Virtualization Technology News and Information
VMware warns of multiple ESX, vCenter, and vSphere vulnerabilities

In response to a VMware user group security survey conducted earlier this year, VMware said it would consider initiatives to make its customers more aware of security updates and to give them more detail through the company's VMware Security Advisories (VMSAs). Last week, the company made good on those promises.

VMware released a host of new security patches that address multiple vulnerabilities across a range of the company's virtualization products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX, and ESXi. Some of the flaws can be used to bypass security restrictions in order to elevate privileges, execute malicious code, or overwrite important files. Others could be used for denial-of-service (DoS) attacks against the affected products.

One of those vulnerabilities is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploited, the affected product must be deployed in an environment that uses Active Directory with anonymous LDAP binding enabled.

In that configuration vCenter does not correctly validate the credentials it is given. The VMware advisory warns, "In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account."

The workaround, pending the update, is to discontinue the use of AD anonymous LDAP binding if it is enabled in your environment.
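The bug class behind this flaw is worth seeing in code. RFC 4513 (section 5.1.2) defines a simple bind that carries a non-empty name but an empty password as an "unauthenticated bind": a server that permits it answers with success while granting only anonymous rights. An application that treats "the bind succeeded" as "the password was verified" can therefore be logged into with any valid user name and a blank password, which is exactly the behaviour the advisory describes. The following is an added illustration, not VMware's code or anything from the advisory: `FakeDirectory`, the sample account, and the two `login_*` functions are constructed for the example, and the in-memory directory stands in for a real LDAP server so that it runs offline.

```python
"""Why a blank password can pass an LDAP bind check, and how to guard against it.

Added example, not VMware code. FakeDirectory is a stand-in for an AD/LDAP
server; it models the three simple-bind cases of RFC 4513 section 5.1:
  - empty name + empty password      -> anonymous bind, success
  - non-empty name + empty password  -> UNAUTHENTICATED bind, success if allowed
  - non-empty name + password        -> authenticated bind, success if correct
"""


class FakeDirectory:
    """In-memory stand-in for a directory server (constructed for this example)."""

    def __init__(self, accounts, allow_unauthenticated_bind=True):
        # accounts: {bind_dn: password}; sample data, not real credentials
        self.accounts = accounts
        # Mirrors the advisory's precondition: anonymous/unauthenticated
        # binds are accepted by the directory.
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return (success, authorization_identity) like an LDAP BindResponse."""
        if dn == "" and password == "":
            return True, "anonymous"            # RFC 4513 5.1.1 anonymous bind
        if dn != "" and password == "":
            if self.allow_unauthenticated_bind:  # RFC 4513 5.1.2: success, but
                return True, "anonymous"         # the session is only anonymous
            return False, None
        if self.accounts.get(dn) == password:
            return True, dn                      # bound as the named identity
        return False, None


def login_vulnerable(directory, dn, password):
    """Bypassable: treats any successful bind as a verified password."""
    ok, _authz = directory.simple_bind(dn, password)
    return ok


def login_hardened(directory, dn, password):
    """Two checks the vulnerable version lacks."""
    # 1. Never send an empty credential; an empty password can only ever
    #    produce an anonymous or unauthenticated bind, never a login.
    if not dn or not password:
        return False
    ok, authz = directory.simple_bind(dn, password)
    # 2. Require that the server bound us AS the named user, not anonymously.
    #    Against a real server this is what the "Who am I?" extended
    #    operation (RFC 4532) answers; here the fake bind returns it directly.
    return ok and authz == dn


# Constructed sample account; the DN and password are placeholders.
ALICE = "CN=alice,OU=Users,DC=corp,DC=example"
SAMPLE_DIRECTORY = FakeDirectory({ALICE: "s3cret-sample"})

# Same directory after applying the workaround from the advisory.
WORKAROUND_DIRECTORY = FakeDirectory({ALICE: "s3cret-sample"},
                                     allow_unauthenticated_bind=False)


def demo():
    """Return the outcome of each case so the difference is visible at a glance."""
    return {
        "vulnerable_blank_password": login_vulnerable(SAMPLE_DIRECTORY, ALICE, ""),
        "hardened_blank_password": login_hardened(SAMPLE_DIRECTORY, ALICE, ""),
        "hardened_correct_password": login_hardened(SAMPLE_DIRECTORY, ALICE, "s3cret-sample"),
        "vulnerable_after_workaround": login_vulnerable(WORKAROUND_DIRECTORY, ALICE, ""),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'LOGGED IN' if result else 'rejected'}")
```

Note that the workaround in the advisory fixes the server side of this (the directory stops answering success for an empty password), while a patched client fixes it regardless of directory configuration. If you want to check your own domain controller for the server-side condition, a simple bind with a real DN and an empty password (for example `ldapsearch -x -H ldap://dc.example -D "CN=alice,..." -w ""`) should be refused; if it returns success, any application that relies on bind success alone is exposed.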


Read the entire InfoWorld Virtualization Report article.


Published Tuesday, October 22, 2013 7:30 PM by David Marshall