Virtualization Technology News and Information
Article
RSS
VMware Patches Man-in-the-Middle and Web Session Hijack Vulnerability

Hacking 

ATTN: VMware administrators.  Do you have plans this afternoon?  What about this weekend? 

"Patch now!" is the word coming down from the VMware mothership after the company revealed a new security flaw (VMSA-2016-0004) this week in the VMware Client Integration Plug-in that if exploited by an attacker could lead to a man-in-the-middle attack.

This announcement comes only a month after VMware announced a previous critical vulnerability, a cross-site scripting issue in vRealize for Linux

According to this latest advisory, the problem existed in VMware’s Client Integration plug-in, a collection of tools found in a handful of other products shipped by the virtualization giant, including some versions of its vCenter Server, vCloud Director and vRealize Automation Identity Appliance.  The plug-in helps users access a virtual machine’s console and is used in tandem with vSphere, VMware’s web client.

The issue is that the plug-in fails to handle session content in a safe way, something that could have allowed an attacker to carry out a Man-in-the-Middle attack or a Web session hijacking in case the user of the vSphere Web Client visits a malicious Web site.

In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) AND the client side (i.e. CIP of the vSphere Web Client) would need to be updated.

Not all versions of the software are vulnerable.  So far, VMware has only identified: vCenter Server 6.0 (any 6.0 version prior to 6.0 U2); vCenter Server 5.5 U3a, U3b, U3c; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4.

Sounds like the recently announced HTML5 Web Client couldn't come soon enough.

Published Friday, April 15, 2016 4:02 PM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<April 2016>
SuMoTuWeThFrSa
272829303112
3456789
10111213141516
17181920212223
24252627282930
1234567