VMSA-2018-0024

VMSA-2018-0024 – AirWatch Console Vulnerability

VMware has released a new security advisory VMSA-2018-0024: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) update resolves SAML authentication bypass vulnerability.

This advisory documents the remediation of one critical issue: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled. If certificate-based authentication is not enabled the outcome of exploitation is limited to an information disclosure (Important Severity).

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6979 to VMSA-2018-0019 issue.

VMSA-2018-0024 – Affected Products and Resolutions

AirWatch Console 9.7.x – update to version 9.7.0.3 or above
AirWatch Console 9.6.x – update to version 9.6.0.7 or above
AirWatch Console 9.5.x – update to version 9.5.0.16 or above
AirWatch Console 9.4.x – update to version 9.4.0.22 or above
AirWatch Console 9.3.x – update to version 9.3.0.25 or above
AirWatch Console 9.2.x – update to version 9.2.3.27 or above
AirWatch Console 9.1.x – update to version 9.1.5.6 or above

As per VMware KB, if patching your environment is not feasible in a timely manner, you can take mitigation steps by disabling SAML authentication for enrollment located under System > Enterprise Integration > Directory Services.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMSA-2018-0003

VMSA-2018-0019 – VMware Horizon Vulnerability

VMware has released a new security advisory VMSA-2018-0019: Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability.

This advisory documents the remediation of one important issue: Horizon 6, 7, and Horizon Client for Windows contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed.

The vulnerability doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6970 to VMSA-2018-0019 issue.

VMSA-2018-0019 – Affected Products and Resolutions

Horizon version 7.x running on Windows – update to version 7.5.1 (release date 19 July 2018, for more details check the Release Notes)

Horizon version 6.x running on Windows – update to version 6.2.7 (release date 7 August 2018, for more details check the Release Notes)

Horizon Client for Windows version 4.x and earlier – update to version 4.8.1 (release date 7 August 2018, for more details check the Release Notes)

The vulnerability doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMSA-2018-0003

VMSA-2018-0014 – VMware Horizon Client Privilege Escalation Vulnerability

VMware has released a new security advisory: : VMware Horizon Client update addresses a privilege escalation vulnerability.

This advisory documents the remediation of one important issue: VMware Horizon Client contains a local privilege escalation vulnerability due to insecure usage of SUID binary. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6964 to VMSA-2018-0014 issue.

All 4.x and prior versions of Horizon Client are affected by this vulnerability. VMware recommends update to version 4.8.0 (released 29 May 2018).

Read More

VMware Patches for Spectre

VMSA-2018-0012 – Speculative Store Bypass – SpectreNG

Not long after the first release of Meltdown and Spectre vulnerabilities, Google and Microsoft researchers independently reported two other variants of the modern processors bugs: a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB, previously known as SpectreNG – variant 4) has been assigned CVE-2018-3639; another Meltdown variation, rogue system register read (also called variant 3a) has been assigned CVE-2018-3640.

Among affected processors we find a wide range of chipsets: Intel and AMD x86, IBM POWER 8 and 9, and ARM CPUs.

Catalin Cimpanu wrote for Bleeping Computer:

Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The most important of these two is Variant 4. Both bugs occur for the same reason – speculative execution – a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.

The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the “store buffer” inside a CPU’s cache.

Read More

VMware Security Advisory

VMware Security Advisory – VMSA-2018-0010 – Horizon DaaS Update

VMware has released a new security advisory: VMSA-2018-0010: Horizon DaaS update addresses a broken authentication issue.

This advisory documents the remediation of one moderate issue: Horizon DaaS contains a broken authentication vulnerability that may allow an attacker to bypass two-factor authentication.

To be able to exploit this vulnerability, a potential attacker must have a legitimate account on Horizon DaaS.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6960 to this issue.

All 7.x versions of Horizon DaaS are affected by this vulnerability. VMware recommends update to version 8.0.0.

Read More

VMware Security Advisory

VMware Security Advisory – VMSA-2018-0009 – vRealize Automation Vulnerabilities

VMware has released a new security advisory: VMSA-2018-0009 – vRealize Automation updates address multiple security issues.

