VMware warns of multiple ESX, vCenter, and vSphere vulnerabilities

Flaws could lead to authentication bypass, system crashes, or denial-of-service attacks

In response to a VMware user group security survey conducted earlier this year, VMware said it would consider certain initiatives aimed at increasing customers' awareness of security updates and at providing additional details by way of the company's VMware Security Advisories (VMSAs). Last week, the company made good on those promises.

VMware released a host of new security patches that address multiple security vulnerabilities impacting a range of the company's virtualization products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX, and ESXi. Some of the identified flaws can be used to bypass security restrictions to elevate privileges, execute malicious code, or overwrite important files. Other vulnerabilities could lead to DoS attacks on affected products.

One of those vulnerabilities is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploited, the affected product must be deployed in an environment that uses Active Directory with anonymous LDAP binding enabled.

This type of setup doesn't properly handle log-in credentials. The VMware advisory warns, "In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account."

The workaround is to discontinue the use of AD anonymous LDAP binding if it is enabled in your environment.
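The symptom quoted above matches a general property of LDAP simple binds (RFC 4513): a bind with an empty password authenticates nobody and leaves the session anonymous, so an application that treats "bind succeeded" as "user verified" accepts a blank password. The sketch below is an added illustration, not VMware's code and not taken from the advisory, which does not describe the affected code path; the in-memory directory, the DN and all function names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample directory (DN -> password); not real accounts.
DIRECTORY = {"cn=alice,dc=example,dc=test": "correct horse"}


@dataclass
class BindResult:
    ok: bool
    authz_id: str  # identity the session runs as; "" means anonymous


def simple_bind(dn, password, anonymous_binding_enabled):
    """Model of a directory server's simple bind (RFC 4513, section 5.1)."""
    if password == "":
        # Empty password: the supplied DN is NOT verified. If the server
        # permits it, the bind "succeeds" but the session is anonymous.
        return BindResult(anonymous_binding_enabled, "")
    if DIRECTORY.get(dn) == password:
        return BindResult(True, dn)
    return BindResult(False, "")  # invalid credentials


def login_naive(dn, password, anonymous_binding_enabled=True):
    """Flawed check: any successful bind is taken as proof of identity."""
    return simple_bind(dn, password, anonymous_binding_enabled).ok


def login_hardened(dn, password, anonymous_binding_enabled=True):
    """Refuse empty credentials up front and confirm who the bind verified."""
    if not dn or not password:
        return False
    result = simple_bind(dn, password, anonymous_binding_enabled)
    return result.ok and result.authz_id == dn


if __name__ == "__main__":
    user = "cn=alice,dc=example,dc=test"
    print("naive, blank password, anonymous binding on :", login_naive(user, ""))
    print("naive, blank password, anonymous binding off:", login_naive(user, "", False))
    print("hardened, blank password                    :", login_hardened(user, ""))
    print("hardened, correct password                  :", login_hardened(user, "correct horse"))
```

Turning anonymous binding off, as the workaround advises, makes the naive check fail closed; the hardened check does not depend on the server setting.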

Organizations running version 5.1 of VMware's vCenter Server Appliance (vCSA) on Linux should be aware of two other sets of vulnerabilities. The first is a remote code execution flaw that enables an attacker with stolen credentials to run existing files as root. The second vulnerability is found within the Virtual Appliance Management Interface (VAMI), where an authenticated remote attacker can upload files to an arbitrary location, thereby creating new files or overwriting existing files. According to the VMware advisory, replacing certain files could result in a DoS condition.

Certain versions of VMware's ESX and ESXi hypervisors (4.0, 4.1 and 5.0) are also affected. According to VMware, there is a flaw in the hostd-vmdb that could allow an attacker to cause a DoS condition. In order to exploit this vulnerability, an attacker would need to intercept and modify the management traffic.

The advisory also identified a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain elevated privileges within the environment. However, exploiting this flaw may not prove easy as it requires some knowledge of the target user's session. According to VMware, an attacker would have to know a valid session ID of an already authenticated user.

In either instance, VMware said users can reduce the likelihood of these vulnerabilities causing a problem by running vSphere components in an isolated management network to ensure that traffic does not get intercepted.

VMware also updated a number of third-party libraries, such as OpenSSL, across several of its product lines, including vCenter Server, ESX, and ESXi, in order to resolve multiple security issues.

"These recent VMware patches underscore the critical nature of management in virtual infrastructure," said Eric Chiu, president and cofounder of HyTrust. "Without secure management, bad things can happen -- denial of service, breaches and data center disasters."

In some ways, virtualization has given some users a false sense of security. But that shouldn't be the case. As virtualization and cloud computing become the new top-level OS within the data center, the hypervisor is becoming a more attractive target for breaches and attacks.

Chiu went on to say, "It's critical to have comprehensive security for virtual infrastructure management to enforce fine-grain access controls over every action, including the NSA's 'two-man' rule requirement as well as role-based monitoring to detect potential threats in the environment."

It's also important to remember that in a physical environment, hackers have to concentrate on hacking individual servers or individual applications to cause chaos. But in a virtualized environment, a hacker can sometimes get away with entry through a single point and gain access to everything.

If VMware releases a patch or an update marked as "critical," don't blink -- take the security warning seriously and figure out how to best implement the fix. VMware customers shouldn't take any chances with their virtualized infrastructures. When VMware security advisories hit your inbox, don't skip over them; instead, read them and react accordingly.

This article, "VMware security advisories warn of multiple ESX, vCenter, and vSphere vulnerabilities," was originally published at InfoWorld.com. Follow the latest developments in virtualization and cloud computing at InfoWorld.com.

Copyright © 2013 IDG Communications, Inc.