VMware vSphere Data Protection (VDP) Vulnerability

Published: Feb 22, 2018 06:52

Advisory No:

Source: VMware

Software Affected:

Overview

vSphere Data Protection (VDP) contains multiple vulnerabilities: an authentication bypass, an arbitrary file upload and a path traversal.

Description

Date of First Release: 10-01-2018
Source: VMware
Product affected: vSphere Data Protection (VDP) running on virtual machines, versions 6.1.x, 6.0.x and 5.x

VMware has released a security advisory to address three critical vulnerabilities in vSphere Data Protection (VDP): an authentication bypass, an arbitrary file upload and a path traversal. They affect VDP versions 5.x, 6.0.x and 6.1.x.

  • The authentication bypass vulnerability can allow an unauthenticated malicious user to remotely bypass authentication and gain root access to the affected system.
  • The arbitrary file upload vulnerability can allow a malicious user with access to a low-privileged account to upload malicious files to any location on the server file system.
  • The path traversal vulnerability can allow a malicious user with low privileges to access arbitrary files on the server in the context of the vulnerable application.
Impact

The exploitation of the aforementioned vulnerabilities could allow a malicious user to take control of the affected system.

Solution

Users and administrators are advised to review the release notes and install the recommended patches:

  • VDP version 6.1.x users should upgrade to, or apply the patch for, VDP version 6.1.6;
  • VDP version 6.0.x users should upgrade to, or apply the patch for, VDP version 6.0.7;
  • VDP version 5.x users should upgrade to, or apply the patch for, VDP version 6.0.7.

References

  1. https://www.vmware.com/security/advisories/VMSA-2018-0001.html
  2. http://www.securityweek.com/vmware-patches-critical-flaws-vsphere-data-protection
  3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15548
  4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15549
  5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15550
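The patch guidance in the Solution section maps each affected VDP branch to a fixed release (6.1.x to 6.1.6; 6.0.x and 5.x to 6.0.7). The script below is an added example, not part of the TZ-CERT or VMware advisory: it parses the version strings of an appliance inventory and flags the ones still below the fixed release for their branch, so an administrator can see which hosts remain to be patched. The hostnames and versions in `SAMPLE_INVENTORY` are constructed sample data, and the function names (`parse_version`, `required_fix`, `is_vulnerable`, `triage`) are this example's own.

```python
"""Added example (not from the TZ-CERT/VMware advisory): flag vSphere Data
Protection (VDP) appliance versions that are below the fixed releases named
in VMSA-2018-0001.  The inventory at the bottom is constructed sample data."""
from typing import Dict, Optional, Tuple

# Fixed releases from the advisory: 6.1.x -> 6.1.6; 6.0.x and 5.x -> 6.0.7.
FIXED = {"6.1": (6, 1, 6), "6.0": (6, 0, 7), "5": (6, 0, 7)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.4' or '6.1.4.12' into a comparable tuple of ints.
    Raises ValueError on anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def required_fix(version: Tuple[int, ...]) -> Optional[Tuple[int, int, int]]:
    """Return the fixed release an installed version must reach, or None when
    the version is outside the affected 5.x / 6.0.x / 6.1.x branches."""
    if version[0] == 5:
        return FIXED["5"]
    if version[0] == 6 and len(version) > 1 and version[1] in (0, 1):
        return FIXED[f"6.{version[1]}"]
    return None


def is_vulnerable(version_text: str) -> bool:
    """True when the version is in an affected branch and older than its fix."""
    v = parse_version(version_text)
    fix = required_fix(v)
    if fix is None:
        return False
    # Tuple comparison is lexicographic, so (6, 1, 5, 9) < (6, 1, 6) and
    # (6, 1, 6, 1) >= (6, 1, 6); a longer version at the fix level is patched.
    return v < fix


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool, Optional[Tuple[int, int, int]]]]:
    """Map host -> (version, vulnerable?, fix-or-None) for a host->version dict."""
    result = {}
    for host, version_text in inventory.items():
        v = parse_version(version_text)
        fix = required_fix(v)
        result[host] = (version_text, fix is not None and v < fix, fix)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vdp-a": "6.1.4",   # 6.1.x branch, below 6.1.6 -> needs patch
    "vdp-b": "6.1.6",   # at the fixed release
    "vdp-c": "6.0.5",   # 6.0.x branch, below 6.0.7 -> needs patch
    "vdp-d": "5.8.0",   # 5.x must move to 6.0.7 -> needs patch
    "vdp-e": "6.0.7",   # fixed
}

if __name__ == "__main__":
    for host, (ver, vuln, fix) in triage(SAMPLE_INVENTORY).items():
        status = f"PATCH to {'.'.join(map(str, fix))}" if vuln else "ok"
        print(f"{host:8} {ver:8} {status}")
```

Versions outside the three affected branches (for example a 6.2.x build) are reported as not affected by this advisory rather than as patched; a real inventory check should still confirm such hosts against the vendor's current support matrix.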
