VMware Patches Man-in-the-Middle and Web Session Hijack Vulnerability

April 15, 2016
By David Marshall

ATTN: VMware administrators. Do you have plans this afternoon? What about this weekend?

"Patch now!" is the word coming down from the VMware mothership after the company revealed a new security flaw (VMSA-2016-0004) this week in the VMware Client Integration Plug-in that, if exploited by an attacker, could lead to a man-in-the-middle attack.


This announcement comes only a month after VMware announced a previous critical vulnerability, a cross-site scripting issue in vRealize for Linux.

According to this latest advisory, the problem existed in VMware's Client Integration Plug-in (CIP), a collection of tools found in a handful of other products shipped by the virtualization giant, including some versions of its vCenter Server, vCloud Director and vRealize Automation Identity Appliance. The plug-in helps users access a virtual machine's console and is used in tandem with the vSphere Web Client, VMware's browser-based management client.

The issue is that the plug-in fails to handle session content in a safe way, which could allow an attacker to carry out a man-in-the-middle attack or a web session hijack if a user of the vSphere Web Client visits a malicious website.

In order to remediate the issue, both the server side (i.e. vCenter Server, vCloud Director, and vRealize Automation Identity Appliance) AND the client side (i.e. the CIP installed for the vSphere Web Client) need to be updated; patching only one of the two leaves the issue unresolved.

Not all versions of the software are vulnerable. So far, VMware has only identified: vCenter Server 6.0 (any 6.0 version prior to 6.0 U2); vCenter Server 5.5 U3a, U3b, U3c; vCloud Director 5.5.5; and vRealize Automation Identity Appliance 6.2.4.
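A small inventory check written for this post (not VMware's code) that encodes the affected-version list above, so administrators can flag which servers still need the server-side patch. It assumes version strings are written in the advisory's own notation (e.g. "6.0 U1b", "5.5 U3c"); the product names used as keys and the sample inventory are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Affected versions exactly as listed in VMSA-2016-0004 (per the article).
AFFECTED_VCD = {"5.5.5"}
AFFECTED_VRA_IDENTITY = {"6.2.4"}
AFFECTED_VC55_UPDATES = {"3a", "3b", "3c"}

# Matches "6.0", "6.0 U2", "5.5 U3a" (case-insensitive "U"; letter suffix optional).
_VC_RE = re.compile(r"^(\d+)\.(\d+)(?:\s*U(\d+)([a-z]?))?$", re.IGNORECASE)


def parse_vcenter_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse a vCenter version string into (major, minor, update, letter)."""
    m = _VC_RE.match(text.strip())
    if not m:
        return None
    major, minor, upd, letter = m.groups()
    return int(major), int(minor), int(upd) if upd else 0, (letter or "").lower()


def vcenter_affected(text: str) -> bool:
    """True if this vCenter Server version is on the advisory's affected list."""
    parsed = parse_vcenter_version(text)
    if parsed is None:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = parsed
    if (major, minor) == (6, 0):
        return update < 2                      # every 6.0 release before 6.0 U2
    if (major, minor) == (5, 5):
        return f"{update}{letter}" in AFFECTED_VC55_UPDATES  # only U3a/U3b/U3c listed
    return False                               # other branches are not listed


def product_affected(product: str, version: str) -> bool:
    """Dispatch on product name (assumed spellings) to the right affected check."""
    name = product.strip().lower()
    if name == "vcenter server":
        return vcenter_affected(version)
    if name == "vcloud director":
        return version.strip() in AFFECTED_VCD
    if name == "vrealize automation identity appliance":
        return version.strip() in AFFECTED_VRA_IDENTITY
    raise ValueError(f"product not covered by this check: {product!r}")


def needs_patch(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose (host, product, version) entry is affected."""
    return [host for host, product, version in inventory if product_affected(product, version)]
```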

Sounds like the recently announced HTML5 Web Client couldn’t come soon enough.


About the Author

David Marshall is an industry-recognized virtualization and cloud computing expert, a seven-time recipient of the VMware vExpert distinction, and has been heavily involved in the industry for the past 16 years. To help solve industry challenges, he co-founded and helped start several successful virtualization software companies such as ProTier, Surgient and Hyper9, and also spent a few years transforming desktop virtualization while at Virtual Bridges.

David is also a co-author of two very popular server virtualization books: "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and "VMware ESX Essentials in the Virtual Data Center." He was also the Technical Editor on Wiley's "Virtualization for Dummies" and "VMware VI3 for Dummies" books. David has also authored countless articles for a number of well-known technical magazines, including InfoWorld, Virtual-Strategy and TechTarget. And in 2004, he founded the oldest independent virtualization and cloud computing news site, VMblog.com, which he still operates today.
