VMware Security Advisory

VMware Security Advisory – VMSA-2018-0001 – vSphere Data Protection

I know you are all busy patching Meltdown and Spectre, but let’s not forget about a security advisory that VMware released so early this year, on 2nd January 2018: VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.

This advisory documents the remediation of three important issues: a VDP authentication bypass vulnerability, VDP arbitrary file upload vulnerability, and a VDP path traversal vulnerability.

Same day, VMware released a new vSphere Data Protection version, 6.1.6, which among other goodies fixes all the vulnerabilities from the current advisory.

VMSA-2018-0001 – vSphere Data Protection Vulnerabilities

CVE-2017-15548 – A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.

CVE-2017-15549 – A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.

CVE-2017-15550 – A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.

All three vulnerabilities affect same VDP versions, and the solution is the same, one patch per version covering everything:

  • vSphere Data Protection 5.x – upgrade to 6.0.7
  • vSphere Data Protection 6.0.x – update to 6.0.7
  • vSphere Data Protection 6.1.x – update to 6.1.6

vSphere Data Protection 6.1.6

vSphere Data Protection 6.1.6 is a release which fixes few bugs:

  • Add Q2 2017 v9 OS Rollup to vSphere Data Protection 6.1.6.
  • When you upgrade vSphere Data Protection from 6.1.4 to 6.1.5, if the mcserver.xml file is encoded, MCS logins fail.
  • Disable TLS 1.0 communication with vSphere Data Protection webapp.
  • Fix Avamar vulnerability (PSRC-4867), which bypasses SecurityService authentication.
  • During vSphere Data Protection upgrade to 6.1.5, the vSphere Data Protection configuration utility disconnects multiple times

You can download VDP 6.1.6 from MyVMware portal (credentials required).

You can also check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

Constantin Ghioc

I usually play with vSphere API, Ansible, vRealize Automation, vRealize Orchestrator, and different AWS tools. In my other life I’m a husband and a father, an amateur photographer and a Go enthusiast.

Leave a Reply