Patching Windows operating systems comes as second nature to Windows administrators. But what about virtualization admins and their VMware environments? Yesterday, October 1, 2015, VMware put out a security advisory that should grab your attention.
VMware is urging all users to install the security patches released in VMSA-2015-0007 for VMware vCenter Server and ESXi, which address critical vulnerabilities that allow remote code execution and denial of service.
The first issue is a remote-code-execution vulnerability in VMware vCenter Server (versions 5.0, 5.1, 5.5 and 6.0): an unauthenticated remote attacker can connect to the JMX/RMI service and execute arbitrary code on the vCenter server. Doug Mcleod of 7 Elements, the outside researcher who first discovered this vulnerability, said it allowed system-level access to virtual machine host servers, which could result in a full compromise of the environment.
"The JMX service was found to be configured insecurely as it does not require authentication, allowing a user to connect and interact with the service," said Mcleod. "The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean from a remote URL. An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file. When the JMX service registers the MLet file, the agent will initiate the URL to the remote JAR and execute the methods leading to code execution."
Mcleod first reported the issue on February 27, 2015; it can now be publicly disclosed because VMware has provided fixes in both the latest release, vCenter 6.0 Update 1, and updates for all previously affected versions.
In the same advisory, VMware tells users that ESXi versions 5.0, 5.1 and 5.5 were also affected by a remote code execution bug. VMware stated, "VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely on the ESXi host."
ESXi 6.0 is not affected.
This vulnerability was first brought to VMware's attention by Qinghao Tang of the Chinese security firm QIHU 360.
A second bug was also identified in VMware vCenter Server. This one was reported by researchers at Google, who found that an attacker could create a denial-of-service condition by sending the server a maliciously crafted message. VMware's explanation of this issue was: "VMware vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service."
Patches for all of these issues are already available for download. You can find more information about each of them, and access the security patches, here.