How can VMware vulnerabilities in vSphere expose credentials?

Two VMware vulnerabilities in vSphere Data Protection were recently patched. Expert Judith Myerson explains how the flaws work and how to defend against them.

VMware has patched critical vulnerabilities in vSphere Data Protection. What caused these VMware vulnerabilities? Besides applying the patches, what else can be done to mitigate them?

VMware vSphere Data Protection (VDP) is a backup and recovery product that is deployed as a virtual appliance. It runs a Linux guest operating system and works with VMware vCenter Server.

Together, two VMware vulnerabilities in VDP could enable an unauthenticated attacker to execute commands on the virtual appliance. The primary flaw is VDP's Java deserialization vulnerability (CVE-2017-4914). Its discovery is credited to Tim Roberts, Arthur Chilipweli and Kelly Correll, security consultants at NTT Security.

Serialization is a technique many programming languages use to transport complex data over a network. At one end, a Java object is broken down into a series of bytes; at the other end, deserialization reassembles those bytes into the Java object.

When serialized Java objects are not checked for trustworthiness before they are deserialized, untrusted data may be introduced into the application. To access the data that has been deserialized, the attacker would need to root the target system. After gaining escalated privileges, the attacker could exploit the reversible encryption vulnerability (CVE-2017-4917): affected VDP versions use reversible encryption to store vCenter Server credentials locally, which is what makes the pair of VMware vulnerabilities particularly dangerous.

One risk is that reversible encryption can be undone to reveal plaintext credentials. The attacker could use these credentials to log in remotely, alter the code in the deserialized object and, in the worst case, launch a denial-of-service attack.

To prevent these VMware vulnerabilities, network administrators should:

  • Apply proper VMware updates to VDP 6.1.x, 6.0.x, 5.8.x and 5.5.x. VDP 6.1.x has been replaced with VDP 6.1.4. The other versions have been replaced with VDP 6.0.5.
  • Ensure trusted users have proper network access levels.
  • Ensure Java programmers have the proper skills to avoid the Java deserialization issue.
  • Audit Java objects to determine if they are safe to use.
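As an added illustration of the last two points (this is example code, not code from the article, VMware or VDP), the Java 9+ snippet below places the unfiltered pattern behind deserialization flaws next to its hardened form: an ObjectInputFilter attached to the stream restricts deserialization to an allowlist of expected classes, so a payload naming any other class is rejected before that class is instantiated. The class name, allowlist contents and sample payloads are constructed for the example.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserializer {
    // Only the classes this code path legitimately expects to read back (constructed example set).
    private static final Set<String> ALLOWED = Set.of(
        "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number");
    private static final int MAX_DEPTH = 8;   // also bound object nesting against resource-exhaustion payloads

    // Consulted by ObjectInputStream for every class descriptor before that class's readObject runs.
    static ObjectInputFilter allowlistFilter() {
        return info -> {
            if (info.depth() > MAX_DEPTH) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // back-reference or size check: no class to judge
            while (c.isArray()) c = c.getComponentType();                // judge arrays by their element type
            if (c.isPrimitive() || ALLOWED.contains(c.getName())) return ObjectInputFilter.Status.ALLOWED;
            return ObjectInputFilter.Status.REJECTED;                    // anything else is never instantiated
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable shape: whatever class the bytes name is instantiated and its readObject executed.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened shape: the allowlist filter is attached before the first readObject call.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlistFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new HashMap<>(Map.of("retention_days", 30)));  // constructed sample payload
        System.out.println("accepted: " + deserializeFiltered(expected));
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));  // harmless class, but not on the allowlist
        System.out.println("unfiltered stream returned: " + deserializeUnfiltered(unexpected));
        try { deserializeFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered stream rejected it: " + e.getMessage()); }
    }
}
```

Compile and run with any JDK 9 or later; the same filter can be applied process-wide through the jdk.serialFilter system property when individual streams cannot be changed.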


This was last published in August 2017
