VMware Patches Critical Vulnerabilities in vSphere Data Protection
VMware fixed two critical vulnerabilities in its vSphere Data Protection solution this week that could have allowed an attacker to execute commands on the virtual appliance, among other outcomes.
The Department of Homeland Security’s CERT encouraged users and administrators on Wednesday to apply the updates.
vSphere Data Protection is a backup solution used with vSphere environments and is usually run in tandem with VMware’s vCenter Server and vSphere Web Client.
According to a security advisory published Tuesday, the product suffers from a Java deserialization flaw that could let a remote attacker execute commands. Tim Roberts, Arthur Chilipweli, and Kelly Correll, security consultants at NTT Security, uncovered the vulnerability, according to the advisory.
VMware is also aware of a second vulnerability in VDP relating to how it stores credentials. According to the advisory, VDP stores credentials from vCenter Server using reversible encryption, which could allow plaintext credentials to be obtained.
While VMware did not go into detail on the vulnerability, using reversible encryption carries one primary risk: if the key is ever compromised, the data it protects is compromised as well. Wherever reversible encryption is used, the associated key must be stored securely, protected from corruption, retrieved and protected during use, and changed periodically.
Typically, reversible encryption is not acceptable unless the needs of the software outweigh the requirement to protect the information.
Marc Strobel, a security consultant with HvS-Consulting, based in Germany, uncovered the vulnerability (CVE-2017-4917). Strobel had uncovered a similar critical issue in VDP in December: the product was found to contain a private SSH key with a known password that was configured to allow key-based authentication. If exploited, the issue could have let an unauthorized remote attacker log into the appliance with root privileges.
The company is encouraging users running versions 6.1.x, 6.0.x, 5.8.x, and 5.5.x to upgrade to the latest versions, 6.1.4 and 6.0.5 respectively, to address both the deserialization issue and the reversible encryption issue.
It’s the first time VDP has received an update since that December SSH key issue, but the tenth time this year VMware has patched vulnerabilities in its products. The company last pushed patches three weeks ago for its Workstation software; those vulnerabilities could have led to escalation of privileges to root or to a denial of service.