VMware Security Advisory VMSA-2018-0003

VMware has released a new security advisory: VMSA-2018-0003 – vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities.

This advisory documents the remediation of three important issues: a privilege escalation vulnerability that affects vRealize Operations for Horizon (V4H) and vRealize Operations for Published Applications (V4PA) agents, an out-of-bounds read issue that occurs via Cortado ThinPrint and affects Workstation and Horizon View Client, and a guest access control vulnerability which affects Workstation and Fusion.

VMSA-2018-0002 Meltdown and Spectre

VMware Security Advisory VMSA-2018-0002 – Meltdown and Spectre Vulnerabilities

Yesterday, Google Project Zero released information about two vulnerabilities that affect major processor vendors: Meltdown (CVE-2017-5754 – rogue data cache load) and Spectre (CVE-2017-5753 – bounds check bypass & CVE-2017-5715 – branch target injection). Among other organizations, VMware released a security advisory: VMSA-2018-0002 – VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution.

How to patch your vCenter / ESXi infrastructure against speculative execution vulnerabilities (Meltdown and Spectre). Products, versions, patches, order of upgrade, dependencies, warnings. VMware Patches for Spectre

Meltdown and Spectre Overview

Meltdown breaks the isolation between user applications and the operating system, and allows an application to access all system memory (this includes kernel-allocated memory). Meltdown affects a range of Intel processors.

Spectre breaks the memory isolation between different applications, and allows an application to force another application to access arbitrary portions of its memory. Spectre affects a wide range of processors: Intel, AMD, and ARM.

“Both of these vulnerabilities are hardware level vulnerabilities that exist because of a flaw in CPU architecture. They are very serious vulnerabilities because they are operating system and software independent. The long term fix for both of these issues will require that CPU makers change the way their chips work, which means redesigning and releasing new chips.” – Defiant

You can find more information on both vulnerabilities on spectreattack.com. For comprehensive technical details, you can refer to these academic papers: Meltdown and Spectre.

2017 Review

2017 – A Year in Review

It’s the first end of year since I started this blog, so I guess it’s review time 🙂 . I will cover the 2017 review in three different areas: I will first check what 2017 meant for this blog, then I will write something on my VMUG activities, and in the end I will go over social media.

2017 Review – CloudHat.eu

I started CloudHat.eu at the beginning of August 2017. Since then, I published 39 articles which attracted close to 5,000 unique visitors.

Most viewed article: Latest vCenter and Latest Chrome = No Love

The articles I had most fun writing: How to Install vSphere HTML5 Web Client Fling and How to Update vSphere HTML5 Web Client Fling

Most visitors received from: blogs.vmware.com

Country with biggest number of visitors: United States of America

Most clicked referral keywords in search engines: vmware vcenter converter standalone 6.2

Most clicked outgoing URL: KB2151945 – Shockwave Flash crashes with vSphere Web Client 6.x

How to Update vCenter Server Appliance to 6.5 Update 1d

VMware recently released vCenter Server 6.5 Update 1d (Build 7312210). You can read more details about this release in my previous article: “New Release – VMware vCenter Server 6.5 Update 1d”. In another article, I showed how to update vCenter Server Appliance using VAMI (vCenter Server Management Interface). The article covers the update to version 6.5 Update 1b, but there is no change in procedure to go to the latest Update 1d.

In this article I will show a different way to update vCenter Server Appliance. I will update vCSA using the appliance shell. This process is as simple as updating through VAMI, but instead of clicking through the user interface, I will execute a few commands in a remote console.

Note: If you are looking for VCSA installation instructions, check this article: How to Install VCSA 6.5 (VMware vCenter Server Appliance).

New Release – VMware vCenter Server 6.5 Update 1d

VMware released vCenter Server 6.5 Update 1d (Build 7312210) to update a few third-party packages and to fix plenty of bugs. This release also brings a new icon for vSAN witness appliances.

You can already download the update from the my.vmware.com site (login is required).

vCenter Server 6.5 Update 1d

Note: If you are looking for VCSA installation instructions, check this article: How to Install VCSA 6.5 (VMware vCenter Server Appliance). If you need update instructions, check these articles: Update vCSA using VAMI and Update vCSA using Appliance Shell.

Issues resolved in vCenter Server 6.5 Update 1d

In vCenter 6.5 Update 1d, VMware updated multiple packages:

  • Oracle (Sun) JRE 1.8.0_141
  • Spring Framework 4.3.9
  • OpenSSL 1.0.2l
  • Tomcat 8.5.15
  • Apache Struts 2.5.13
  • Eclipse Jetty 9.2.22

VMware Security Advisory

VMware Security Advisory VMSA-2017-0021

VMware has released a new security advisory: “VMSA-2017-0021 – VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities”.

