Mike Kiev - Fotolia
How can VMware vulnerabilities in vSphere expose credentials?
Two VMware vulnerabilities in vSphere Data Protection were recently patched. Expert Judith Myerson explains how the flaws work and how to defend against them.
VMware has patched critical vulnerabilities in vSphere Data Protection. What caused these VMware vulnerabilities? Besides applying the patches, what else can be done to mitigate them?
VMware vSphere Data Protection (VDP) is a backup and recovery product that is deployed as a virtual appliance. It runs a Linux guest operating system and works with VMware vCenter Server.
Together, two VMware vulnerabilities in VDP could enable an unauthenticated attacker to execute commands on the virtual appliance. The main player points to VDP's Java deserialization vulnerability (CVE-2017-4914). This discovery is attributed to Tim Roberts, Arthur Chilipweli and Kelly Correll, security consultants at NTT Security.
Java deserialization is a technique many programming languages use to transport complex data over a network. At one end, this technique breaks down a Java object into a series of bytes. It reassembles them into the Java object at the other end.
When Java objects are not validated for their trustworthiness before they are deserialized, untrusted data may be introduced. To access the data that has been deserialized, the attacker would need to root the target system. After gaining escalated privileges, the attacker could exploit the reversible encryption vulnerability (CVE-2017-4917). Impacted VDP versions use reversible encryption to locally store credentials from vCenter Server, which makes these VMware vulnerabilities particularly dangerous.
One risk is that reversible encryption may show plaintext credentials. The attacker could use these credentials to remotely log in, change the code in the object and, in the worst scenario, launch a denial-of-service attack.
To prevent these VMware vulnerabilities, network administrators should:
- Apply proper VMware updates to VDP 6.1.x, 6.0.x, 5.8.x and 5.5.x. VDP 6.1.x has been replaced with VDP 6.1.4. The other versions have been replaced with VDP 6.0.5.
- Ensure trusted users have proper network access levels.
- Ensure Java programmers have the proper skills to avoid the Java deserialization issue.
- Audit Java objects to determine if they are safe to use.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Compare the versions of vSphere Data Protection to find which is best for your organization
Learn how to deal with capacity issues in VMware VDP
Find out what VMware vCenter Server can do for enterprises
Dig Deeper on Threats and vulnerabilities
Related Q&A from Judith Myerson
Site-to-site VPN security benefits and potential risks
Not every enterprise needs the functionality of a standard VPN client. A site-to-site VPN may be a better choice for some companies, but it's not ... Continue Reading
Should I worry about the Constrained Application Protocol?
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
How can I protect my self-encrypting drives?
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading