Patch NOW: VMware vCenter, ESXi can be pwned via your network

Remote-code execution danger on VM hosts

By Neil McAllister in San Francisco

Posted in Data Centre, 1st October 2015 21:01 GMT

VMware is urging users of its vCenter Server and ESXi software to install its latest patches to plug vulnerabilities that can allow remote-code execution and denial of service.

The vCenter flaw was first spotted by Doug McLeod of Edinburgh-based security consultancy 7 Elements toward the beginning of the year, and the researchers have been working with VMware to come up with a fix ahead of Thursday's public disclosure.

The vulnerability, which affects vCenter Server versions 5.0 through 6.0 on all supported platforms, involves an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication.

"The JMX service allows users to call the 'javax.management.loading.MLet' function, which permits the loading of an MBean [managed Java bean] from a remote URL," 7 Elements explained in a security notice. "An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file."

7 Elements has published proof-of-concept code that takes advantage of the bug and says there are already at least two Metasploit modules and a standalone exploit for it.

A second bug in vCenter – this one spotted by researchers at Google – can allow an attacker to create a denial-of-service condition by sending the server a maliciously crafted message.

Along with the vCenter fixes, VMware has also identified and patched a vulnerability in its ESXi hypervisor software involving the OpenSLP service location protocol service. An attacker who exploits a memory management error in the software can potentially execute code on the ESXi host remotely.

The ESXi flaw, which was spotted by researcher Qinghao Tang of Chinese security firm Qihoo 360, affects ESXi versions 5.0, 5.1, and 5.5. Version 6.0 is not affected.

Patches for all of the abovementioned bugs are available. Information on which patches are appropriate for which versions of ESXi and vCenter is available from VMware's security advisory, found here.

However, do watch out for patching to ESXi 5.5 Update 3 – this has a nasty bug that crashes guest virtual machines if you delete a snapshot. ®