Among affected products, we find vCenter Server Appliance 6.5, ESXi (5.5, 6.0, and 6.5), Workstation 12.x, and Fusion 8.x.

VMSA-2017-0021 – ESXi, Workstation, and Fusion stack overflow via authenticated VNC session

CVE-2017-4941 – VMware ESXi, Workstation, and Fusion contain a vulnerability that could allow an authenticated VNC session to cause a stack overflow via a specific set of VNC packets. Successful exploitation will result in remote code execution in a virtual machine via the authenticated VNC session. As prerequisites for a successful exploit, VNC must be manually enabled in a virtual machine’s .vmx configuration file and ESXi must be configured to allow VNC traffic through the firewall.

Affected products and versions:

  • ESXi 5.5 and 6.0 (install patches ESXi550-201709101-SG or ESXi600-201711101-SG)
  • Workstation 12.x (upgrade to version 12.5.8)
  • Fusion 8.x (upgrade to version 8.5.9)

vCenter Converter Standalone 6.2

New Release – VMware vCenter Converter Standalone 6.2

vCenter Converter Standalone is a handy tool used to convert Windows or Linux computers to different types of VMware virtual machines. You can convert physical or virtual machines, and even AWS or Azure instances. A few days ago, VMware released vCenter Converter Standalone 6.2, a version which supports VMware vSphere 6.5 Update 1.

vCenter Converter Standalone New Features

  • Support for vSphere 6.5 Update 1 endpoints.
  • Support for new guest operating systems: Windows Server 2016 and Ubuntu 16.
  • New configuration option for Linux migrations. You can provide a path for the temporary files of vmware-sysinfo to be extracted and executed.
  • New configuration option to change the default destination provisioning disk type from thick to thin.

You can opt to install the Converter on a variety of operating systems, ranging from Windows Vista SP2 to Windows 10 and from Windows Server 2008 SP2 to the latest Windows Server 2016.

VMware Security Advisory

VMware Security Advisory VMSA-2017-0020

VMware has released a new security advisory: “VMSA-2017-0020 – VMware AirWatch Console updates address Broken Access Control vulnerability”.

VMware AirWatch Console has a Broken Access Control vulnerability. Successful exploitation of this issue could result in end-user device details being disclosed to an unauthorized administrator.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2017-4942 to this issue.

The vulnerability consists of two distinct issues which, together, could allow a tenant to accidentally come into contact with another tenant’s device details. The first issue occurs as the result of a UI issue present under certain conditions, which may lead to the display of an incorrect device’s details. The second issue occurs when the device details are incorrectly displayed to the unauthorized administrator, which results from a missing access control check performed on the request.

AirWatch Console 9.2.2 (released on 5th December) resolved the issue. For more details on this version, you can check KB115015625647 (please note you need to log in) and the release notes.

For shared SaaS environments, no action is required as all shared SaaS environments have been patched for this vulnerability. For dedicated SaaS and On-Premises, patches have been made available for all AirWatch Console versions 9.0.1 and up.

VMware has also released a workaround for customers who are unable to immediately apply the patch. You can check it in KB115015676547.

You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.

Install Active Directory

How to Install Active Directory on Windows Server 2012 R2

There may be cases when you need to install Active Directory in your home lab. As an example, I can specify the installation of VMware vRealize Automation, for which you require a domain. In this article I will show how to install Active Directory on Windows Server 2012 R2. I chose Windows Server 2012 R2 over the newest Windows Server 2016 because in my experience 2016 requires more hardware resources compared with 2012, hardware resources which are scarce in a lab environment.

As a prerequisite for this installation, you need to prepare in advance a Windows Server 2012 R2 Standard Edition virtual machine, preferably with all the normal goodies (latest hardware version, latest VMware Tools, vmxnet3 network adapter, paravirtual SCSI adapter). Install the latest security patches. You do not need the installation kit for Windows Server 2012 R2.

How to Update ESXi 6.5 with Command Line

In a previous post I wrote about how to easily update ESXi 6.5 using Update Manager. This time I will show another method of updating ESXi; more specifically, I will update ESXi 6.5 with the command line tool (esxcli). This method works whether the ESXi server is standalone or added to a vCenter Server (I will use no component of vCenter Server).

When is this method better than using the Update Manager? The simplest use case is when you have no vCenter Server (because Update Manager is a component of vCenter Server). In other cases, you may be more familiar with running scripts than clicking through a user interface 🙂

As a prerequisite, I placed the ESXi server in maintenance mode. Let’s start!
