VMware Security Updates Address Potential Man-in-the-Middle Attack

In the latter half of last week VMware released security updates for the following products:

  • vCenter Server v6.0 (prior to 6.0 U2)
  • vCenter Server 5.5 U3a – U3c
  • vCloud Director version 5.5.5 for Windows
  • vRealize Automation Identity Appliance version 6.2.4 for Linux
  • Client Integration Plugin for Apple Mac OS X and Windows

These updates resolve a potential man-in-the-middle attack (MiTM) that is caused by an error in how the VMware Client Integration Plugin handles session content. This issue was assigned the CVE number CVE-2016-2076.

Why Should This Issue Be Considered Important?
If an attacker were to successfully exploit this issue, it may lead to the disclosure of the information within the session between the client and the server (as a result of the man-in-the-middle attack). This issue could also result in the session between the client and the server being hijacked if the user of the vSphere Web Client were to visit a malicious website.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Please note that both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) and the client side (i.e. the Client Integration Plugin (CIP) of the vSphere Web Client) that communicate during a session must be separately updated to protect against this issue.

A step-by-step install checklist for performing these updates on the affected products is also provided in the above-mentioned advisory.

Thank you.
