vSphere Client.

We have classified the severity of the issues as either ‘Important’ or ‘Moderate’ in accordance with our Security Response Policy.

We also updated VMSA-2016-0005.5 and VMSA-2016-0018.3. Please see section ‘6. Change Log’ in the advisories for details.

Please sign up to be notified when new and updated VMSAs are released here.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on these vulnerabilities or advisories.

VMSA-2016-0018

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0018, which documents products affected by CVE-2016-5195, also known as the ‘Dirty COW’ vulnerability. In addition, we have also released Knowledge Base Article 2147515, which documents unaffected products.

There are a few points I’d like to make about our evaluation of this issue and its effect on our products.

We have classified the severity of this issue as ‘Important’ in accordance with our Security Response Policy.

There are two requirements that must be met for a product to be considered affected by CVE-2016-5195:

  1. The product must ship with a vulnerable Linux kernel.
  2. There must be a valid attack vector that can be used to exploit the vulnerability.

During our evaluations we found that VMware appliances do indeed ship with a vulnerable Linux kernel and so meet requirement 1. However, only a select few of these appliances meet requirement 2 and are therefore considered affected. These affected products, as well as remediation information, are documented in VMSA-2016-0018, which will be updated as more fixes become available.

Also, we understand that various automated vulnerability scanners will most likely flag products we have listed as unaffected in KB 2147515 as affected. We want to make it clear that while these products are not affected, we will still be rolling out kernel updates for them in maintenance releases as a precautionary measure.

Please sign up to be notified when new and updated VMSAs are released (see the right-hand side of this page), as we will be updating VMSA-2016-0018 over the next few weeks.

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on the vulnerability or advisory.

VMSA-2016-0016

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0016, which documents CVE-2016-7457, a Critical severity issue in vRealize Operations (vROps).

Due to the severity of this issue we have released emergency patches for the latest supported versions of the product. Generally speaking, privilege escalations would fall into the Important severity category, but because there is also the possibility that an attacker could stop and delete VMs unrelated to vROps, we rated this issue as Critical. In addition, the fix is scheduled to be rolled into the next release of vROps.

Thanks to Edgar Carvalho for reporting this issue to us. Edgar runs a blog over at http://vman.ch. Great find!

That’s it for now.

Drop us a line at security@vmware.com if you have any questions on the vulnerability or advisory.

VMware Security Advisory VMSA-2016-0015

Greetings from the VMware Security Response Center!

Today we released VMSA-2016-0015, which documents an Important severity issue in VMware Horizon View.

During internal discussions, the most common question I have been asked about CVE-2016-7087 is why the issue has been classified as Important rather than Critical. The reason is that, after thorough investigation, it was determined that the information that can be retrieved from the server does not appear to be particularly sensitive. That being said, this is still unintended behavior of our product, and so we strongly recommend updating to the fixed versions listed in our VMSA.

We also wanted to mention Mike Arnold (Bruk0ut) working with Trend Micro’s Zero Day Initiative for responsibly disclosing this issue to us. Thanks Mike!

That’s it for this week. Stay tuned.

Drop us a line at security@vmware.com if you have any questions.