VMware has patched critical vulnerabilities in vSphere Data Protection. What caused these VMware vulnerabilities?...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Besides applying the patches, what else can be done to mitigate them?
VMware vSphere Data Protection (VDP) is a backup and recovery product that is deployed as a virtual appliance. It runs a Linux guest operating system and works with VMware vCenter Server.
Together, two VMware vulnerabilities in VDP could enable an unauthenticated attacker to execute commands on the virtual appliance. The main player points to VDP's Java deserialization vulnerability (CVE-2017-4914). This discovery is attributed to Tim Roberts, Arthur Chilipweli and Kelly Correll, security consultants at NTT Security.
Java deserialization is a technique many programming languages use to transport complex data over a network. At one end, this technique breaks down a Java object into a series of bytes. It reassembles them into the Java object at the other end.
When Java objects are not validated for their trustworthiness before they are deserialized, untrusted data may be introduced. To access the data that has been deserialized, the attacker would need to root the target system. After gaining escalated privileges, the attacker could exploit the reversible encryption vulnerability (CVE-2017-4917). Impacted VDP versions use reversible encryption to locally store credentials from vCenter Server, which makes these VMware vulnerabilities particularly dangerous.
One risk is that reversible encryption may show plaintext credentials. The attacker could use these credentials to remotely log in, change the code in the object and, in the worst scenario, launch a denial-of-service attack.
To prevent these VMware vulnerabilities, network administrators should:
- Apply proper VMware updates to VDP 6.1.x, 6.0.x, 5.8.x and 5.5.x. VDP 6.1.x has been replaced with VDP 6.1.4. The other versions have been replaced with VDP 6.0.5.
- Ensure trusted users have proper network access levels.
- Ensure Java programmers have the proper skills to avoid the Java deserialization issue.
- Audit Java objects to determine if they are safe to use.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Compare the versions of vSphere Data Protection to find which is best for your organization
Learn how to deal with capacity issues in VMware VDP
Find out what VMware vCenter Server can do for enterprises
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
Knowing what ransomware recovery methods are available is important as the threat continues to grow. Expert Judith Myerson outlines what the NIST ...continue reading
QNAP vulnerabilities in NAS enabled attackers to control devices. Expert Judith Myerson explains each of the QNAP NAS vulnerabilities and their fixes.continue reading
A vulnerability in Rufus software put some enterprise systems at risk. Expert Judith Myerson explains the flaw and the available fixes for ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.