Category:   Application (Generic)  >   VMware vCenter Vendors:   VMware
VMware vCenter Server Bugs Let Remote Users Bypass Authentication and Remote Authenticated Users Upload Arbitrary Files and Execute Files on the Target System
SecurityTracker Alert ID:  1028475
SecurityTracker URL:  http://securitytracker.com/id/1028475
CVE Reference:   CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
Date:  Apr 26 2013
Impact:   Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): vCenter Server 5.1
Description:   Several vulnerabilities were reported in VMware vCenter Server 5.1. A remote user can bypass authentication. A remote authenticated user can upload arbitrary files. A remote authenticated user can execute files located on the target system.

When vCenter Server is deployed with Active Directory (AD) and anonymous LDAP binding is enabled on AD, a remote user can supply a valid username with a blank password and be authenticated as that user, even though the account requires a non-blank password [CVE-2013-3107].

A remote authenticated user with access to the Virtual Appliance Management Interface (VAMI) of a target vCenter Server Appliance (vCSA) can execute an existing file on the appliance with root privileges [CVE-2013-3079]. In the default vCSA configuration root is the only defined user, so VAMI authentication is limited to root.

A remote authenticated user on the VAMI web interface can upload files to arbitrary locations on the appliance, creating new files or overwriting existing ones [CVE-2013-3080]. Replacing certain files can result in a denial of service condition or code execution.

Impact:   A remote user can bypass authentication.

A remote authenticated user can upload arbitrary files.

A remote authenticated user can execute files located on the target system.

Solution:   The vendor has issued a fix (5.1 Update 1).

The vendor's advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2013-0006.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2013-0006.html
Cause:   Access control error, Authentication error

Message History:   None.


Source Message Contents

Subject:  [Security-announce] VMSA-2013-0006 VMware security updates for vCenter Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0006
Synopsis:    VMware security updates for vCenter Server
Issue date:  2013-04-25
Updated on:  2013-04-25 (initial advisory)
CVE number:  CVE-2013-3107, CVE-2013-3079, CVE-2013-3080
             --- tomcat --- 
             CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2012-2733,
             CVE-2012-4534, CVE-2012-3546, CVE-2012-4431            
             --- JRE --- 
             See references
- -----------------------------------------------------------------------

1. Summary

   VMware has updated vCenter Server Appliance (vCSA) and vCenter 
   Server running on Windows to address multiple security 
   vulnerabilities.  

2. Relevant releases

   vCenter Server 5.1 without Update 1

3. Problem Description

   a. vCenter Server AD anonymous LDAP binding credential bypass


      vCenter Server when deployed in an environment that uses 
      Active Directory (AD) with anonymous LDAP binding enabled
      doesn't properly handle login credentials. In this
      environment, authenticating to vCenter Server with a valid
      user name and a blank password may be successful even if 
      a non-blank password is required for the account. 

      The issue is present on vCenter Server 5.1, 5.1a and 5.1b
      if AD anonymous LDAP binding is enabled. The issue is 
      addressed in vCenter Server 5.1 Update 1 by removing the
      possibility to authenticate using blank passwords. This
      change in the authentication mechanism is present 
      regardless if anonymous binding is enabled or not.

      Workaround
      The workaround is to discontinue the use of AD anonymous
      LDAP binding if it is enabled in your environment. AD
      anonymous LDAP binding is not enabled by default. The TechNet
      article listed in the references section explains how to
      check for anonymous binding (search the article for "anonymous
      binding": it is enabled if the seventh character of the
      dsHeuristics attribute is set to 2).


      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3107 to this issue. 
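The following is an added example, not VMware's code, illustrating the failure mode described in 3a and its two remedies: a login routine that treats a successful LDAP simple bind as proof of the password (which, as the advisory describes, accepts a valid user name with a blank password when AD anonymous binding is enabled), the 5.1 Update 1 behaviour of refusing blank passwords before any bind is attempted, and the workaround check on the dsHeuristics attribute. The directory, base DN, user names and passwords are constructed stand-ins; no real LDAP server is contacted.

```python
"""Added example (not VMware's code): CVE-2013-3107 style blank-password
acceptance, the blank-password refusal 5.1 Update 1 introduces, and the
dsHeuristics workaround check. All directory data here is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

BASE_DN = "CN=Users,DC=corp,DC=example"        # assumed naming context


def ad_anonymous_binding_enabled(ds_heuristics: Optional[str]) -> bool:
    """Workaround check from the TechNet article the advisory cites.

    dsHeuristics is a character string on
    CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>.
    Its seventh character (fLDAPBlockAnonOps) set to '2' enables anonymous
    LDAP operations beyond rootDSE. Absent or shorter than seven characters
    means the default, which is disabled."""
    if not ds_heuristics or len(ds_heuristics) < 7:
        return False
    return ds_heuristics[6] == "2"


@dataclass
class FakeDirectory:
    """Stand-in for a domain controller's simple-bind behaviour.

    A simple bind carrying a DN and an empty password is an
    'unauthenticated bind' (RFC 4513 section 5.1.2). As the advisory
    describes, a directory that allows anonymous binding answers such a
    bind with success without checking any password at all."""
    passwords: Dict[str, str] = field(default_factory=dict)   # DN -> password
    allow_anonymous: bool = False

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return self.allow_anonymous        # unauthenticated bind
        return self.passwords.get(dn) == password


def user_dn(username: str) -> str:
    return f"CN={username},{BASE_DN}"


def vulnerable_login(directory: FakeDirectory, username: str, password: str) -> bool:
    """Pre-5.1U1 pattern: bind success is taken as proof of the password."""
    return directory.simple_bind(user_dn(username), password)


def hardened_login(directory: FakeDirectory, username: str, password: str) -> bool:
    """5.1U1 behaviour as the advisory describes it: a blank password never
    reaches the directory, so the outcome no longer depends on whether AD
    anonymous binding happens to be enabled."""
    if password is None or password == "":
        return False
    return directory.simple_bind(user_dn(username), password)


if __name__ == "__main__":
    dc = FakeDirectory({user_dn("alice"): "S3cret!"}, allow_anonymous=True)
    print("vulnerable, blank password:", vulnerable_login(dc, "alice", ""))
    print("hardened,   blank password:", hardened_login(dc, "alice", ""))
    print("anonymous binding enabled? ", ad_anonymous_binding_enabled("0000002"))
```

On a domain controller the attribute the check reads can be fetched with the Active Directory PowerShell module, for example `Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" -Properties dsHeuristics`; the value is empty in an unmodified forest.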

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware            Product  Running  Replace with/
        Product           Version  on       Apply Patch
        ===============   =======  =======  =================
        vCenter Server    5.1      Any      5.1 Update 1
        vCenter Server    5.0      Any      not applicable
        vCenter Server    4.1      Windows  not applicable
        vCenter Server    4.0      Windows  not applicable
        VirtualCenter     2.5      Windows  not applicable

   b. vCenter Server Appliance arbitrary file execution


      The vCenter Server Appliance (vCSA) contains a remote code
      execution vulnerability. An authenticated attacker with access
      to the Virtual Appliance Management Interface (VAMI) may run
      an existing file as root. In the default vCSA setup,
      authentication to vCSA is limited to root since root
      is the only defined user.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3079 to this issue. 

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware            Product  Running  Replace with/
        Product           Version  on       Apply Patch
        ===============   =======  =======  =================
        vCSA              5.1      Linux    5.1 Update 1
        vCSA              5.0      Linux    not affected

   c. vCenter Server Appliance arbitrary file upload

      The vCenter Server Appliance (vCSA) VAMI web interface 
      contains a vulnerability that allows an authenticated remote
      attacker to upload files to an arbitrary location creating new
      files or overwriting existing files. Replacing certain files
      may result in a denial of service condition or code execution.
      In the default vCSA setup, authentication to vCSA is limited to
      root since root is the only defined user.


      The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
      assigned the name CVE-2013-3080 to this issue. 
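The advisory does not describe how VAMI implements the two operations in 3b and 3c, so the following is an added, generic illustration rather than VMware's code: the defect classes behind "run an existing file as root" (an endpoint that executes whatever path the client names) and "upload files to an arbitrary location" (an endpoint that writes where the client says), each beside a hardened form. The upload root, action names and argv values are assumptions for illustration.

```python
"""Added example, not VMware's VAMI code: the generic defect classes behind
CVE-2013-3079 (client-chosen file executed as root) and CVE-2013-3080
(client-chosen upload destination), with hardened counterparts. Paths and
action names below are assumed for illustration."""
import os
import tempfile
from pathlib import PurePosixPath

UPLOAD_ROOT = "/var/lib/vami/uploads"          # assumed, not from the advisory


def vulnerable_command(client_path: str) -> list:
    """3b-style defect: the service runs whatever existing file the client
    names, with the service's own privileges (root on the appliance)."""
    return [client_path]                        # e.g. "/bin/sh"


ALLOWED_ACTIONS = {                             # hypothetical action names
    "restart-vpxd": ["/sbin/service", "vmware-vpxd", "restart"],
    "rotate-logs":  ["/usr/sbin/logrotate", "/etc/logrotate.conf"],
}


def hardened_command(action: str) -> list:
    """Clients pick a named action; argv is fixed server-side and no
    client-supplied path is ever executed."""
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise PermissionError(f"action not permitted: {action!r}")
    return list(argv)


def vulnerable_upload_path(client_path: str, root: str = UPLOAD_ROOT) -> str:
    """3c-style defect: os.path.join drops the root when the client sends an
    absolute path, and normpath resolves '..', so the write lands anywhere."""
    return os.path.normpath(os.path.join(root, client_path))


def safe_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Keep only a bare file name, then prove the result stays under root."""
    name = PurePosixPath(client_name).name
    if not name or name in {".", ".."} or name != client_name:
        raise ValueError(f"rejected upload name: {client_name!r}")
    root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"escapes upload root: {client_name!r}")
    return dest


def write_upload(dest: str, data: bytes) -> None:
    """Create-only write: O_EXCL refuses to clobber an existing file, so an
    upload can never overwrite something already on the appliance."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def overwrite_refused() -> bool:
    """Offline self-check: True if a second upload of the same name is refused."""
    with tempfile.TemporaryDirectory() as root:
        dest = safe_upload_path("vami-config.tgz", root)
        write_upload(dest, b"constructed payload")
        try:
            write_upload(dest, b"second attempt")
        except FileExistsError:
            return True
        return False


def rejects(fn, arg) -> bool:
    """True if fn(arg) refuses the input by raising (used in self-checks)."""
    try:
        fn(arg)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_upload_path("../../../../etc/shadow"))
    print("hardened rejects traversal:", rejects(safe_upload_path, "../../etc/shadow"))
    print("hardened rejects /bin/sh:  ", rejects(hardened_command, "/bin/sh"))
    print("overwrite refused:         ", overwrite_refused())
```

The two hardened functions show the general rule for a management interface running as root: the client may only choose among server-defined names (an action, a bare file name), never a path; and file creation should be exclusive so that "upload" cannot become "replace".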

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available. 


        VMware            Product  Running  Replace with/
        Product           Version  on       Apply Patch
        ===============   =======  =======  =================
        vCSA              5.1      Linux    5.1 Update 1
        vCSA              5.0      Linux    not affected


   d. vCenter, Update Manager, Oracle (Sun) JRE update 1.6.0_37
      
      Oracle (Sun) JRE is updated to version 1.6.0_37, which addresses
      multiple security issues that existed in earlier releases of
      Oracle (Sun) JRE. 

      Oracle has documented the CVE identifiers that are addressed
      in JRE 1.6.0_37 in the Oracle Java SE Critical Patch Update
      Advisory of October 2012. The References section provides a
      link to this advisory. 

      Column 4 of the following table lists the action required to 
      remediate the vulnerability in each release, if a solution is
      available. 

        VMware            Product  Running  Replace with/
        Product           Version  on       Apply Patch
        ===============   =======  =======  =================
        vCenter Server    5.1      Windows  5.1 Update 1
        vCenter Server    5.0      Windows  patch pending
        vCenter Server    4.1      Windows  patch pending
        vCenter Server    4.0      Windows  not applicable **
        VirtualCenter     2.5      Windows  not applicable **

        Update Manager    5.1      Windows  5.1 Update 1
        Update Manager    5.0      Windows  patch pending
        Update Manager    4.1      Windows  not applicable **
        Update Manager    4.0      Windows  not applicable **

        hosted *          any      any      not affected

        ESXi              any      ESXi     not applicable

        ESX               4.1      ESX      patch pending
        ESX               4.0      ESX      not applicable **
        ESX               3.5      ESX      not applicable **

        * hosted products are VMware Workstation, Player, ACE, Fusion.

        ** this product uses the Oracle (Sun) JRE 1.5.0 family


   e. vCenter Server tc-server 2.8.1 / Apache Tomcat 6.0.36 update

      tc-server has been updated to version 2.8.1 to address multiple
      security issues. This version of tc-server includes Apache 
      Tomcat 6.0.36 

      The Common Vulnerabilities and Exposures project (cve.mitre.org) 
      has assigned the names CVE-2012-5885, CVE-2012-5886, CVE-2012-5887,
      CVE-2012-2733, CVE-2012-4534, CVE-2012-3546 and CVE-2012-4431
      to these issues. 

        VMware            Product  Running  Replace with/
        Product           Version  on       Apply Patch
        ===============   =======  =======  =================
        vCenter Server    5.1      Any      5.1 Update 1 *
        vCenter Server    5.0      Any      not affected
        vCenter Server    4.1      Windows  not affected
        vCenter Server    4.0      Windows  not affected
        VirtualCenter     2.5      Windows  not applicable ***

        hosted **         any      any      not affected

        ESXi              any      ESXi     not applicable

        ESX               4.1      ESX      not affected
        ESX               4.0      ESX      not affected
        ESX               3.5      ESX      not applicable ***

      * Only CVE-2012-2733 and CVE-2012-4534 affect vCenter Server 5.1

      ** hosted products are VMware Workstation, Player, ACE, Fusion.

      *** this product uses the Apache Tomcat 5.5 family

4. Solution

   vCenter Server 5.1 Update 1
   ---------------------------
   Download link:
   https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   Release Notes:
   http://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-51u1-release-notes.html

   
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3107
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3079
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3080

   --------- jre ---------
   Oracle Java SE Critical Patch Update Advisory of October 2012
   http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

   --------- tomcat --------- 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5885
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5886
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5887
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2733
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4534
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3546
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4431

   TechNet: How Active Directory Searches Work
   http://technet.microsoft.com/en-us/library/cc755809.aspx


- -----------------------------------------------------------------------

6. Change log

   2013-04-25 VMSA-2013-0006
   Initial security advisory in conjunction with the release of VMware
   vSphere 5.1 Update 1 on 2013-04-25.

- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
   
   This Security Advisory is posted to the following lists:
   
     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk
   
   E-mail:  security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055
   
   VMware Security Advisories
   http://www.vmware.com/security/advisories
   
   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html
   
   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html
   
   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html
   
   Copyright 2013 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFRefQMDEcm8Vbi9kMRArsrAKDpmD9oJi0iI7MkwlLOFdrGflvREwCeLOFM
mloJec6I1NPI2F/zNHnADJE=
=r5e8
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
 
 

