VMware Security Advisory

VMSA-2020-0009 – VMware vRealize Operations Manager Vulnerability

Updated on 16 May 2020 with fixed versions of vRealize Operations.

VMware has released a new security advisory VMSA-2020-0009: VMware vRealize Operations Manager addresses Authentication Bypass and Directory Traversal vulnerabilities.

Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which is used by VMware vRealize Operations Manager. This advisory documents the remediation of one critical and one important issues. The Application Remote Collector (ARC) introduced with vRealize Operations Manager 7.5 utilizes Salt and as such presents two vulnerabilities, one authentication bypass and one directory traversal.

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2020-11651 to the authentication bypass vulnerability and CVE-2020-11652 to the directory traversal.

A malicious actor with network access to port 4505 or 4506 on the ARC may take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. For the second vulnerability, a malicious actor with network access to port 4505 or 4506 on the ARC may access the entirety of the ARC filesystem.

Read More
VMware vCenter Server 6.7 Update 3f

VMware vCenter Server 6.7 Update 3f

VMware released a new vCenter Server version: 6.7 Update 3f, 6.7.0.43000, build 15976714. In this article I will cover the resolved issues and I will show how easy is to update from a previous version of vCenter Server 6.7 to VMware vCenter Server 6.7 Update 3f.

In case you are looking for a plain installation of vCenter Server 6.7, you can check my other article: How to Install VCSA 6.7 (VMware vCenter Server Appliance).

Resolved Issues

This release of vCenter Server 6.7 Update 3f delivers the following patch:

  • Security Patch for VMware vCenter Server 6.7 Update 3f (VMware-vCenter-Server-Appliance-6.7.0.43000-15976714-patch-FP.iso)

VMware vCenter Server 6.7 Update 3f resolves a critical security issue documented in security advisory VMSA-2020-0006: vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), may not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

Read More
VMware Security Advisory

VMware ESXi and Horizon DaaS Security Updates – VMSA-2019-0022

VMware has released a new security advisory VMSA-2019-0022 (VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability). Patches and workarounds are available to address this vulnerability in affected VMware products.

This advisory documents the remediation of one issue, rated with a severity of critical. VMware ESXi and Horizon DaaS use an OpenSLP version which has a heap overwrite issue. Successful exploitation of this issue may allow attackers with network access to port 427 on an ESXI host or on any Horizon DaaS management appliance to overwrite the heap of the OpenSLP service resulting in remote code execution.

The identifier CVE-2019-5544 was assigned to this vulnerability.

Read More
VMware Security Advisory

VMware ESXi, Workstation, and Fusion Security Updates – VMSA-2019-0019

VMware has released a new security advisory VMSA-2019-0019 (VMware ESXi, Workstation, and Fusion updates address a denial-of-service vulnerability).

This advisory documents the remediation of one issue, rated with a severity of moderate. VMware ESXi, Workstation and Fusion contain a denial-of-service vulnerability in the shader functionality. Successful exploitation of this issue may allow attackers with normal user privileges to create a denial-of-service condition on their own VMs.

Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled. By default, this functionality is not enabled on ESXi and is enabled on Workstation and Fusion.

The identifier CVE-2019-5536 was assigned to this vulnerability.

Affected products and resolutions:

  • ESXi 6.7 – apply patch ESXi670-201908101-SG
  • ESXi 6.5 – apply patch ESXi650-201910401-SG
  • Workstation 15.x – update to 15.5.0
  • Fusion 11.x – update to 11.5.0

The workaround for this issue involves disabling the 3D-acceleration feature.

Disable 3D-acceleration on ESXi

  • With Host Client or vCenter, go to the individual VM > Edit Settings > Virtual hardware > Video card.
  • If the “3D Graphics” is checked then 3D-acceleration feature is enabled.

Disable 3D-acceleration on Workstation

  • Select virtual machine and select VM > Settings.
  • On the Hardware tab, select Display.
  • If the “Accelerate 3D graphics” is checked then 3D-acceleration feature is enabled.

Disable 3D-acceleration on Fusion

  • From the VMware Fusion menu bar, select Window > Virtual Machine Library.
  • Select a virtual machine and click Settings.
  • In the Settings Window > select Display.
  • If the “Accelerate 3D graphics” is checked then 3D-acceleration feature is enabled.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMware vCenter Server Appliance Security Update - Backup and Restore Vulnerability

VMware vCenter Server Appliance – Backup and Restore Vulnerability

VMware has released a new security advisory VMSA-2019-0018 (VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions).

This advisory documents the remediation of one issue, rated with a severity of moderate. Sensitive information disclosure vulnerabilities resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance may allow a malicious actor to intercept sensitive data in transit over FTPS, HTTPS, or SCP.

A man-in-the-middle positioned between vCenter Server Appliance and a backup target may be able to intercept data in transit during File-Based Backup and Restore operations.

The identifiers CVE-2019-5537 (data interception over FTPS and HTTPS) and CVE-2019-5538 (data interception over SCP) were assigned to this vulnerability.

