Tag: vulnerability

Security Advisory

VMSA-2021-0014 – VMware ESXi Vulnerabilities

Constantin Ghioc Leave a comment

VMware has released a new security advisory VMSA-2021-0014: VMware ESXi updates address authentication and denial of service vulnerabilities (CVE-2021-21994, CVE-2021-21995).

Multiple vulnerabilities in VMware ESXi were privately reported to VMware. Updates and workarounds are available to remediate these vulnerabilities in affected VMware products. This advisory documents the remediation of one important issue (CVSSv3 score 7) and one moderate issue (CVSSv3 score 5.3).

The Common Vulnerabilities and Exposures project has assigned the identifiers CVE-2021-21994 to the ESXi SFCB improper authentication vulnerability and CVE-2021-21995 to the ESXi OpenSLP denial-of-service vulnerability.

VMSA-2021-0014 – Description and Workarounds

A malicious actor with network access to port 5989 on ESXi may exploit the SFCB improper authentication vulnerability to bypass SFCB authentication by sending a specially crafted request. SFCB service is disabled by default. The service starts when you install a third-party CIM VIB, for example, when you run the esxcli software vib install -n VIBname command. You can check status and disable SFCB service using:

Read More
VMSA-2018-0024

VMSA-2018-0024 – AirWatch Console Vulnerability

Constantin Ghioc Leave a comment

VMware has released a new security advisory VMSA-2018-0024: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) update resolves SAML authentication bypass vulnerability.

This advisory documents the remediation of one critical issue: VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled. If certificate-based authentication is not enabled the outcome of exploitation is limited to an information disclosure (Important Severity).

The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2018-6979 to VMSA-2018-0019 issue.

VMSA-2018-0024 – Affected Products and Resolutions

AirWatch Console 9.7.x – update to version 9.7.0.3 or above
AirWatch Console 9.6.x – update to version 9.6.0.7 or above
AirWatch Console 9.5.x – update to version 9.5.0.16 or above
AirWatch Console 9.4.x – update to version 9.4.0.22 or above
AirWatch Console 9.3.x – update to version 9.3.0.25 or above
AirWatch Console 9.2.x – update to version 9.2.3.27 or above
AirWatch Console 9.1.x – update to version 9.1.5.6 or above

As per VMware KB, if patching your environment is not feasible in a timely manner, you can take mitigation steps by disabling SAML authentication for enrollment located under System > Enterprise Integration > Directory Services.

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

VMware Patches for Spectre

VMSA-2018-0012 – Speculative Store Bypass – SpectreNG

Constantin Ghioc Leave a comment

Not long after the first release of Meltdown and Spectre vulnerabilities, Google and Microsoft researchers independently reported two other variants of the modern processors bugs: a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB, previously known as SpectreNG – variant 4) has been assigned CVE-2018-3639; another Meltdown variation, rogue system register read (also called variant 3a) has been assigned CVE-2018-3640.

Among affected processors we find a wide range of chipsets: Intel and AMD x86, IBM POWER 8 and 9, and ARM CPUs.

Catalin Cimpanu wrote for Bleeping Computer:

Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The most important of these two is Variant 4. Both bugs occur for the same reason – speculative execution – a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.

The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the “store buffer” inside a CPU’s cache.

Read More