VMware has released an advisory detailing newly discovered vulnerabilities across multiple products, namely ESXi, vCenter Server and Cloud Foundation. The severity of these vulnerabilities varies, but among them is a remote code execution vulnerability that has received a “Critical” CVSS score of 9.8. VMware has released patches for these vulnerabilities, and it is recommended that any affected systems either implement the workarounds or update to the fixed versions of the software at this time.
Technical Detail & Additional Information
WHAT IS THE THREAT?
Several vulnerabilities have been discovered across three different VMware products: ESXi, vCenter Server and Cloud Foundation. The first vulnerability is in the vSphere Client (HTML5) and stems from a vCenter Server plugin that allows remote code execution: a malicious actor with network access to port 443 can execute commands with unrestricted privileges on the operating system that hosts vCenter Server. The second vulnerability is a heap overflow in the OpenSLP service used by ESXi: a malicious actor with access to the network segment on which ESXi resides and access to port 427 could trigger the heap overflow in the OpenSLP service, which can result in remote code execution. The final vulnerability is in the vSphere Client (HTML5), which contains an SSRF (Server Side Request Forgery) vulnerability caused by improper URL validation in a vCenter Server plugin; a malicious actor with network access to port 443 could exploit this vulnerability with a POST request to that particular vCenter Server plugin, which can result in disclosure of private information.
WHY IS IT NOTEWORTHY?
VMware is one of the most common names in cloud computing and virtualization, and vulnerabilities in its virtualization platforms and software affect a sizable subset of all organizations, technology-based or otherwise. The severity of the first (and most impactful) vulnerability has been quantified with a CVSS score of 9.8, which falls into the “critical” range. This means it poses an extreme threat to any affected organization. The score is calculated from a large number of factors, including the attack vector, attack complexity, required privileges, requirements to remediate and the impact on confidentiality, integrity and availability (the CIA triad), to name only a few. The remaining two vulnerabilities score 8.8 (important) and 5.3 (moderate) on the CVSS scale, respectively.
WHAT IS THE EXPOSURE OR RISK?
The critical vulnerability in the vCenter Server plugin for the vSphere Client that allows remote code execution poses an immediate and grave risk to any affected system. If an attacker were able to exploit this vulnerability, they could execute code with unrestricted privileges, meaning almost any malicious action the attacker wanted to take would be possible. If a vCenter Server instance were compromised in this way, it could lead to the compromise of all virtual machines managed by that instance. Exploitation of the ESXi vulnerability would have a more localized impact, as it is unlikely to affect as many virtual machines. The last vulnerability has a significantly less dangerous worst case: while it could result in the disclosure of information, it will not directly compromise machines.
WHAT ARE THE RECOMMENDATIONS?
VMware has released updates that remediate all of the issues listed in this article. VMware’s own advisory provides both workarounds and the versions of the applications in which these vulnerabilities are remediated. VMware’s original advisory with this information can be found here:
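As an added example (not part of this advisory and not VMware’s own code), the shell functions below verify, and on an ESXi host apply, the workaround VMware documented for the OpenSLP exposure described above: stop slpd, disable the CIMSLP host firewall ruleset for port 427, and keep slpd from starting at boot. The command names are assumed from VMware’s published workaround knowledge-base article for the affected ESXi releases; the two checker functions parse esxcli and chkconfig output from stdin so they can be exercised offline against constructed sample text.

```shell
#!/bin/sh
# Added example: check and apply the OpenSLP (port 427) workaround on an ESXi host.
# Commands assumed from VMware's workaround KB (verify against the advisory for your release):
#   /etc/init.d/slpd stop                               stop the running daemon
#   esxcli network firewall ruleset set -r CIMSLP -e 0  block SLP at the host firewall
#   chkconfig slpd off                                  keep slpd from starting at boot

# Return 0 when the CIMSLP ruleset reads "false" in
# `esxcli network firewall ruleset list` output supplied on stdin.
cimslp_blocked() {
    awk '$1 == "CIMSLP" { found = 1; if ($2 == "false") ok = 1 }
         END { exit !(found && ok) }'
}

# Return 0 when slpd reads "off" in `chkconfig --list` output supplied on stdin.
slpd_off() {
    awk '$1 == "slpd" { found = 1; if ($2 == "off") ok = 1 }
         END { exit !(found && ok) }'
}

# The live checks only make sense in the ESXi shell itself (esxcli present).
on_esxi() { command -v esxcli >/dev/null 2>&1; }

# Return 0 if both halves of the workaround are in place, 1 if not, 2 if not on ESXi.
check_slp_workaround() {
    on_esxi || return 2
    esxcli network firewall ruleset list | cimslp_blocked || return 1
    chkconfig --list | slpd_off || return 1
}

# Apply the workaround; the caller re-runs check_slp_workaround to confirm.
apply_slp_workaround() {
    on_esxi || return 2
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Usage on the host: sh slp_workaround.sh check | apply
case "${1:-}" in
    check) check_slp_workaround; echo "check exit status: $?" ;;
    apply) apply_slp_workaround && check_slp_workaround ;;
esac
```

The workaround blocks the CIM/SLP service, so confirm nothing in your environment depends on SLP discovery before applying it, and prefer updating to the fixed version where possible.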
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.