-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1846
          VMware VIX API VM Direct Access Function security issue
                               28 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware VIX API
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2017-4919

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2017-0012.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMSA-2017-0012
VMware VIX API VM Direct Access Function security issue

VMware Security Advisory

Advisory ID: VMSA-2017-0012
Severity:    Important
Synopsis:    VMware VIX API VM Direct Access Function security issue
Issue date:  2017-07-27
Updated on:  2017-07-27 (Initial Advisory)
CVE numbers: CVE-2017-4919

1. Summary

   VMware VIX API allows for direct access to Guest Operating Systems
   (Guest OSs) by vSphere users with limited privileges.

2. Relevant Products

   VMware vCenter Server

3. Problem Description

   VMware VIX API VM Direct Access Function security issue

   The VMware VIX API has a functionality that allows for direct access to
   Guest OSs which is used by VMware Site Recovery Manager, VMware Update
   Manager, and VMware Infrastructure Navigator to manage Guest OSs. This
   functionality may be used by vSphere users with limited privileges to
   access a Guest OS without the need to authenticate.
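   An added audit helper, not part of the advisory or of any VMware tool,
   that checks an exported set of vCenter roles and permission assignments
   against the advisory's precondition: a limited-privilege principal
   holding all three of the privileges the advisory lists next. The role
   names, principals and the sample export are constructed for illustration.

```python
from typing import Dict, Iterable, List, Set, Tuple

# The three privileges the advisory names as jointly sufficient for direct
# guest access, spelled as the vSphere client displays them.
VIX_DIRECT_ACCESS_PRIVS = frozenset({
    "Virtual Machine -> Configuration -> Advanced",
    "Virtual Machine -> Interaction -> Guest Operating System Management by VIX API",
    "Host -> Configuration -> Advanced Settings",
})

# Roles the advisory treats as fully privileged; its workaround is not aimed at them.
FULLY_PRIVILEGED_ROLES = frozenset({"Administrator"})


def roles_granting_vix_direct_access(roles: Dict[str, Set[str]]) -> List[str]:
    """Names of roles whose privilege set contains all three privileges."""
    return sorted(name for name, privs in roles.items()
                  if VIX_DIRECT_ACCESS_PRIVS <= set(privs))


def missing_for_direct_access(privs: Iterable[str]) -> Set[str]:
    """The subset of the three privileges a role still lacks (empty == exposed)."""
    return set(VIX_DIRECT_ACCESS_PRIVS) - set(privs)


def exposed_assignments(roles: Dict[str, Set[str]],
                        permissions: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """(principal, role, object) rows where a limited-privilege principal holds an
    exposed role.  `permissions` mirrors vCenter's Permissions view: one
    (principal, role, inventory object) row per assignment."""
    exposed = set(roles_granting_vix_direct_access(roles)) - FULLY_PRIVILEGED_ROLES
    return sorted(row for row in permissions if row[1] in exposed)


# Constructed sample export; the role and principal names are hypothetical.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "Administrator": set(VIX_DIRECT_ACCESS_PRIVS) | {"Global -> Settings"},
    "VM Operator": {"Virtual Machine -> Interaction -> Power On",
                    "Virtual Machine -> Interaction -> Guest Operating System Management by VIX API"},
    # A service-account role built for patching that accumulated the whole triple.
    "Patch Operator": set(VIX_DIRECT_ACCESS_PRIVS) | {"Datastore -> Browse Datastore"},
}
SAMPLE_PERMISSIONS = [
    ("VSPHERE.LOCAL\\Administrator", "Administrator", "Datacenters"),
    ("CORP\\svc-patching", "Patch Operator", "Datacenters"),
    ("CORP\\helpdesk", "VM Operator", "Datacenters/Prod"),
]

if __name__ == "__main__":
    for principal, role, obj in exposed_assignments(SAMPLE_ROLES, SAMPLE_PERMISSIONS):
        print(f"review: {principal} holds '{role}' on {obj}; "
              f"role carries all three VIX direct-access privileges")
```

   Feed it the role and permission export from your own vCenter; any row it
   prints is a candidate for the KB 2151027 workaround or for trimming the
   role.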
   In order for vSphere users with limited privileges to use this
   functionality, they would need to have all three of the following
   privileges:

     - Virtual Machine -> Configuration -> Advanced
     - Virtual Machine -> Interaction -> Guest Operating System Management
       by VIX API
     - Host -> Configuration -> Advanced Settings

   Workaround

   Workarounds that remove the direct access to Guest OSs by vSphere users
   with limited privileges are listed in VMware Knowledge Base article
   2151027. These workarounds are not relevant for vSphere users that are
   fully privileged. Typically they already have alternate ways to access
   Guest OSs.

   VMware would like to thank Ofri Ziv and Itamar Tal of Guardicore for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4919 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware          Product  Running  Severity   Replace with/  Mitigation/
   Product         Version  on                  Apply Patch    Workaround
   ========================================================================
   vCenter Server  6.5      Any      Important  N/A            KB 2151027
   vCenter Server  6.0      Any      Important  N/A            KB 2151027
   vCenter Server  5.5      Any      Important  N/A            KB 2151027

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   Apply the workaround listed in VMware Knowledge Base article 2151027.

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4919

   VMware Knowledge Base article 2151027
   https://kb.vmware.com/kb/2151027

6. Change log

   2017-07-27 VMSA-2017-0012
   Initial security advisory providing a workaround on 2017-07-27.

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information
is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================