As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
VMware released an advisory detailing newly discovered vulnerabilities across multiple products. The severity of these vulnerabilities varies, but among them is a remote code execution vulnerability that received a Common Vulnerability Scoring System (CVSS) score of 9.8, which is considered critical. VMware has released patches for these vulnerabilities, and it is recommended that operators of any affected systems apply the workarounds or update to fixed versions of the software.
What is the threat?
Several vulnerabilities were discovered across three VMware products: ESXi, vCenter Server and Cloud Foundation. The first vulnerability is in the vSphere Client (HTML5)[1] and stems from a vCenter Server plugin that allows remote code execution. A malicious actor with network access to port 443 can execute commands with unrestricted privileges on the operating system that hosts vCenter Server.
The second is a heap-overflow vulnerability in the OpenSLP[2] service on ESXi. A malicious actor with access to the network segment on which ESXi resides and access to port 427 could trigger a heap overflow in the OpenSLP service, which in turn can result in remote code execution.
The final vulnerability is a server-side request forgery (SSRF) in the vSphere Client (HTML5), caused by improper uniform resource locator (URL) validation in a vCenter Server plugin. A malicious actor with network access to port 443 could exploit this vulnerability with a POST[3] request to that particular vCenter Server plugin. This can result in disclosure of private information.
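The SSRF described above is rooted in weak URL validation. The following added example (not VMware's code and not taken from the advisory) contrasts a naive string-prefix check with a validator that inspects the parsed hostname, rejects embedded credentials, and pins the resolved address to a configured value so that a lookalike host, a userinfo trick, or DNS rebinding cannot steer the server's outbound request elsewhere. The allow-list, the hostname `plugin-backend.example.internal`, the address `203.0.113.10` and the `CONSTRUCTED_DNS` table are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: hostname -> set of addresses it is expected to resolve to.
# Pinning the address defends against DNS rebinding between check and use.
ALLOWED_HOSTS = {"plugin-backend.example.internal": {"203.0.113.10"}}
ALLOWED_SCHEMES = {"https"}

# Constructed stand-in for DNS so the example runs offline.
CONSTRUCTED_DNS = {"plugin-backend.example.internal": ["203.0.113.10"]}


def table_resolver(hostname: str) -> list:
    """Resolver that answers only from the constructed table (no network)."""
    return list(CONSTRUCTED_DNS.get(hostname, []))


def rebinding_resolver(hostname: str) -> list:
    """Constructed resolver modelling a rebinding attack: any name -> loopback."""
    return ["127.0.0.1"]


def weak_is_allowed(url: str) -> bool:
    """The kind of check that produces SSRF: a string prefix says nothing about
    which host the outbound request will actually reach."""
    return url.startswith("https://plugin-backend.example.internal")


def strict_is_allowed(url: str, resolve=table_resolver) -> bool:
    """Accept a URL only if its scheme is allowed, it carries no userinfo, its
    parsed hostname is on the allow-list, and every resolved address matches the
    pinned set for that host. `resolve(hostname) -> list[str]` is injectable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "https://trusted-host@127.0.0.1/" parses with the trusted name as userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit; None if absent
    if host is None or host not in ALLOWED_HOSTS:
        return False
    addresses = resolve(host)
    if not addresses:
        return False
    return all(addr in ALLOWED_HOSTS[host] for addr in addresses)


if __name__ == "__main__":
    samples = [
        "https://plugin-backend.example.internal/api/v1",
        "https://plugin-backend.example.internal@127.0.0.1/",
        "https://plugin-backend.example.internal.attacker.test/",
        "http://plugin-backend.example.internal/",
    ]
    for url in samples:
        print(f"{url:60s} weak={weak_is_allowed(url)!s:5s} strict={strict_is_allowed(url)}")
```

The lookalike host and the userinfo form both pass the prefix check and are both rejected by the strict validator; the rebinding resolver shows why the check is applied to the address the request will use, not just to the name.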
Why is this noteworthy?
VMware is one of the most common names in cloud computing and virtualization, and vulnerabilities in its various virtualization platforms and software affect a sizable subset of all organizations, technology-based or otherwise. The severity score of the vSphere Client vulnerability—CVSS 9.8—falls into the “critical” range, which means that it poses an extreme threat to any affected organization. This score is calculated with a large number of factors in mind, including the attack vector, attack complexity, required privileges, requirements to remediate, and impact on the CIA triad (confidentiality, integrity and availability), to name only a few. The remaining two vulnerabilities are at 8.8 (important) and 5.3 (moderate) on the CVSS scale, respectively.
What is the exposure?
The critical vulnerability in the vCenter Server plugin for the vSphere Client, which enables remote code execution, poses an immediate and grave risk to any affected system. An attacker who exploited it could execute code with unrestricted privileges, meaning almost any malicious action the attacker wanted to take would be possible. If a vCenter Server instance were compromised in this way, it could lead to the compromise of all virtual machines managed by that instance.
Meanwhile, exploitation of the ESXi vulnerability would have a more localized impact, as it is unlikely to affect as many virtual machines. The last vulnerability has a significantly less dangerous worst-case scenario: while it could result in the disclosure of information, it will not directly compromise machines.
What are the recommendations?
VMware released updates that remediate all of the issues listed within this article. VMware has provided within its own advisory both workarounds and the versions of the applications in which these vulnerabilities are remediated. VMware’s original advisory with this information can be found here:
[1] Hypertext Markup Language, version 5, a markup language used to structure and present web content.
[2] Service Location Protocol, which enables computers and other devices to find services in a local area network without prior configuration.
[3] Power on, self-test.