In response to a VMware user group security survey conducted earlier this year, VMware said it would consider initiatives aimed at increasing awareness of security updates among its customers and at providing more detail through the company's VMware Security Advisories (VMSAs). Last week, the company made good on those promises.
VMware released a host of new security patches that address multiple security vulnerabilities impacting a range of the company's virtualization products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX, and ESXi. Some of the identified flaws can be used to bypass security restrictions to elevate privileges, execute malicious code, or overwrite important files. Other vulnerabilities could lead to DoS attacks on affected products.
One of those vulnerabilities is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploited, the affected product must be deployed in an environment that uses Active Directory with anonymous LDAP binding enabled.
In that configuration the directory accepts an LDAP bind that carries a user name but an empty password as an unauthenticated (effectively anonymous) bind instead of rejecting it, so an application that treats any successful bind as proof of identity can be fooled. The VMware advisory warns, "In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account."
The workaround, pending the patch, is to disable AD anonymous LDAP binding if it is enabled in your environment.
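The following is an added illustration of the LDAP failure mode behind this advisory; it is not VMware's code and makes no claim about how vCenter Server is implemented internally. The directory is a small in-memory stand-in for Active Directory (names, DNs and passwords are constructed), the `allow_anonymous` flag stands in for the AD anonymous-bind setting, and the two `login_*` functions are assumed application-side patterns: one that trusts any successful bind, and one that refuses to send an empty password and only accepts a bind the server reports as authenticated for the requested name. The server behaviour modelled is the one RFC 4513 section 5.1.2 describes: a simple bind with a non-empty name and an empty password is an "unauthenticated" bind, which a server that permits anonymous access may accept without checking any credential.

```python
"""Model of the LDAP unauthenticated-bind pitfall (added example, not VMware code)."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: DN -> stored password (assumed data).
DIRECTORY = {
    "CN=alice,CN=Users,DC=example,DC=com": "correct horse battery staple",
    "CN=svc-vcenter,CN=Users,DC=example,DC=com": "s3rv1c3!",
}


@dataclass
class BindResult:
    success: bool
    authenticated_as: Optional[str]  # None means anonymous / unauthenticated
    diagnostic: str = ""


def ldap_simple_bind(name: str, password: str, allow_anonymous: bool) -> BindResult:
    """Stand-in for a directory server's simple bind handling (RFC 4513 s5.1).

    - empty name, empty password  -> anonymous bind
    - non-empty name, empty pw    -> unauthenticated bind (RFC 4513 s5.1.2)
    - non-empty name and password -> name/password authentication
    Both of the first two succeed only when the server permits anonymous
    access (the assumed meaning of allow_anonymous), and neither checks a
    credential.
    """
    if password == "":
        if allow_anonymous:
            kind = "anonymous bind" if name == "" else "unauthenticated bind"
            # The bind "succeeds", but the caller holds only anonymous rights and
            # no password was ever compared. This is the case the advisory warns about.
            return BindResult(True, None, f"{kind} accepted")
        return BindResult(False, None, "empty password rejected (invalidCredentials)")
    if DIRECTORY.get(name) == password:
        return BindResult(True, name, "authenticated")
    return BindResult(False, None, "invalidCredentials")


def login_trusting_bind(name: str, password: str, allow_anonymous: bool) -> bool:
    """Vulnerable pattern: treat any successful bind as proof of identity."""
    return ldap_simple_bind(name, password, allow_anonymous).success


def login_hardened(name: str, password: str, allow_anonymous: bool) -> bool:
    """Hardened pattern: never send an empty password to the directory, and
    only accept a bind the server reports as authenticated for this name."""
    if not name or not password:
        return False
    result = ldap_simple_bind(name, password, allow_anonymous)
    return result.success and result.authenticated_as == name


if __name__ == "__main__":
    user = "CN=alice,CN=Users,DC=example,DC=com"
    for allow in (True, False):
        print(f"anonymous LDAP bind enabled={allow}:")
        print("  trusting bind, blank password ->", login_trusting_bind(user, "", allow))
        print("  hardened,      blank password ->", login_hardened(user, "", allow))
        print("  hardened,      real password  ->",
              login_hardened(user, "correct horse battery staple", allow))
```

With anonymous binding enabled, `login_trusting_bind` lets a known user name through with a blank password; `login_hardened` does not, regardless of the server setting. Turning anonymous binding off (the advisory's workaround) closes the hole for the trusting client too, but the client-side checks are what make the application robust to the directory's configuration. In Active Directory the anonymous-access setting lives in the seventh character of the forest's dSHeuristics attribute (a value of 2 enables it), which is the place to check when confirming the workaround has been applied.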