===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3626
    vSphere Data Protection (VDP) updates address multiple security issues
                              21 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           vSphere Data Protection
Publisher:         VMware
Operating System:  VMware ESX Server
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Privileged Data          -- Console/Physical
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11077 CVE-2018-11076 CVE-2018-11067 CVE-2018-11066

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2018-0029.html

--------------------------BEGIN INCLUDED TEXT--------------------

vSphere Data Protection (VDP) updates address multiple security issues.

VMware Security Advisory

Advisory ID:  VMSA-2018-0029
Severity:     Critical
Synopsis:     vSphere Data Protection (VDP) updates address multiple
              security issues.
Issue date:   2018-11-20
Updated on:   2018-11-20 (Initial Advisory)
CVE numbers:  CVE-2018-11066, CVE-2018-11067, CVE-2018-11076, CVE-2018-11077

1. Summary

   vSphere Data Protection (VDP) updates address multiple security issues.

2. Relevant Products

   o vSphere Data Protection (VDP). VDP is based on Dell EMC Avamar Virtual
     Edition.

3. Problem Description

   a. Remote code execution vulnerability.

   VDP contains a remote code execution vulnerability. A remote
   unauthenticated attacker could potentially exploit this vulnerability to
   execute arbitrary commands on the server.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-11066 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware  Product  Running  Severity  Replace with/  Mitigation/
   Product Version  on                 Apply Patch    Workaround
   ======= =======  =======  ========  =============  ===========
   VDP     6.1.x    VA       Critical  6.1.10         None
   VDP     6.0.x    VA       Critical  6.0.9          None

   b. Open redirection vulnerability.

   VDP contains an open redirection vulnerability. A remote unauthenticated
   attacker could potentially exploit this vulnerability to redirect
   application users to arbitrary web URLs by tricking victim users into
   clicking maliciously crafted links. The vulnerability could be used to
   conduct phishing attacks that cause users to unknowingly visit malicious
   sites.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-11067 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware  Product  Running  Severity   Replace with/  Mitigation/
   Product Version  on                  Apply Patch    Workaround
   ======= =======  =======  =========  =============  ===========
   VDP     6.1.x    VA       Important  6.1.10         None
   VDP     6.0.x    VA       Important  6.0.9          None

   c. Command injection vulnerability.

   The 'getlogs' troubleshooting utility in VDP contains an OS command
   injection vulnerability. A malicious admin user may potentially be able
   to execute arbitrary commands with root privileges.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-11076 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware  Product  Running  Severity   Replace with/  Mitigation/
   Product Version  on                  Apply Patch    Workaround
   ======= =======  =======  =========  =============  ===========
   VDP     6.1.x    VA       Important  6.1.9          None
   VDP     6.0.x    VA       Important  6.0.9          None

   d. Information exposure vulnerability.

   VDP contains an information exposure vulnerability. The SSL/TLS private
   key of the VDP Java management console may be leaked in the VDP Java
   management client package. The private key could potentially be used by
   an unauthenticated attacker on the same data-link layer to initiate a
   MITM attack on management console users.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-11077 to this issue.

   Column 5 of the following table lists the action required to remediate
   the vulnerability in each release, if a solution is available.

   VMware  Product  Running  Severity  Replace with/  Mitigation/
   Product Version  on                 Apply Patch    Workaround
   ======= =======  =======  ========  =============  ===========
   VDP     6.1.x    VA       Moderate  6.1.10         None
   VDP     6.0.x    VA       Moderate  6.0.9          None

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vSphere Data Protection (VDP) 6.1.10
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP6110
   https://www.vmware.com/support/pubs/vdr_pubs.html

   vSphere Data Protection (VDP) 6.0.9
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP60_9
   https://www.vmware.com/support/pubs/vdr_pubs.html
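As an added illustration (not part of the advisory), a small Python check that maps an installed VDP version to the CVEs above that remain unpatched, using the fixed releases from the four remediation tables. It assumes VDP versions are reported in dotted major.minor.patch form; note that 6.1.9 already carries the fix for CVE-2018-11076 while the other three need 6.1.10.

```python
"""Map an installed vSphere Data Protection (VDP) version to the CVEs in
VMSA-2018-0029 it is still exposed to, using the fixed releases that the
advisory's remediation tables list for each branch."""

# Fixed release per VDP branch, copied from the advisory tables.
# CVE-2018-11076 is fixed in 6.1.9 on the 6.1.x branch, one release
# earlier than the other three issues (6.1.10).
FIXED_IN = {
    "CVE-2018-11066": {"6.1": "6.1.10", "6.0": "6.0.9"},  # RCE (Critical)
    "CVE-2018-11067": {"6.1": "6.1.10", "6.0": "6.0.9"},  # open redirect
    "CVE-2018-11076": {"6.1": "6.1.9", "6.0": "6.0.9"},   # getlogs command injection
    "CVE-2018-11077": {"6.1": "6.1.10", "6.0": "6.0.9"},  # private key exposure
}


def parse_version(version: str) -> tuple:
    """Split '6.1.10' into (6, 1, 10) so comparisons are numeric.
    Comparing the raw strings would wrongly rank '6.1.10' below '6.1.9'."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: str) -> str:
    """Return the major.minor branch ('6.1') the advisory tables key on."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def unpatched_cves(installed: str) -> list:
    """Return the advisory's CVEs that the installed version is still open to.
    A branch the advisory does not list (e.g. 5.x) has no fixed release in
    the tables, so every CVE is reported as open for it."""
    branch = branch_of(installed)
    current = parse_version(installed)
    open_cves = []
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is None or current < parse_version(fixed):
            open_cves.append(cve)
    return sorted(open_cves)


if __name__ == "__main__":
    # Constructed sample versions, one on each side of the fixed releases.
    for v in ("6.0.8", "6.0.9", "6.1.9", "6.1.10"):
        print(v, "->", unpatched_cves(v) or "patched for VMSA-2018-0029")
```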
5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11066
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11067
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11076
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11077

6. Change log

   2018-11-20 VMSA-2018-0029
   Initial security advisory in conjunction with the release of VMware
   vSphere Data Protection 6.1.10 on 2018-11-20.

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================