VMware has released a slew of patches that fix vulnerabilities in a number of its products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi. Some of the flaws can lead to authentication bypass or denial of service on affected products.
The most serious vulnerability is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploitable, the affected product must be deployed in an Active Directory environment, VMware said.
“vCenter Server when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled doesn’t properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account,” the advisory says.
“The issue is present on vCenter Server 5.1, 5.1a and 5.1b if AD anonymous LDAP binding is enabled. The issue is addressed in vCenter Server 5.1 Update 1 by removing the possibility to authenticate using blank passwords. This change in the authentication mechanism is present regardless if anonymous binding is enabled or not.”
There also is a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain privilege escalation. Exploiting the vulnerability requires some knowledge of the target user’s session, however.
“The VMware vSphere Web Client Server contains a vulnerability in the handling of session IDs. To exploit this vulnerability, an attacker must know a valid session ID of an authenticated user,” the VMware advisory says.
The vulnerability in ESX and ESXi is a flaw in hostd-vmdb that could allow an attacker to cause a denial-of-service condition. In order to exploit this flaw, an attacker would need to intercept and modify the management traffic. The company also updated a number of third-party libraries, including OpenSSL, in several of its products.