Mike Kiev - Fotolia
VMware has patched critical vulnerabilities in vSphere Data Protection. What caused these VMware vulnerabilities? Besides applying the patches, what else can be done to mitigate them?
VMware vSphere Data Protection (VDP) is a backup and recovery product that is deployed as a virtual appliance. It runs a Linux guest operating system and works with VMware vCenter Server.
Together, two VMware vulnerabilities in VDP could enable an unauthenticated attacker to execute commands on the virtual appliance. The main player points to VDP's Java deserialization vulnerability (CVE-2017-4914). This discovery is attributed to Tim Roberts, Arthur Chilipweli and Kelly Correll, security consultants at NTT Security.
Java deserialization is a technique many programming languages use to transport complex data over a network. At one end, this technique breaks down a Java object into a series of bytes. It reassembles them into the Java object at the other end.
When Java objects are not validated for their trustworthiness before they are deserialized, untrusted data may be introduced. To access the data that has been deserialized, the attacker would need to root the target system. After gaining escalated privileges, the attacker could exploit the reversible encryption vulnerability (CVE-2017-4917). Impacted VDP versions use reversible encryption to locally store credentials from vCenter Server, which makes these VMware vulnerabilities particularly dangerous.
One risk is that reversible encryption may show plaintext credentials. The attacker could use these credentials to remotely log in, change the code in the object and, in the worst scenario, launch a denial-of-service attack.
To prevent these VMware vulnerabilities, network administrators should:
- Apply proper VMware updates to VDP 6.1.x, 6.0.x, 5.8.x and 5.5.x. VDP 6.1.x has been replaced with VDP 6.1.4. The other versions have been replaced with VDP 6.0.5.
- Ensure trusted users have proper network access levels.
- Ensure Java programmers have the proper skills to avoid the Java deserialization issue.
- Audit Java objects to determine if they are safe to use.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Compare the versions of vSphere Data Protection to find which is best for your organization
Learn how to deal with capacity issues in VMware VDP
Find out what VMware vCenter Server can do for enterprises
Dig Deeper on Emerging cyberattacks and threats
Related Q&A from Judith Myerson
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.