This advisory documents the remediation of two issues: one important (DOM-based cross-site scripting vulnerability which may lead to the compromise of the vRA user’s workstation) and one moderate (Missing renewal of session tokens vulnerability which may lead to the hijacking of a valid vRA user’s session).

VMSA-2018-0009 – DOM-based Cross-site Scripting (XSS) Vulnerability

CVE-2018-6958 – vRealize Automation contains an important vulnerability that may allow for a DOM-based cross-site scripting (XSS) attack. Exploitation of this issue may lead to the compromise of the vRA user’s workstation.

Read More

VMware Released ESXi Patches for Spectre

VMware released patches against Spectre-2 vulnerability. In order to protect against branch target injection vulnerability (also known as Spectre-2), you need to patch the full stack, ranging from vCenter, down to ESXi and the operating system. Don’t forget to also update the firmware for your hardware.

For vCenter, VMware released few days ago the corresponding patches:

Going down to ESXi level, VMware released these patches:

  • ESXi 6.5 – ESXi650-201803401-BG and ESXi650-201803402-BG
  • ESXi 6.0 – ESXi600-201803401-BG and ESXi600-201803402-BG
  • ESXi 5.5 – ESXi550-201803401-BG and ESXi550-201803402-BG

In this article I will focus on ESXi 6.5 patches.

ESXi650-201803401-BG updates the esx-base, esx-tboot, vsan and vsanhealth VIBs. ESXi650-201803402-BG updates the cpu-microcode VIB. Both patches provide parts of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (as described in VMware Security Advisory VMSA-2018-0004.3).

Read More

New Security Patch – vCenter Server 6.5 U1g

VMware released today a new security patch, vCenter Server 6.5 U1g, build number 8024368. This release contains few VMware software fixes, security fixes, and third-party product fixes. The new patch can already be downloaded from My VMware portal (VMware-VCSA-all-6.5.0-8024368.iso, 3.36 GB). Patch is also available through standard online repository.

Updated packages in vCSA (Photon OS):

vCenter Server 6.5 U1g provides part of the hypervisor-assisted guest mitigation of CVE-2017-5715 for guest operating systems (Spectre-2 vulnerability). For more details on this mitigation, see VMware Security Advisory VMSA-2018-0004.3.

The patch also fixes an issue where in some cases the inclusion of an ESXi host into an empty Enhanced vMotion Compatibility (EVC) cluster would fail even though the host met the requirements.

Read More

VMware Security Advisory

VMware Security Advisory – VMSA-2018-0008 – Workstation and Fusion Vulnerability

VMware has released a new security advisory: VMSA-2018-0008 – Workstation and Fusion updates address a denial-of-service vulnerability.

This advisory documents the remediation of one issue, rated with a severity of Important. VMware Workstation and Fusion contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions. A successfully exploitation of the vulnerability will result in a virtual machine shutdown.

The identifier CVE-2018-6957 was assigned to this vulnerability. The vulnerability was discovered by a Cisco Talos researcher.

Read More

New Security Patch – vCenter Server 6.5 U1f

VMware released today a new security patch, vCenter Server 6.5 U1f, build number 7801515. This release patches the vCSA operating system (Photon OS) mainly against two vulnerabilities: bounds-check bypass (Spectre-1, CVE-2017-5753) and rogue data cache load issues (Meltdown, CVE-2017-5754). As of now, there is still no patch for branch target injection vulnerability (Spectre-2, CVE-2017-5715).

The new patch can already be downloaded from My VMware portal (VMware-VCSA-all-6.5.0-7801515.iso, 3607.6 MB), but it’s not yet available on the online repository for update using management GUI or CLI. Update 16 February 2018: the patch is available on the online repository, see below for details.

Updated packages:

  • linux 4.4.110-2
  • libgcrypt 1.7.6-3
  • c-ares 1.12.0-2
  • ncurses 6.0-8
  • libtasn1 4.12-1
  • wget 1.18-3
  • procmail 3.22-4
  • rsync 3.1.2-4
  • apr 1.5.2-7

Read More