Patch NOW: VMware vCenter, ESXi can be pwned via your network

Remote-code execution danger on VM hosts

By Neil McAllister in San Francisco

Posted in Data Centre, 1st October 2015 21:01 GMT

VMware is urging users of its vCenter Server and ESXi software to install its latest patches to plug vulnerabilities that can allow remote-code execution and denial of service.

The vCenter flaw was first spotted by Doug McLeod of Edinburgh-based security consultancy 7 Elements toward the beginning of the year, and the researchers have been working with VMware to come up with a fix ahead of Thursday's public disclosure.

The vulnerability, which affects vCenter Server versions 5.0 through 6.0 on all supported platforms, involves an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication.

"The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean [managed Java bean] from a remote URL," 7 Elements explained in a security notice. "An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file."

7 Elements has published proof-of-concept code that takes advantage the bug and says there are already at least two Metasploit modules and a standalone exploit for it.

A second bug in vCenter – this one spotted by researchers at Google – can allow an attacker to create a denial-of-service condition by sending the server a maliciously crafted message.

Along with the vCenter fixes, VMware has also identified and patched a vulnerability in its ESXi hypervisor software involving the OpenSLP service location protocol service. An attacker who exploits a memory management error in the software can potentially execute code on the ESXi host remotely.

This second flaw, which was spotted by researcher Qinghao Tang of Chinese security firm Qihoo 360, affects ESXi versions 5.0, 5.1, and 5.5. Version 6.0 is not affected.

Patches for all of the abovementioned bugs are available. Information on which patches are appropriate for which versions of ESXi and vCenter is available from VMware's security advisory, found here.

However, do watch out for patching to ESXi 5.5 Update 3 – this has a nasty bug that crashes guest virtual machines if you delete a snapshot. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

Oracle says SPARCv9 has Spectre CPU bug, patches coming soon

Big Red finally delivers patches for its x86 boxes – and 230-plus other problems

Telstra's mobile networks go TOESUP* in national outage

Updated That's 'Total Outage Ends Support for Usual Performance', natch

Security bods liberate EITest malware slaves

Miscreants' command and control network traffic sent down sinkhole

VMware-on-AWS coming to Frankfurt, Sydney, Japan, with vMotion between regions too

Virtzilla's Amazonian cloud is also tooling up for managed services providers

VMware and Microsoft make up and get NSX-y together

Virtzilla's virtual cloud networking push is on and Switchzilla is in its sights

Legacy kit, no antivirus, weak crypto. Yep. They're talking critical industrial networks

Report shows they're ripe targets for hackers

No one still thinks iOS is invulnerable to malware, right? Well, knock it off

As platform's popularity rose, so did its allure to miscreants

Siemens patches one security vuln, leaves folks to block second

LOGO owners on alert

Researchers create AI attacker to defeat AI malware defender

It's like Spy Vs Spy, but with neural network boffins

VMware pushes NSX deeper into containers, security

Microsegmentation for microservices, plus automated key management for all those tiny, transient networks