VMware fixed two critical vulnerabilities in its vSphere Data Protection solution this week that could have allowed an attacker to execute commands on the virtual appliance, among other outcomes.
The Department of Homeland Security’s CERT encouraged users and admins on Wednesday to apply the updates.
vSphere Data Protection is a backup solution for use in vSphere environments, and is usually run in tandem with VMware’s vCenter Server and vSphere Web Client.
According to a security advisory published Tuesday, the product suffers from a Java deserialization issue that could let a remote attacker execute commands. Tim Roberts, Arthur Chilipweli, and Kelly Correll, security consultants at NTT Security, uncovered the vulnerability, according to the advisory.
VMware also warned of a second vulnerability in VDP pertaining to how it stores credentials. According to the advisory, VDP stores credentials from vCenter Server using reversible encryption, which could allow plaintext credentials to be obtained.
While VMware didn’t go into detail on the vulnerability, reversible encryption carries one primary risk: if the key is ever compromised, the data it protects is compromised as well. Where reversible encryption is used, the corresponding key needs to be stored securely, protected from corruption, retrieved – and protected – during use, and periodically replaced.
Traditionally, using reversible encryption is not permissible unless the needs of the application outweigh the need to protect the information.
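The risk described above is easy to see in code: once credentials are stored reversibly, the ciphertext record is only as secret as the key, and anyone holding both recovers the plaintext. The following Python example is added here for illustration and is not VMware's code or anything from the advisory; it uses a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) purely so it runs without third-party packages, and shows the two controls the text calls for, keeping the key apart from the record and rotating it, with the constructed sample credential marked as such.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustrative construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so one master key is never reused for both."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt_credential(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Reversible by design: the caller must be
    able to present the live password to vCenter later, so hashing is not an option."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_credential(master_key: bytes, record: bytes) -> bytes:
    """Verify the tag first, then decrypt. A wrong key or a tampered record fails closed."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def rotate_key(old_key: bytes, new_key: bytes, record: bytes) -> bytes:
    """Periodic replacement: re-encrypt under the new key; the old key no longer opens it."""
    return encrypt_credential(new_key, decrypt_credential(old_key, record))


def demo() -> dict:
    # Constructed sample values; a real deployment would load the key from a secret
    # store or root-only file that is NOT stored beside the credential records.
    key_v1 = secrets.token_bytes(32)
    key_v2 = secrets.token_bytes(32)
    vcenter_password = b"constructed-sample-password"

    record = encrypt_credential(key_v1, vcenter_password)

    # Whoever holds key and record together gets the plaintext back: that is the risk.
    recovered_with_key = decrypt_credential(key_v1, record) == vcenter_password

    # Without the key, the record cannot be opened (tag check fails).
    try:
        decrypt_credential(key_v2, record)
        opens_without_key = True
    except ValueError:
        opens_without_key = False

    # After rotation the old key is useless even if it leaks later.
    rotated = rotate_key(key_v1, key_v2, record)
    try:
        decrypt_credential(key_v1, rotated)
        old_key_still_works = True
    except ValueError:
        old_key_still_works = False

    return {
        "recovered_with_key": recovered_with_key,
        "opens_without_key": opens_without_key,
        "old_key_still_works": old_key_still_works,
        "new_key_works": decrypt_credential(key_v2, rotated) == vcenter_password,
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaways are in `demo()`: the encrypted record itself is not the secret, the key is, so the key must live somewhere an attacker who reads the appliance's configuration store cannot also read, and "periodically replaced" means re-encrypting every stored record under the new key, after which the retired key can be destroyed.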
Marc Ströbel, a security consultant with HvS-Consulting, based in Germany, discovered the credential-storage vulnerability (CVE-2017-4917). Ströbel uncovered a similar critical issue in VDP in December. The solution was found to contain a private SSH key with a known password that was configured to allow key-based authentication. If exploited, the issue could have let an unauthorized remote attacker log into the appliance with root privileges.
The company is encouraging users running versions 6.1.x, 6.0.x, 5.8.x, and 5.5.x to update to the newest versions, 6.1.4, 6.0.5, 6.0.5, and 6.0.5 respectively, to address both the deserialization issue and the reversible encryption issue.
It’s the first time that VDP has received an update since that December SSH key issue, but the tenth time this year VMware has patched vulnerabilities in its products. The company last pushed patches three weeks ago for its Workstation software. Those vulnerabilities could have led to escalation of privileges to root or to a denial of service.