VMware Security Updates Address Information Disclosure Vulnerability

In the middle of last week VMware issued security updates for the following products:

VMware vCenter Server
VMware vCloud Director
VMware Horizon View

These updates address one information disclosure security vulnerability (CVE, defined). This vulnerability was responsibly disclosed (defined) by security researcher Matthias Kaiser from Code White.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability, which could be used to leak the contents of sensitive files on your network, this issue should be patched as soon as possible.

This issue occurs because the XML (defined) parser (a program that analyzes data in a structured manner in order to create meaning from it) contained within Apache Flex BlazeDS 4.7.0 (and earlier), when passed a specially crafted request parameter (a value to be placed into a program before it carries out a task), could be used to access the contents of a file on your network.

An example of the path (a means of locating/looking up a file starting from the root (beginning) of a file system and progressing towards the desired file) to such a file is shown on the final line of the first code snippet (paragraph) with the title “Disclosing /etc/passwd or other targeted files” of this article from OWASP.

Here, /etc/passwd is the password file of a Linux/Unix system that stores hashed (defined) user account credentials. Such an attack is called an XML External Entity (XXE) attack (defined). Most importantly, Code White, in a blog post discussing this issue, describes it as easy for an attacker to exploit.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

OWASP also list best practices to avoid XXE attacks in general with examples for many popular programming languages.

Thank you.
