-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3626
  vSphere Data Protection (VDP) updates address multiple security issues
                             21 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vSphere Data Protection
Publisher:         VMWare
Operating System:  VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Privileged Data          -- Console/Physical            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11077 CVE-2018-11076 CVE-2018-11067
                   CVE-2018-11066  

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2018-0029.html

- --------------------------BEGIN INCLUDED TEXT--------------------

vSphere Data Protection (VDP) updates address multiple security issues.

VMware Security Advisory

VMware Security Advisory Advisory ID:  VMSA-2018-0029
VMware Security Advisory Severity:     Critical
VMware Security Advisory Synopsis:     vSphere Data Protection (VDP) updates 
                                       address multiple security issues.
VMware Security Advisory Issue date:   2018-11-20
VMware Security Advisory Updated on:   2018-11-20 (Initial Advisory)
VMware Security Advisory CVE numbers:  CVE-2018-11066, CVE-2018-11067, 
                                       CVE-2018-11076, CVE-2018-11077

 

1. Summary

vSphere Data Protection (VDP) updates address multiple security issues.

2. Relevant Products

  o vSphere Data Protection (VDP). VDP is based on Dell EMC Avamar Virtual
    Edition.

3. Problem Description

a. Remote code execution vulnerability.


VDP contains a remote code execution vulnerability. A remote unauthenticated
attacker could potentially exploit this vulnerability to execute arbitrary
commands on the server.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2018-11066 to this issue.  

 

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

VMware Product VDP
Product Version 6.1.x
Running on VA
Severity Critical
Replace with/ Apply Patch 6.1.10
Mitigation/ Workaround None
VMware Product VDP
Product Version 6.0.x
Running on VA
Severity Critical
Replace with/ Apply Patch 6.0.9
Mitigation/ Workaround None

 

b. Open redirection vulnerability.


VDP contains an open redirection vulnerability. A remote unauthenticated
attacker could potentially exploit this vulnerability to redirect application
users to arbitrary web URLs by tricking the victim users to click on
maliciously crafted links. The vulnerability could be used to conduct phishing
attacks that cause users to unknowingly visit malicious sites.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2018-11067 to this issue.  

 

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

VMware Product VDP
Product Version 6.1.x
Running on VA
Severity Important
Replace with/ Apply Patch 6.1.10
Mitigation/ Workaround None
VMware Product VDP
Product Version 6.0.x
Running on VA
Severity Important
Replace with/ Apply Patch 6.0.9
Mitigation/ Workaround None

 

c. Command injection vulnerability.


The 'getlogs' troubleshooting utility in VDP contains an OS command injection
vulnerability. A malicious admin user may potentially be able to execute
arbitrary commands under root privilege.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2018-11076 to this issue.  

 

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

VMware Product VDP
Product Version 6.1.x
Running on VA
Severity Important
Replace with/ Apply Patch 6.1.9
Mitigation/ Workaround None
VMware Product VDP
Product Version 6.0.x
Running on VA
Severity Important
Replace with/ Apply Patch 6.0.9
Mitigation/ Workaround None

 

d. Information exposure vulnerability.


VDP contains an information exposure vulnerability. VDP Java management
console's SSL/TLS private key may be leaked in the VDP Java management client
package. The private key could potentially be used by an unauthenticated
attacker on the same data-link layer to initiate a MITM attack on management
console users.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2018-11077 to this issue.  

 

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

VMware Product VDP
Product Version 6.1.x
Running on VA
Severity Moderate
Replace with/ Apply Patch 6.1.10
Mitigation/ Workaround None
VMware Product VDP
Product Version 6.0.x
Running on VA
Severity Moderate
Replace with/ Apply Patch 6.0.9
Mitigation/ Workaround None

 

 

4. Solution

 

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

 

vSphere Data Protection (VDP) 6.1.10

Downloads and Documentation:

https://my.vmware.com/group/vmware/details-productId=491&downloadGroup=VDP6110

https://www.vmware.com/support/pubs/vdr_pubs.html

   

vSphere Data Protection (VDP) 6.0.9

Downloads and Documentation:  

https://my.vmware.com/group/vmware/details-productId=491&downloadGroup=VDP60_9

https://www.vmware.com/support/pubs/vdr_pubs.html      

 

5. References
 

http://cve.mitre.org/cgi-bin/cvename.cgi-name=CVE-2018-11066

http://cve.mitre.org/cgi-bin/cvename.cgi-name=CVE-2018-11067

http://cve.mitre.org/cgi-bin/cvename.cgi-name=CVE-2018-11076
http://cve.mitre.org/cgi-bin/cvename.cgi-name=CVE-2018-11077

 

6. Change log

 

2018-11-20 VMSA-2018-0029

Initial security advisory in conjunction with the release of VMware vSphere
Data Protection 6.1.10 on 2018-11-20.

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2018 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/T+T2aOgq3Tt24GAQgX2hAAjBHOhpHfTkqFitkpk7hU3RiItqDJU0S/
4qgtH9RioHx4jmxrf7f9q1mfYY43jgzHH7+vnR9QrCReKPgFMDuBs4VKiyGas5Qm
jVMtXRfKM3a0Las+2tznmkSHLRJ6O20q2ffuWkP3XUmNNLmqFjW85PtEQiI090nA
T0HnDP34jpWGjgC2OsM1OkwA/qFedCMWx2LUfuwVvOtSnVOFWuuMLjGJyvJ+sLSs
vXC75wqzP2jRzqohcdT9rmj2Ym83VlAoBaWJp7WcLOtLy6OLhk8qE+jSJEJFelYA
kmFNstS7Mq0TwTZ6vENL8xQ7L+ncbViFbD2igcmnIq1fALtAjteZMYIkMcH0ptc8
QBR9m5pfBeLoADf8AkJIgGwg+JIO7EyiHdfRAgwiV9QfwTqII/mrnrZntpDLkfxx
vFNckhjLmEj75RKt9vE74jlwFK+z2AjCMI6lrkIHjHN1i1z31x/9KOCPYhb3PdV/
1cCrob8NmUNpbB7VaupOWKIaHnfdg1sCpU/um4vw5O4lhxC4G3lgWuIlKH/Zag8Q
hCVabg79wULdS5MFFOH11r+8z+dFqracJPcM9Wr2KyT0/BEJ8zoIltVonfaPsomg
SpZU3sT9AFAK3yPrZdyAX0Zhboc88Q7W6jMh6qRP+N8E3ENULZmBmAv21OOmgk8l
S986xTaUypg=
=FCQH
-----END PGP SIGNATURE-----