Vulnerabilities in VMware vCenter and ESXi could allow remote code execution – VMSA-2015-0007

ITS Advisory Number: 
2015-119
Date(s) Issued: 
Friday, October 2, 2015
Subject: 
Vulnerabilities in VMware vCenter and ESXi could allow remote code execution – VMSA-2015-0007
Overview: 

Vulnerabilities have been discovered within VMware vCenter and ESXi that allow remote code execution. VMware vCenter Server provides a centralized platform for managing VMware vSphere environments so that virtual infrastructure can be automated and delivered. VMware ESXi Server is computer virtualization software and can be used to facilitate centralized management for enterprise desktops and data center applications. Successful exploitation could result in system-level access to virtual machine host servers and a full compromise of the environment. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • VMware vCenter Server 6.0 (any build)
  • VMware vCenter Server 5.5 (any build)
  • VMware vCenter Server 5.1 (any build)
  • VMware vCenter Server 5.0 (any build)
  • VMware ESXi 5.5 without patch ESXi550-201509101
  • VMware ESXi 5.1 without patch ESXi510-201510101
  • VMware ESXi 5.0 without patch ESXi500-201510101
Risk: 
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
HOME USERS
  • Home users: Medium
Description: 

Vulnerabilities have been discovered within VMware vCenter and ESXi that allow remote code execution. The vulnerabilities are as follows:

VMware vCenter

  • vCenter Server exposes an improperly configured Java Management Extensions (JMX) service that can be manipulated remotely without authentication. The JMX service allows users to invoke 'javax.management.loading.MLet', which permits the loading of an MBean (managed Java bean) from a remote URL. [CVE-2015-2342]
  • vCenter Server does not properly sanitize long heartbeat messages. Exploitation of this issue may allow an unauthenticated attacker to create a denial-of-service condition in the vpxd service. [CVE-2015-1047]

*NOTE: VMware vCenter Server 6.0 is NOT AFFECTED by CVE-2015-1047  

VMware ESXi

  • VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. [CVE-2015-5177]

There is a known issue affecting VMware ESXi 5.5 Update 3: deleting a snapshot can crash guest virtual machines. Currently, there is no resolution. For the workaround, see: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2133118

Successful exploitation could result in system-level access to virtual machine host servers and a full compromise of the environment. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
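To turn the Systems Affected list and the vCenter 6.0 note into a repeatable check, the following script (added here as an example; it is not part of the advisory or a VMware tool) matches a vSphere inventory against the affected versions, patch bulletins and CVE exceptions stated above. The host records are constructed sample data and the product/version/patch field layout is an assumption about how an inventory export would look.

```python
"""Triage a vSphere inventory against VMSA-2015-0007 (ITS Advisory 2015-119).

Affected versions, patch bulletin IDs and the vCenter 6.0 exception are taken
from the advisory text. Host records below are constructed sample data.
"""
from dataclasses import dataclass, field

# ESXi: affected unless the listed patch bulletin is installed.
ESXI_FIX = {
    "5.5": "ESXi550-201509101",
    "5.1": "ESXi510-201510101",
    "5.0": "ESXi500-201510101",
}
# vCenter: any build of these versions is affected; 6.0 is NOT affected by CVE-2015-1047.
VCENTER_CVES = {
    "6.0": ["CVE-2015-2342"],
    "5.5": ["CVE-2015-2342", "CVE-2015-1047"],
    "5.1": ["CVE-2015-2342", "CVE-2015-1047"],
    "5.0": ["CVE-2015-2342", "CVE-2015-1047"],
}

@dataclass
class Host:
    name: str
    product: str                 # "vcenter" or "esxi" (assumed inventory field)
    version: str                 # e.g. "5.5.0"
    patches: set = field(default_factory=set)   # installed bulletin IDs

def major_minor(version: str) -> str:
    """Reduce '5.5.0' style strings to the '5.5' key used by the advisory."""
    parts = version.split(".")
    return ".".join(parts[:2]) if len(parts) >= 2 else version

def exposures(host: Host) -> list:
    """Return the CVEs from this advisory the host is still exposed to."""
    mm = major_minor(host.version)
    if host.product == "vcenter":
        return list(VCENTER_CVES.get(mm, []))
    if host.product == "esxi":
        fix = ESXI_FIX.get(mm)
        return ["CVE-2015-5177"] if fix and fix not in host.patches else []
    raise ValueError(f"unknown product: {host.product}")

def triage(hosts: list) -> dict:
    return {h.name: exposures(h) for h in hosts}

SAMPLE_INVENTORY = [  # constructed sample data
    Host("vc01", "vcenter", "6.0.0"),
    Host("vc02", "vcenter", "5.5.0"),
    Host("esx01", "esxi", "5.5.0", {"ESXi550-201509101"}),
    Host("esx02", "esxi", "5.1.0"),
    Host("esx03", "esxi", "6.0.0"),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(cves) if cves else 'not affected by this advisory'}")
```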

Actions: 
  • Apply appropriate patches provided by VMware to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • If no updates and patches are available, monitor or contact your vendors for availability.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.