ESB-2017.2875 - [Win][UNIX/Linux][Virtual] VMware vCenter Server: Multiple vulnerabilities 2017-11-13



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2875
         VMSA-2017-0017 VMware vCenter Server update resolves LDAP
                    DoS, SSRF and CRLF injection issues
                             13 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   VMware ESX Server
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-4929 CVE-2017-4928 CVE-2017-4927

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2017-0017.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2017-0017
VMware vCenter Server update resolves LDAP DoS, SSRF and CRLF injection issues
VMware Security Advisory
 
Advisory ID:
VMSA-2017-0017

Severity:
Moderate

Synopsis:
VMware vCenter Server update resolves LDAP DoS, SSRF and CRLF injection issues

Issue date:
2017-11-09

Updated on:
2017-11-09 (Initial Advisory)

CVE numbers:
CVE-2017-4927, CVE-2017-4928
 
1. Summary

VMware vCenter Server update resolves LDAP DoS, SSRF and CRLF injection issues

2. Relevant Products

    VMware vCenter Server

3. Problem Description

a. VMware vCenter Server LDAP Denial of Service (DoS).

VMware vCenter Server doesn't correctly handle specially crafted LDAP network
packets which may allow for remote DoS.

VMware would like to thank Honggang Ren of Fortinet's FortiGuard Labs for 
reporting this issue to us.   

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the identifier CVE-2017-4927 to this issue.

Column 5 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround
vCenter Server   6.5               Any          Moderate   6.5 U1                     None
vCenter Server   6.0               Any          Moderate   6.0 U3c                    None
vCenter Server   5.5               Any          N/A        Not affected               N/A
 
b. SSRF and CRLF injection issues in vSphere Web client

The Flash-based vSphere Web Client (i.e. not the new HTML5-based vSphere 
Client) contains server side request forgery (SSRF) and CRLF injection issues
due to improper neutralization of URLs. An attacker may exploit these issues by
sending a POST request with modified headers towards internal services leading
to information disclosure.     
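The root cause named above is improper neutralization of URLs and header values before a server-side component forwards a request. The following is an added illustration of that check from the defender's side; it is not VMware code, and the allowlisted hostname, the header names and the sample URLs are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only upstream the forwarding component may call.
ALLOWED_HOSTS = {"vc-api.example.internal"}

# CR, LF and other control characters: any of these in a URL or header value
# can split one request into extra header lines (CRLF injection).
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_header_value(value: str) -> str:
    """Return the header value unchanged if it cannot inject extra lines."""
    if _CTRL.search(value):
        raise ValueError("control character in header value")
    return value


def is_internal_address(host: str) -> bool:
    """True when host is a literal IP in a private, loopback, link-local or reserved range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal; checked against the allowlist instead
    return not ip.is_global


def neutralize_url(url: str) -> str:
    """Return url unchanged if it is safe to forward server-side, else raise ValueError."""
    if _CTRL.search(url):          # check before parsing: urlsplit silently drops some of these
        raise ValueError("control character in URL")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if is_internal_address(host):  # literal 10.x / 127.x / 169.254.x / ::1 targets
        raise ValueError("literal internal address")
    if host not in ALLOWED_HOSTS:  # everything else must be an approved upstream
        raise ValueError("host not in allowlist")
    return url


def is_forwardable(url: str, headers: dict) -> bool:
    """Combined SSRF + CRLF gate for one outbound request built from client input."""
    try:
        neutralize_url(url)
        for value in headers.values():
            neutralize_header_value(value)
    except ValueError:
        return False
    return True
```

The allowlist check does not cover an approved hostname that later resolves to an internal address; resolving the name and re-running is_internal_address on the result closes that gap.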

VMware would like to thank ricterzheng @ Tencent Yunding Lab for reporting this
issue to us. 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2017-4928 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product   Product Version   Running on   Severity   Replace with/Apply Patch   Workaround
vCenter Server   6.5               Any          N/A        Not affected               N/A
vCenter Server   6.0               Any          Moderate   6.0 U3c                    None
vCenter Server   5.5               Any          Moderate   5.5 U3f                    None

4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

VMware vCenter Server 6.5 U1

Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U1&productId=614&rPId=17343

Documentation:
https://docs.vmware.com/en/VMware-vSphere/index.html

VMware vCenter Server 6.0 U3c

Downloads:
https://my.vmware.com/web/vmware/details?productId=491&downloadGroup=VC60U3

Documentation:         
https://docs.vmware.com/en/VMware-vSphere/index.html

VMware vCenter Server 5.5 U3f

Downloads:
https://my.vmware.com/web/vmware/details?productId=353&downloadGroup=VC55U3F

Documentation:  
https://docs.vmware.com/en/VMware-vSphere/index.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4927 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4928 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4929 

6. Change log

2017-11-09 VMSA-2017-0017
Initial security advisory in conjunction with the release of vCenter Server 6.0
U3c on 2017-11-09.

7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
 
E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
