Data Centre

Patch NOW: VMware vCenter, ESXi can be pwned via your network

Remote-code execution danger on VM hosts

By Neil McAllister in San Francisco

3 SHARE

VMware is urging users of its vCenter Server and ESXi software to install its latest patches to plug vulnerabilities that can allow remote-code execution and denial of service.

The vCenter flaw was first spotted by Doug McLeod of Edinburgh-based security consultancy 7 Elements toward the beginning of the year, and the researchers have been working with VMware to come up with a fix ahead of Thursday's public disclosure.

The vulnerability, which affects vCenter Server versions 5.0 through 6.0 on all supported platforms, involves an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication.

"The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean [managed Java bean] from a remote URL," 7 Elements explained in a security notice. "An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file."

7 Elements has published proof-of-concept code that takes advantage the bug and says there are already at least two Metasploit modules and a standalone exploit for it.

A second bug in vCenter – this one spotted by researchers at Google – can allow an attacker to create a denial-of-service condition by sending the server a maliciously crafted message.

Along with the vCenter fixes, VMware has also identified and patched a vulnerability in its ESXi hypervisor software involving the OpenSLP service location protocol service. An attacker who exploits a memory management error in the software can potentially execute code on the ESXi host remotely.

This second flaw, which was spotted by researcher Qinghao Tang of Chinese security firm Qihoo 360, affects ESXi versions 5.0, 5.1, and 5.5. Version 6.0 is not affected.

Patches for all of the abovementioned bugs are available. Information on which patches are appropriate for which versions of ESXi and vCenter is available from VMware's security advisory, found here.

However, do watch out for patching to ESXi 5.5 Update 3 – this has a nasty bug that crashes guest virtual machines if you delete a snapshot. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

Xen Project patches Intel’s Lazy FPU flaw, VMware doesn't need to

UPDATE Guest register states are readable, but the patch cavalry has arrived

Dell's hokey cokey IPO takes new turn – VMware in, VMware out....

Investor roadshow delayed as Mick D considers alternative plan

Party like it's 1989... SVGA code bug haunts VMware's house, lets guests flee to host OS

Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security

It's ESXi time for critical VMware patches

Three to do, pronto, unless you like guest-host escape mirth

The weekend starts here... right after you've installed these critical Cisco bug patches

Coding screwups for Prime Infrastructure and DNA Center admins to slurp up

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Get patching after team gets under the skin of OpenEMR

Oracle corrals and patches Struts 2 vulnerabilities

Big Red issues out-of-band patch for Apache and a few other urgent issues

Ever seen printer malware in action? Install this HP Ink patch – or you may find out

Firmware update tackles remote code bugs in InkJet machines

VMware, AWS preview database-on-vSphere

VMworld US Database ops need less 'muck' says AWS boss Andy Jassy

Virus screener goes down, Intel patches more chips, Pegasus government spying code spreads across globe

Roundup Plus: Gov pay sites take a dive, and more