Seriously, VMware? Two bugs in the week before Christmas?
Virtzilla fixes known password for vSphere Data Protection, XSS SNAFU in ESX and buys bits of SDN outfit PLUMgrid too
Bah humbug! VMware's just revealed two nasty bugs that it recommends you fix at your earliest convenience.
VMSA-2016-0024 is rated critical because vSphere Data Protection (VDP) turns out to contain “a private SSH key with a known password that is configured to allow key-based authentication.”
And what can an attacker do with that password? Why, “log into the appliance with root privileges,” of course. VDP versions 5.5 through 6.1 have the problem, which can be addressed using the procedure detailed here.
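A defender's first question after an advisory like this is whether an appliance would actually honour a key-based root login. The check below is an added example, not VMware's code or the VDP fix procedure: it reads an sshd_config and root's authorized_keys, works out the effective PermitRootLogin value, and lists the keys that would grant root. The sample config and key file are constructed for the demo (the key body is a placeholder, not a real key), and treating a missing PermitRootLogin directive as "yes" is an assumption based on OpenSSH's historical default.

```python
"""Added example (not VMware's code): audit whether a Linux appliance would
accept key-based SSH login as root, and which keys would grant it."""
import re

# A real key line: not blank, not a comment.
KEY_LINE = re.compile(r"^\s*(?!#)\S")


def effective_permit_root_login(sshd_config: str) -> str:
    """Return the last uncommented PermitRootLogin value.

    Assumption: an absent directive is treated as "yes" (OpenSSH's historical
    default). Caveat: Match blocks can override the global value and are not
    parsed here, so review them by hand if present."""
    value = "yes"
    for line in sshd_config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            value = parts[1].lower()
    return value


def root_keys(authorized_keys: str) -> list:
    """Return (first_field, comment) for every real key line.

    first_field is normally the key type (or the options string when the
    line carries options); comment is whatever follows the key body."""
    keys = []
    for line in authorized_keys.splitlines():
        if not KEY_LINE.match(line):
            continue
        parts = line.split()
        keys.append((parts[0], " ".join(parts[2:])))
    return keys


def audit_root_ssh_keys(sshd_config: str, authorized_keys: str) -> dict:
    """Combine both inputs: root is at risk when sshd permits root login in
    any form other than "no" AND at least one key is installed for root."""
    permit = effective_permit_root_login(sshd_config)
    keys = root_keys(authorized_keys)
    return {
        "permit_root_login": permit,
        "keys": keys,
        "at_risk": permit != "no" and len(keys) > 0,
    }


# Constructed samples for the demo, not taken from a real appliance.
WEAK_SSHD_CONFIG = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n"
HARDENED_SSHD_CONFIG = "Port 22\nPermitRootLogin no\n"
ROOT_AUTHORIZED_KEYS = (
    "# keys for root\n"
    "\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedPLACEHOLDER vendor-appliance-key\n"
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_root_ssh_keys(cfg, ROOT_AUTHORIZED_KEYS)
        print(f"{label}: PermitRootLogin={result['permit_root_login']} "
              f"keys={result['keys']} at_risk={result['at_risk']}")
```

In practice you would feed it the contents of `/etc/ssh/sshd_config` and `/root/.ssh/authorized_keys` from the appliance; any key whose comment you do not recognise as yours is the one to remove or rotate, and setting PermitRootLogin to `no` closes the door regardless of which keys are present.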
VMSA-2016-0023 is rated important. VMware describes it as follows:
The ESXi Host Client contains a vulnerability that may allow for stored cross-site scripting (XSS). The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM. The issue may be triggered on the system from where ESXi Host Client is used to manage the specially crafted VM.
Virtzilla “advises not to import VMs from untrusted sources” until you fix it. Which you need to do if running ESXi versions 5.5 and 6.0.
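The advisory's scenario is a stored XSS: metadata carried in an imported VM is later rendered by the management client in the administrator's browser. The snippet below is an added example, not VMware's code and not the actual Host Client fix; it shows the general defect class and its remedy with a VM name as the untrusted field. `vm_row_unsafe` interpolates the raw value into markup, `vm_row_safe` encodes it first, and `cell_contains_markup` is a small check you could run over rendered fragments. The crafted VM record is a constructed sample.

```python
"""Added example (not VMware's code): rendering attacker-controlled VM
metadata in a web management client, vulnerable form beside hardened form."""
import html
import re

# Pull the contents of each <td> out of a rendered row.
CELL = re.compile(r"<td>(.*?)</td>", re.S)
# A raw tag start inside cell content is markup the template did not put there.
TAG_START = re.compile(r"<[A-Za-z]")


def vm_row_unsafe(vm: dict) -> str:
    """Vulnerable: whatever the imported VM carries in its name becomes markup."""
    return f"<tr><td>{vm['name']}</td><td>{vm['guest_os']}</td></tr>"


def vm_row_safe(vm: dict) -> str:
    """Hardened: html.escape encodes <, >, & and both quote characters
    before the value touches the page, so the browser shows it as text."""
    return (f"<tr><td>{html.escape(vm['name'])}</td>"
            f"<td>{html.escape(vm['guest_os'])}</td></tr>")


def cell_contains_markup(row: str) -> bool:
    """Detection helper: True if any cell still holds a raw tag start."""
    return any(TAG_START.search(cell) for cell in CELL.findall(row))


# Constructed sample: a VM whose name carries a harmless XSS probe string.
CRAFTED_VM = {
    "name": '<img src=x onerror="alert(1)">',
    "guest_os": "Other Linux (64-bit)",
}

if __name__ == "__main__":
    print("unsafe:", vm_row_unsafe(CRAFTED_VM))
    print("safe  :", vm_row_safe(CRAFTED_VM))
    print("unsafe row carries markup:", cell_contains_markup(vm_row_unsafe(CRAFTED_VM)))
    print("safe row carries markup:  ", cell_contains_markup(vm_row_safe(CRAFTED_VM)))
```

The encoding has to happen at the point of output, for every untrusted field, not once at import time; a VM imported from an untrusted source is exactly the case where the value was never under the administrator's control.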
VMware's also acquired some people and assets from software-defined networking startup PLUMgrid. Founded by former Cisconauts and venture-backed, PLUMgrid tried to improve data centre security and management. ®