Patch NOW: VMware vCenter, ESXi can be pwned via your network
Remote-code execution danger on VM hosts
VMware is urging users of its vCenter Server and ESXi software to install its latest patches to plug vulnerabilities that can allow remote-code execution and denial of service.
The vCenter flaw was first spotted by Doug McLeod of Edinburgh-based security consultancy 7 Elements toward the beginning of the year, and the researchers have been working with VMware to come up with a fix ahead of Thursday's public disclosure.
The vulnerability, which affects vCenter Server versions 5.0 through 6.0 on all supported platforms, involves an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication.
"The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean [managed Java bean] from a remote URL," 7 Elements explained in a security notice. "An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file."
7 Elements has published proof-of-concept code that takes advantage the bug and says there are already at least two Metasploit modules and a standalone exploit for it.
A second bug in vCenter – this one spotted by researchers at Google – can allow an attacker to create a denial-of-service condition by sending the server a maliciously crafted message.
Along with the vCenter fixes, VMware has also identified and patched a vulnerability in its ESXi hypervisor software involving the OpenSLP service location protocol service. An attacker who exploits a memory management error in the software can potentially execute code on the ESXi host remotely.
This second flaw, which was spotted by researcher Qinghao Tang of Chinese security firm Qihoo 360, affects ESXi versions 5.0, 5.1, and 5.5. Version 6.0 is not affected.
Patches for all of the abovementioned bugs are available. Information on which patches are appropriate for which versions of ESXi and vCenter is available from VMware's security advisory, found here.
However, do watch out for patching to ESXi 5.5 Update 3 – this has a nasty bug that crashes guest virtual machines if you delete a snapshot. ®