Affected products and resolutions:

  • vCenter Server Appliance 6.7 – update to 6.7 Update 3a
  • vCenter Server Appliance 6.5 – update to 6.5 Update 3d

Remediation of CVE-2019-5537 and CVE-2019-5538 is not enabled by default. After upgrading vCenter Server Appliance, follow the steps in KB75156 (Enabling secure backup and restore in the vCenter Server Appliance) to enforce strict certificate validation.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMware Security Advisory

VMware ESXi, Workstation, Fusion and vCloud Director Security Updates

VMware has released two new security advisories VMSA-2019-0004 (VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability) and VMSA-2019-0005 (VMware ESXi, Workstation and Fusion updates address multiple security issues).

The advisories document the remediation of these critical issues:

  • VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals. Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session.
  • VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface). Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host.
  • VMware Workstation and Fusion contain an out-of-bounds write vulnerability in the e1000 virtual network adapter. This issue may allow a guest to execute code on the host.
  • VMware Workstation and Fusion updates address an out-of-bounds write vulnerability in the e1000 and e1000e virtual network adapters. Exploitation of this issue may lead to code execution on the host from the guest but it is more likely to result in a denial of service of the guest.
  • VMware Fusion contains a security vulnerability due to certain unauthenticated APIs accessible through a web socket. An attacker may exploit this issue by tricking the host user to execute a JavaScript to perform unauthorized functions on the guest machine where VMware Tools is installed. This may further be exploited to execute commands on the guest machines.
Read More
VMSA-2018-0024

VMSA-2018-0024 – AirWatch Console Vulnerability

VMware has released a new security advisory VMSA-2018-0024: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) update resolves SAML authentication bypass vulnerability.

This advisory documents the remediation of one critical issue: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled. If certificate-based authentication is not enabled the outcome of exploitation is limited to an information disclosure (Important Severity).

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6979 to VMSA-2018-0019 issue.

VMSA-2018-0024 – Affected Products and Resolutions

AirWatch Console 9.7.x – update to version 9.7.0.3 or above
AirWatch Console 9.6.x – update to version 9.6.0.7 or above
AirWatch Console 9.5.x – update to version 9.5.0.16 or above
AirWatch Console 9.4.x – update to version 9.4.0.22 or above
AirWatch Console 9.3.x – update to version 9.3.0.25 or above
AirWatch Console 9.2.x – update to version 9.2.3.27 or above
AirWatch Console 9.1.x – update to version 9.1.5.6 or above

As per VMware KB, if patching your environment is not feasible in a timely manner, you can take mitigation steps by disabling SAML authentication for enrollment located under System > Enterprise Integration > Directory Services.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMSA-2018-0003

VMSA-2018-0019 – VMware Horizon Vulnerability

VMware has released a new security advisory VMSA-2018-0019: Horizon 6, 7, and Horizon Client for Windows updates address an out-of-bounds read vulnerability.

This advisory documents the remediation of one important issue: Horizon 6, 7, and Horizon Client for Windows contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privileged process running on a system where Horizon Connection Server, Horizon Agent or Horizon Client are installed.

The vulnerability doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6970 to VMSA-2018-0019 issue.

VMSA-2018-0019 – Affected Products and Resolutions

Horizon version 7.x running on Windows – update to version 7.5.1 (release date 19 July 2018, for more details check the Release Notes)

Horizon version 6.x running on Windows – update to version 6.2.7 (release date 7 August 2018, for more details check the Release Notes)

Horizon Client for Windows version 4.x and earlier – update to version 4.8.1 (release date 7 August 2018, for more details check the Release Notes)

The vulnerability doesn’t apply to Horizon 6, 7 Agents installed on Linux systems or Horizon Clients installed on non-Windows systems.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMSA-2018-0003

VMSA-2018-0014 – VMware Horizon Client Privilege Escalation Vulnerability

VMware has released a new security advisory: : VMware Horizon Client update addresses a privilege escalation vulnerability.

This advisory documents the remediation of one important issue: VMware Horizon Client contains a local privilege escalation vulnerability due to insecure usage of SUID binary. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on a Linux machine where Horizon Client is installed.

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6964 to VMSA-2018-0014 issue.

All 4.x and prior versions of Horizon Client are affected by this vulnerability. VMware recommends update to version 4.8.0 (released 29 May 2018).

Read More

VMware Patches for Spectre

VMSA-2018-0012 – Speculative Store Bypass – SpectreNG

Not long after the first release of Meltdown and Spectre vulnerabilities, Google and Microsoft researchers independently reported two other variants of the modern processors bugs: a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB, previously known as SpectreNG – variant 4) has been assigned CVE-2018-3639; another Meltdown variation, rogue system register read (also called variant 3a) has been assigned CVE-2018-3640.

Among affected processors we find a wide range of chipsets: Intel and AMD x86, IBM POWER 8 and 9, and ARM CPUs.

Catalin Cimpanu wrote for Bleeping Computer:

Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The most important of these two is Variant 4. Both bugs occur for the same reason – speculative execution – a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.

The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the “store buffer” inside a CPU’s cache.

Read More