VMware Updates Address Flaws in vSphere Client
VMware has released updates to address two vulnerabilities in its vSphere Client (advisory VMSA-2021-0010). The first, CVE-2021-21985, is a critical-severity (CVSSv3 9.8) “remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in.” The second, CVE-2021-21986, is a moderate-severity “vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins.” Both are reachable by anyone with network access to port 443 on vCenter Server.
Limit access to your vCenter infrastructure to authorized devices only, just as you would limit access to system consoles to prevent unauthorized attempts to “fiddle” with things. Note that the vulnerable Virtual SAN Health plugin is present even if you don’t have VMware vSAN. The vulnerable plugins can be disabled by setting them to “incompatible” (not “disabled”) as a temporary mitigation; the long-term fix is to rapidly apply the updates. There are three CVEs impacting five plugins. If you disable the plugins, they remain disabled after the patch until you explicitly re-enable them. Note that some third-party plugins may no longer function after the update, as additional changes were made in vCenter Server to improve overall security.
Not only should you patch this flaw as soon as possible, but you should also double-check that the vSphere console is not exposed to the Internet. Access should only be possible via a VPN or from a local management network. As a quick workaround: disable the vSAN client if you are not using it.
Here in Maryland the 17-year cicadas are coming out of the ground. When they last went underground in 2004, we were just recovering from the impact of Windows buffer overflow/input validation flaws being exploited in the Slammer/Blaster/Sasser and other attacks. Sad to see VMware shipping software all these years later with those same well-known software development mistakes in such a mission-critical product. Critical not just to patch your systems but to make sure your supply chain does so as well.
Input validation is difficult but necessary. Failure to do it properly is a continuing and widespread problem. It is aggravated by the fact that the developer cannot easily foresee the environment in which his code may run. It is simplified when the use of the input is tightly constrained, e.g., to a limited code set. Allowing special characters, especially in repetition or combination, which may trigger escape from processes down in the stack, is particularly dangerous. Anecdotal evidence suggests that input validation is not taught in training programs, or even in colleges and universities.
William Hugh Murray
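The interim workaround referred to in the editor notes above (marking the affected plugins “incompatible” in the vSphere UI compatibility matrix) as an added, stand-alone example; this is not code from the page or from VMware. The file path (vCenter Server Appliance), the five plugin IDs, the XML element names and the service-control command are assumptions taken from memory of VMware KB 83829 and must be confirmed against the current KB before use on a real vCenter; the script keeps a backup of the original file so the plugins can be re-enabled after patching, which the note says does not happen automatically.

```shell
#!/bin/sh
# Added example (not from the page or from VMware): apply and verify the
# "incompatible" workaround for the vSphere Client plugins in VMSA-2021-0010.
# ASSUMPTIONS: path, plugin IDs, XML layout and service-control usage are
# recalled from VMware KB 83829; verify against the current KB before use.

MATRIX="${MATRIX:-/etc/vmware/vsphere-ui/compatibility-matrix.xml}"
# vRealize Operations, vSAN Health, Site Recovery, Lifecycle Manager, VCDA
PLUGIN_IDS="com.vmware.vrops.install com.vmware.vsphere.client.h5vsan com.vmware.vrUi com.vmware.vum.client com.vmware.h4.vsphere.client"

# Print the file with XML comment blocks stripped, so a commented-out sample
# entry in the stock file is not mistaken for an active mitigation.
active_lines() {
    awk '{
        line = $0
        while (1) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) break
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out line; out = ""
    }' "$1"
}

# One <PluginPackage> entry per ID. The status must be "incompatible", the
# value the KB calls for; "disabled" is not the documented mitigation.
mitigation_entries() {
    for id in "$@"; do
        printf '    <PluginPackage id="%s" status="incompatible"/>\n' "$id"
    done
}

# Return 0 only when every plugin in PLUGIN_IDS has an active entry.
check_mitigated() {
    for id in $PLUGIN_IDS; do
        active_lines "$1" | grep -qF "id=\"$id\" status=\"incompatible\"" || return 1
    done
    return 0
}

# Insert the missing entries just before </pluginsCompatibility>. Idempotent:
# re-running adds nothing, and the first run keeps a pristine .bak copy for
# re-enabling the plugins once the patched vCenter is in place.
apply_mitigation() {
    file="$1"
    grep -q '</pluginsCompatibility>' "$file" || return 2   # unexpected layout
    [ -f "$file.bak" ] || cp "$file" "$file.bak" || return 1
    missing=""
    for id in $PLUGIN_IDS; do
        active_lines "$file" | grep -qF "id=\"$id\" status=\"incompatible\"" || missing="$missing $id"
    done
    [ -z "$missing" ] && return 0
    mitigation_entries $missing > "$file.entries"
    awk -v entries_file="$file.entries" '
        /<\/pluginsCompatibility>/ { while ((getline line < entries_file) > 0) print line }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    rm -f "$file.entries"
}

# The matrix is only re-read when the vSphere UI service restarts (assumed
# command from KB 83829); skipped when not running on a vCenter appliance.
restart_ui() {
    command -v service-control >/dev/null 2>&1 || return 0
    service-control --restart vsphere-ui
}

# Only touch the live file when explicitly asked: ./mitigate.sh --apply
case "${1:-}" in
    --apply) apply_mitigation "$MATRIX" && restart_ui && check_mitigated "$MATRIX" ;;
esac
```

After patching, restore the `.bak` copy (or delete the added lines) and restart vsphere-ui again; otherwise, as the note above says, the plugins stay unloaded.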
Read more in
The Register: VMware reveals critical vCenter hole it says ‘needs to be considered at once’
ZDNet: Patch immediately: VMware warns of critical remote code execution hole in vCenter
Ars Technica: Vulnerability in VMware product has severity rating of 9.8 out of 10
Threatpost: VMware Sounds Ransomware Alarm Over Critical Severity Bug
Bleeping Computer: VMware warns of critical bug affecting all vCenter Server installs