-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3524
           VMSA-2019-0013: security updates for ESXi and vCenter
                             17 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vSphere ESXi
                   VMware vCenter Server
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5534 CVE-2019-5532 CVE-2019-5531
                   CVE-2017-16544  

Reference:         ESB-2019.1136
                   ESB-2018.2183.3

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0013.html

---------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+-----------------------------------------------------------------------------+
|Advisory|VMSA-2019-0013                                                      |
|ID      |                                                                    |
|--------+--------------------------------------------------------------------|
|Advisory|Important                                                           |
|Severity|                                                                    |
|--------+--------------------------------------------------------------------|
|CVSSv3  |4.2-7.7                                                             |
|Range   |                                                                    |
|--------+--------------------------------------------------------------------|
|        |VMware ESXi and vCenter Server updates address command injection    |
|Synopsis|and information disclosure vulnerabilities.                         |
|        |(CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)       |
|--------+--------------------------------------------------------------------|
|Issue   |2019-09-16                                                          |
|Date    |                                                                    |
|--------+--------------------------------------------------------------------|
|Updated |2019-09-16 (Initial Advisory)                                       |
|On      |                                                                    |
|--------+--------------------------------------------------------------------|
|CVE(s)  |CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534         |
+-----------------------------------------------------------------------------+

1. Impacted Products

  * VMware vSphere ESXi (ESXi)
  * VMware vCenter Server (vCenter)

2. Introduction

ESXi and vCenter updates address multiple vulnerabilities.

  * CVE-2017-16544: VMware ESXi command injection vulnerability
  * CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere
    Web Client information disclosure vulnerability
  * CVE-2019-5532: VMware vCenter Server information disclosure vulnerability
  * CVE-2019-5534: VMware vCenter Server information disclosure vulnerability
    in vAppConfig properties
 

3a. VMware ESXi 'busybox' command injection vulnerability- CVE-2017-16544

Description:

ESXi contains a command injection vulnerability because it ships a vulnerable
version of busybox whose shell does not sanitize filenames before writing them
to the terminal, so a filename that carries terminal escape sequences can cause
those sequences to be executed in the ESXi shell. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.7.

Known Attack Vectors:

An attacker may exploit this issue by supplying a file with a malicious name
and tricking an ESXi administrator into handling it in the ESXi shell, causing
the administrator's shell to execute the attacker's commands.

Resolution:

To remediate CVE-2017-16544, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Zhouyuan Yang of Fortinet's FortiGuard Labs for
reporting this issue to us.

Response Matrix:

+--------------------------------------------------------------------------------------------------+
|Product|Version|Running|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|       |       |On     |              |      |        |                    |           |Documents |
|-------+-------+-------+--------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.7    |Any    |CVE-2017-16544|6.7   |Moderate|ESXi670-201904101-SG|None       |None      |
|-------+-------+-------+--------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.5    |Any    |CVE-2017-16544|6.7   |Moderate|ESXi650-201907101-SG|None       |None      |
|-------+-------+-------+--------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.0    |Any    |CVE-2017-16544|6.7   |Moderate|ESXi600-201909101-SG|None       |None      |
+--------------------------------------------------------------------------------------------------+
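As an added example (not VMware's or busybox's code), the check an administrator would want before handling untrusted files in the ESXi shell on a host that has not yet received the fix: scan a directory for names that carry the control and escape bytes this bug class turns into terminal input, and render them with escapes so the report itself is safe to display. The directory and filenames built in demo() are constructed for the example; nothing in the block is specific to ESXi.

```python
"""Find directory entries whose names carry terminal control or escape bytes.

Added example, not VMware's or busybox's code. The bug class behind
CVE-2017-16544 is a shell that writes a filename to the terminal without
sanitising it, so a name carrying ESC sequences drives the administrator's
terminal instead of merely being displayed. This scan lists the entries whose
names carry such bytes, rendered with escapes so the report cannot itself
inject sequences. The directory and filenames built in demo() are constructed
for the example.
"""
import os
import tempfile
from typing import Iterator, List, Tuple

# Code points a terminal interprets rather than displays: C0 controls, DEL and
# the C1 range 0x80-0x9f, which some terminals honour as 8-bit control codes.
CONTROL_CODES = frozenset(range(0x00, 0x20)) | {0x7F} | frozenset(range(0x80, 0xA0))


def _units(name: bytes) -> Iterator[Tuple[int, bool]]:
    """Yield (code_point, is_raw_byte) for a raw filename.

    Valid UTF-8 decodes to code points; any byte that is not valid UTF-8 is
    yielded as itself with is_raw_byte=True (via surrogateescape) so that a
    continuation byte of a multi-byte character is never mistaken for a C1
    control.
    """
    for ch in name.decode("utf-8", "surrogateescape"):
        code = ord(ch)
        if 0xDC80 <= code <= 0xDCFF:
            yield code - 0xDC00, True
        else:
            yield code, False


def has_control_bytes(name: bytes) -> bool:
    """True if the raw filename contains anything a terminal would interpret."""
    return any(code in CONTROL_CODES for code, _ in _units(name))


def render_safely(name: bytes) -> str:
    """Render a raw filename with every control or undecodable unit escaped."""
    out = []
    for code, raw in _units(name):
        ch = chr(code)
        if not raw and code not in CONTROL_CODES and ch.isprintable() and ch != "\\":
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def scan_directory(path: str) -> List[str]:
    """Return, safely rendered and sorted, the names in path that carry control bytes."""
    findings = []
    with os.scandir(path) as entries:
        for entry in entries:
            raw = os.fsencode(entry.name)
            if has_control_bytes(raw):
                findings.append(render_safely(raw))
    return sorted(findings)


def demo() -> List[str]:
    """Constructed sample: a benign file beside one whose name carries an ESC sequence."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("vmware.log", "evil\x1b[31m.vmdk"):
            open(os.path.join(tmp, name), "w").close()
        return scan_directory(tmp)


if __name__ == "__main__":
    for name in demo():
        print("unsafe name:", name)
```

The scan works on the raw bytes of each name rather than on a decoded string, because the terminal sees bytes: a lone 0x9b or an invalid byte sequence is just as dangerous as an ASCII ESC and would be lost or mis-reported by a decode-then-inspect approach.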


3b. ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client
information disclosure vulnerability- CVE-2019-5531

Description:

The ESXi Host Client and the vCenter vSphere Client and vSphere Web Client
contain an information disclosure vulnerability arising from insufficient
session expiration. VMware has evaluated the severity of this issue to be in
the Moderate severity range with a maximum CVSSv3 base score of 4.2.


This issue affects:

  * ESXi VMware Host Client (6.7, 6.5, 6.0).
  * vCenter Server vSphere Client (HTML5) (6.7, 6.5).
  * vCenter Server vSphere Web Client (FLEX/Flash) (6.7, 6.5, 6.0).

Known Attack Vectors:

An attacker with physical access or an ability to mimic a websocket connection
to a user's browser may be able to obtain control of a VM Console after the
user has logged out or their session has timed out.

Resolution:

To remediate CVE-2019-5531, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Dejan Zelic for reporting this issue to us.

Response Matrix:

+-------------------------------------------------------------------------------------------------+
|Product|Version|Running|CVE          |CVSSV3|Severity|Fixed Version       |Workarounds|Additional|
|       |       |On     |Identifier   |      |        |                    |           |Documents |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.7    |Any    |CVE-2019-5531|4.2   |Moderate|ESXi670-201904101-SG|None       |None      |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.5    |Any    |CVE-2019-5531|4.2   |Moderate|ESXi650-201907101-SG|None       |None      |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|ESXi   |6.0    |Any    |CVE-2019-5531|4.2   |Moderate|ESXi600-201909101-SG|None       |None      |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|vCenter|6.7    |Any    |CVE-2019-5531|4.2   |Moderate|6.7 U1b             |None       |None      |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|vCenter|6.5    |Any    |CVE-2019-5531|4.2   |Moderate|6.5 U2b             |None       |None      |
|-------+-------+-------+-------------+------+--------+--------------------+-----------+----------|
|vCenter|6.0    |Any    |CVE-2019-5531|4.2   |Moderate|6.0 U3j             |None       |None      |
+-------------------------------------------------------------------------------------------------+
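The attack vector above, as an added model written for this bulletin rather than VMware's code: it assumes nothing about how the Host Client or the vSphere Clients actually implement their console websocket, and the session ids, VM names and idle timeout are constructed values. Two brokers hand out console streams. The weak one validates the session only at the websocket handshake and then serves frames until the socket closes, so a console obtained before logout, or a handshake replayed by someone who can mimic the websocket, keeps working after the user's session is gone. The hardened one binds every stream to the session that authorised it, re-validates that session on each frame, and closes the session's streams on logout and on idle timeout.

```python
"""Session lifetime versus VM console streams: the failure mode of CVE-2019-5531.

Added example. This is a model written for this bulletin, not VMware's code; it
assumes nothing about the real console websocket, and the session ids, VM names
and idle timeout are constructed values.
"""
import itertools
from typing import Dict, Tuple


class SessionStore:
    """Server-side sessions keyed by id, expired after idle_timeout seconds."""

    def __init__(self, idle_timeout: float = 900.0) -> None:
        self.idle_timeout = idle_timeout
        self._last_seen: Dict[str, float] = {}

    def login(self, sid: str, now: float) -> None:
        self._last_seen[sid] = now

    def logout(self, sid: str) -> None:
        self._last_seen.pop(sid, None)

    def is_valid(self, sid: str, now: float) -> bool:
        """True if the session exists and has not idled out; refreshes its activity."""
        last = self._last_seen.get(sid)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            self._last_seen.pop(sid, None)
            return False
        self._last_seen[sid] = now
        return True


class WeakConsoleBroker:
    """Checks the session at handshake only; the stream outlives the session."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self._streams: Dict[str, str] = {}  # ticket -> vm
        self._ids = itertools.count(1)

    def open_console(self, sid: str, vm: str, now: float) -> str:
        if not self.store.is_valid(sid, now):
            raise PermissionError("not logged in")
        ticket = f"{vm}/{next(self._ids)}"
        self._streams[ticket] = vm
        return ticket

    def send_frame(self, ticket: str, frame: str, now: float) -> str:
        # Weak point: no session check per frame, so neither logout nor the
        # idle timeout ever reaches an open console.
        vm = self._streams.get(ticket)
        if vm is None:
            raise PermissionError("unknown console")
        return f"{vm} <- {frame}"


class HardenedConsoleBroker:
    """Binds each stream to its session and re-checks that session on every frame."""

    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self._streams: Dict[str, Tuple[str, str]] = {}  # ticket -> (sid, vm)
        self._ids = itertools.count(1)

    def open_console(self, sid: str, vm: str, now: float) -> str:
        if not self.store.is_valid(sid, now):
            raise PermissionError("not logged in")
        ticket = f"{vm}/{next(self._ids)}"
        self._streams[ticket] = (sid, vm)
        return ticket

    def send_frame(self, ticket: str, frame: str, now: float) -> str:
        sid, vm = self._streams.get(ticket, (None, None))
        if sid is None or not self.store.is_valid(sid, now):
            self._streams.pop(ticket, None)  # logged out or idled out: tear it down
            raise PermissionError("session no longer valid")
        return f"{vm} <- {frame}"

    def logout(self, sid: str) -> int:
        """Close every console the session opened, then end the session itself."""
        doomed = [t for t, (s, _) in self._streams.items() if s == sid]
        for t in doomed:
            del self._streams[t]
        self.store.logout(sid)
        return len(doomed)
```

The point of the hardened broker is that the console ticket is never an independent credential: its authority is derived from the session on every frame, so logout and idle expiry close the console with the same certainty they close the browser session.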

3c. VMware vCenter Server information disclosure vulnerability- CVE-2019-5532

Description:

VMware vCenter Server contains an information disclosure vulnerability due to
the logging of credentials in plain-text for virtual machines deployed through
OVF. VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors:

A malicious user with access to the log files containing vCenter OVF-properties
of a virtual machine deployed from an OVF may be able to view the credentials
used to deploy the OVF (typically the root account of the virtual machine).

Resolution:

To remediate CVE-2019-5532, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:

If the password of the deployment account (typically root) is changed on the
virtual machine after deployment of the OVF then the credentials stored in
the vCenter OVF-properties will no longer be valid and cannot be used to access
the virtual machine.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Ola Beyioku for reporting this issue to us.

Response Matrix:

+-------------------------------------------------------------------------------------+
|Product|Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|       |       |On     |Identifier   |      |         |Version|           |Documents |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.7    |Any    |CVE-2019-5532|7.7   |Important|6.7 U3 |See above  |None      |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.5    |Any    |CVE-2019-5532|7.7   |Important|6.5 U3 |See above  |None      |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.0    |Any    |CVE-2019-5532|7.7   |Important|6.0 U3j|See above  |None      |
+-------------------------------------------------------------------------------------+


3d. Information disclosure vulnerability in vAppConfig properties - CVE-2019-5534

Description:

Virtual Machines deployed from an OVF could expose login information via the
virtual machine's vAppConfig properties. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.7.

Known Attack Vectors:

A malicious actor with access to query the vAppConfig properties of a virtual
machine deployed from an OVF may be able to view the credentials used to deploy
the OVF (typically the root account of the virtual machine).

Resolution:

To remediate CVE-2019-5534, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:

The information stored in vAppConfig properties is captured at the time of
deployment. If the password of the deployment account (typically root) is
changed on the virtual machine after deployment of the OVF then the credentials
stored in the vAppConfig properties will no longer be valid and cannot be used
to access the virtual machine.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Rich Browne of F5 Networks for reporting this issue
to us.

Response Matrix:

+-------------------------------------------------------------------------------------+
|Product|Version|Running|CVE          |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|       |       |On     |Identifier   |      |         |Version|           |Documents |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.7    |Any    |CVE-2019-5534|7.7   |Important|6.7 U3 |See above  |None      |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.5    |Any    |CVE-2019-5534|7.7   |Important|6.5 U3 |See above  |None      |
|-------+-------+-------+-------------+------+---------+-------+-----------+----------|
|vCenter|6.0    |Any    |CVE-2019-5534|7.7   |Important|6.0 U3j|See above  |None      |
+-------------------------------------------------------------------------------------+
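For sections 3c and 3d, an added example (not VMware's code) of the inventory check a practitioner would run alongside the workaround: find every VM whose vAppConfig still holds a non-empty credential-type property, so the password can be rotated in the guest and the stored value cleared. Those same properties are what the vulnerable vCenter wrote to its logs in CVE-2019-5532. The inventory below is constructed; with pyVmomi the records would come from vm.config.vAppConfig.property, whose id, label, type and value fields are assumed here and modelled as plain dicts so the check runs offline. Findings record only the length of a value, never the value itself.

```python
"""Audit vApp properties for deployment credentials that remain readable.

Added example, not VMware's code. The inventory is constructed, and the field
names id, label, type and value on each property are assumed to mirror the
vApp property records a vSphere API client would return.
"""
import re
from typing import Any, Dict, List

# Property ids or labels that usually carry a secret even when typed 'string'.
CREDENTIAL_WORDS = re.compile(r"passw(or)?d|secret|token|api[_.-]?key", re.IGNORECASE)

# Constructed sample inventory: two VMs deployed from OVF and one that was not.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {
        "name": "app01",
        "vAppConfig": {"property": [
            {"id": "hostname", "label": "Host name", "type": "string", "value": "app01"},
            {"id": "root_password", "label": "Root password", "type": "password", "value": "Deploy!2019"},
            {"id": "api.token", "label": "API token", "type": "string", "value": "tok-9f2c"},
        ]},
    },
    {
        "name": "db01",
        "vAppConfig": {"property": [
            {"id": "root_password", "label": "Root password", "type": "password", "value": ""},
            {"id": "ntp_server", "label": "NTP server", "type": "string", "value": "ntp.example.net"},
        ]},
    },
    {"name": "legacy01"},  # not deployed from an OVF: no vAppConfig at all
]


def is_credential_property(prop: Dict[str, Any]) -> bool:
    """True for OVF 'password' typed properties or names that suggest a secret."""
    if str(prop.get("type", "")).lower() == "password":
        return True
    names = str(prop.get("id", "")) + " " + str(prop.get("label", ""))
    return CREDENTIAL_WORDS.search(names) is not None


def audit_vapp_properties(inventory: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per VM property that still holds a credential value.

    Only the length of the value is recorded: the point is to locate
    exposures, not to copy the secret into yet another place.
    """
    findings = []
    for vm in inventory:
        props = (vm.get("vAppConfig") or {}).get("property") or []
        for prop in props:
            if not is_credential_property(prop):
                continue
            value = prop.get("value") or ""
            if value == "":
                continue  # captured but already cleared: nothing left to disclose
            findings.append({
                "vm": vm["name"],
                "property": prop["id"],
                "type": prop.get("type", ""),
                "value_length": len(value),
            })
    return findings


if __name__ == "__main__":
    for f in audit_vapp_properties(SAMPLE_INVENTORY):
        print(f"{f['vm']}: property {f['property']} ({f['type']}) "
              f"still holds a {f['value_length']}-character value")
```

A cleared property (db01 above) is not reported, which is the state to aim for after rotating the guest password: the workaround makes the captured value useless, and clearing it removes the disclosure entirely.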

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5534

Fixed Version(s) and Release Notes:

ESXi 6.7 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/
vsphere-esxi-67u3-release-notes.html

ESXi 6.7 U2
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/
vsphere-esxi-67u2-release-notes.html

ESXi 6.7 U1

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/
vsphere-esxi-671-release-notes.html

ESXi 6.5 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/
vsphere-esxi-65u3-release-notes.html

ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912

ESXi 6.0, Patch Release ESXi600-201807001 
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627

ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

vCenter 6.7 U1b
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?downloadGroup=VC67U1B&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/
vsphere-vcenter-server-67u1b-release-notes.html

vCenter 6.5 U2b

Downloads and Documentation:

https://my.vmware.com/group/vmware/details?downloadGroup=VC65U2B&productId=614&
rPId=24466
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/
vsphere-vcenter-server-65u2b-release-notes.html

vCenter 6.5 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VC65U3
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/
vsphere-vcenter-server-65u3-release-notes.html

vCenter 6.0 U3j
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3J&productId=491
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/
vsphere-vcenter-server-60u3j-release-notes.html

5. Change log
 

2019-09-16: VMSA-2019-0013 Initial security advisory detailing remediation
information for the VMware vSphere ESXi and VMware vCenter Server 6.7, 6.5 and
6.0 release lines.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2019 VMware Inc. All rights reserved.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----