Data Centre

Patch NOW: VMware vCenter, ESXi can be pwned via your network

Remote-code execution danger on VM hosts

By Neil McAllister in San Francisco

3 SHARE

VMware is urging users of its vCenter Server and ESXi software to install its latest patches to plug vulnerabilities that can allow remote-code execution and denial of service.

The vCenter flaw was first spotted by Doug McLeod of Edinburgh-based security consultancy 7 Elements toward the beginning of the year, and the researchers have been working with VMware to come up with a fix ahead of Thursday's public disclosure.

The vulnerability, which affects vCenter Server versions 5.0 through 6.0 on all supported platforms, involves an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication.

"The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean [managed Java bean] from a remote URL," 7 Elements explained in a security notice. "An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file."

7 Elements has published proof-of-concept code that takes advantage the bug and says there are already at least two Metasploit modules and a standalone exploit for it.

A second bug in vCenter – this one spotted by researchers at Google – can allow an attacker to create a denial-of-service condition by sending the server a maliciously crafted message.

Along with the vCenter fixes, VMware has also identified and patched a vulnerability in its ESXi hypervisor software involving the OpenSLP service location protocol service. An attacker who exploits a memory management error in the software can potentially execute code on the ESXi host remotely.

This second flaw, which was spotted by researcher Qinghao Tang of Chinese security firm Qihoo 360, affects ESXi versions 5.0, 5.1, and 5.5. Version 6.0 is not affected.

Patches for all of the abovementioned bugs are available. Information on which patches are appropriate for which versions of ESXi and vCenter is available from VMware's security advisory, found here.

However, do watch out for patching to ESXi 5.5 Update 3 – this has a nasty bug that crashes guest virtual machines if you delete a snapshot. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

FBI fingers North Korea for two malware strains

'Joanap' and 'Brambul' harvest info about your systems and send it home

Schadenfreude for UK mobile networks over the tumult at Carphone

Analysis That's what you get for selling unlocked phones

Oracle says SPARCv9 has Spectre CPU bug, patches coming soon

Big Red finally delivers patches for its x86 boxes – and 230-plus other problems

Brit mobile phone users want the Moon on a stick but then stay on same networks for aeons

How does that work?

Telstra's mobile networks go TOESUP* in national outage

Updated That's 'Total Outage Ends Support for Usual Performance', natch

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all

Pen test bods probe about two dozen orgs – all fail

VMware scales its virtual switches to tackle NFV, old school networkers

Software-defined networks are getting serious, at scale

VMware-on-AWS coming to Frankfurt, Sydney, Japan, with vMotion between regions too

Virtzilla's Amazonian cloud is also tooling up for managed services providers

Brits whinging less? About ISPs, networks and TV? It's gotta be a glitch in the Matrix

Happy now? For realsies?

Security bods liberate EITest malware slaves

Miscreants' command and control network traffic sent down sinkhole