===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3524
            VMSA-2019-0013: security updates for ESXi and vCenter
                             17 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vSphere ESXi
                   VMware vCenter Server
Publisher:         VMware
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5534 CVE-2019-5532 CVE-2019-5531 CVE-2017-16544
Reference:         ESB-2019.1136
                   ESB-2018.2183.3

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2019-0013.html

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+-----------------+-----------------------------------------------------------+
|Advisory ID      |VMSA-2019-0013                                             |
|Advisory Severity|Important                                                  |
|CVSSv3 Range     |4.2-7.7                                                    |
|Synopsis         |VMware ESXi and vCenter Server updates address command     |
|                 |injection and information disclosure vulnerabilities.      |
|                 |(CVE-2017-16544, CVE-2019-5531, CVE-2019-5532,             |
|                 |CVE-2019-5534)                                             |
|Issue Date       |2019-09-16                                                 |
|Updated On       |2019-09-16 (Initial Advisory)                              |
|CVE(s)           |CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534|
+-----------------+-----------------------------------------------------------+

1. Impacted Products

   * VMware vSphere ESXi (ESXi)
   * VMware vCenter Server (vCenter)

2. Introduction

ESXi and vCenter updates address multiple vulnerabilities.

   * CVE-2017-16544: VMware ESXi command injection vulnerability
   * CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere
     Web Client information disclosure vulnerability
   * CVE-2019-5532: VMware vCenter Server information disclosure vulnerability
   * CVE-2019-5534: VMware vCenter Server information disclosure vulnerability
     in vAppConfig properties

3a. VMware ESXi 'busybox' command injection vulnerability - CVE-2017-16544

Description:

ESXi contains a command injection vulnerability due to the use of a vulnerable
version of busybox that does not sanitize filenames, which may result in the
shell executing any escape sequence a filename contains. VMware has evaluated
the severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 6.7.

Known Attack Vectors:

An attacker may exploit this issue by tricking an ESXi Admin into executing
shell commands by providing a malicious file.

Resolution:

To remediate CVE-2017-16544, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Zhouyuan Yang of Fortinet's FortiGuard Labs for
notifying us about this issue.
Response Matrix:

+-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------+
|Product|Version|Running On|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional Documents|
|-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------|
|ESXi   |6.7    |Any       |CVE-2017-16544|6.7   |Moderate|ESXi670-201904101-SG|None       |None                |
|ESXi   |6.5    |Any       |CVE-2017-16544|6.7   |Moderate|ESXi650-201907101-SG|None       |None                |
|ESXi   |6.0    |Any       |CVE-2017-16544|6.7   |Moderate|ESXi600-201909101-SG|None       |None                |
+-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------+

3b. ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client
    information disclosure vulnerability - CVE-2019-5531

Description:

The clients contain an information disclosure vulnerability arising from
insufficient session expiration. VMware has evaluated the severity of this
issue to be in the Moderate severity range with a maximum CVSSv3 base score
of 4.2.

This issue affects:

   * ESXi VMware Host Client (6.7, 6.5, 6.0).
   * vCenter Server vSphere Client (HTML5) (6.7, 6.5).
   * vCenter Server vSphere Web Client (FLEX/Flash) (6.7, 6.5, 6.0).

Known Attack Vectors:

An attacker with physical access or an ability to mimic a websocket connection
to a user's browser may be able to obtain control of a VM Console after the
user has logged out or their session has timed out.

Resolution:

To remediate CVE-2019-5531, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Dejan Zelic for reporting this issue to us.

Response Matrix:

+-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------+
|Product|Version|Running On|CVE Identifier|CVSSV3|Severity|Fixed Version       |Workarounds|Additional Documents|
|-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------|
|ESXi   |6.7    |Any       |CVE-2019-5531 |4.2   |Moderate|ESXi670-201904101-SG|None       |None                |
|ESXi   |6.5    |Any       |CVE-2019-5531 |4.2   |Moderate|ESXi650-201907101-SG|None       |None                |
|ESXi   |6.0    |Any       |CVE-2019-5531 |4.2   |Moderate|ESXi600-201909101-SG|None       |None                |
|vCenter|6.7    |Any       |CVE-2019-5531 |4.2   |Moderate|6.7 U1b             |None       |None                |
|vCenter|6.5    |Any       |CVE-2019-5531 |4.2   |Moderate|6.5 U2b             |None       |None                |
|vCenter|6.0    |Any       |CVE-2019-5531 |4.2   |Moderate|6.0 U3j             |None       |None                |
+-------+-------+----------+--------------+------+--------+--------------------+-----------+--------------------+

3c. VMware vCenter Server information disclosure vulnerability - CVE-2019-5532

Description:

VMware vCenter Server contains an information disclosure vulnerability due to
the logging of credentials in plain text for virtual machines deployed through
OVF. VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors:

A malicious user with access to the log files containing vCenter OVF-properties
of a virtual machine deployed from an OVF may be able to view the credentials
used to deploy the OVF (typically the root account of the virtual machine).

Resolution:

To remediate CVE-2019-5532, update/upgrade to the versions listed in the
'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

If the password of the deployment account (typically root) is changed on the
virtual machine after deployment of the OVF, then the credentials stored in
the vCenter OVF-properties will no longer be valid and cannot be used to
access the virtual machine.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Ola Beyioku for reporting this issue to us.

Response Matrix:

+-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------+
|Product|Version|Running On|CVE Identifier|CVSSV3|Severity |Fixed Version|Workarounds|Additional Documents|
|-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------|
|vCenter|6.7    |Any       |CVE-2019-5532 |7.7   |Important|6.7 U3       |See above  |None                |
|vCenter|6.5    |Any       |CVE-2019-5532 |7.7   |Important|6.5 U3       |See above  |None                |
|vCenter|6.0    |Any       |CVE-2019-5532 |7.7   |Important|6.0 U3j      |See above  |None                |
+-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------+

3d. Information disclosure vulnerability in vAppConfig properties - CVE-2019-5534

Description:

Virtual machines deployed from an OVF could expose login information via the
virtual machine's vAppConfig properties. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.7.
Known Attack Vectors:

A malicious actor with access to query the vAppConfig properties of a virtual
machine deployed from an OVF may be able to view the credentials used to deploy
the OVF (typically the root account of the virtual machine).

Resolution:

To mitigate CVE-2019-5534, upgrade to the versions listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.

Workarounds:

The information stored in vAppConfig properties is captured at the time of
deployment. If the password of the deployment account (typically root) is
changed on the virtual machine after deployment of the OVF, then the
credentials stored in the vAppConfig properties will no longer be valid and
cannot be used to access the virtual machine.

Additional Documentations:

None.

Acknowledgements:

VMware would like to thank Rich Browne of F5 Networks for reporting this issue
to us.

Response Matrix:

+-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------+
|Product|Version|Running On|CVE Identifier|CVSSV3|Severity |Fixed Version|Workarounds|Additional Documents|
|-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------|
|vCenter|6.7    |Any       |CVE-2019-5534 |7.7   |Important|6.7 U3       |See above  |None                |
|vCenter|6.5    |Any       |CVE-2019-5534 |7.7   |Important|6.5 U3       |See above  |None                |
|vCenter|6.0    |Any       |CVE-2019-5534 |7.7   |Important|6.0 U3j      |See above  |None                |
+-------+-------+----------+--------------+------+---------+-------------+-----------+--------------------+

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5534

Fixed Version(s) and Release Notes:

ESXi 6.7 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u3-release-notes.html

ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

ESXi 6.7 U1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-671-release-notes.html

ESXi 6.5 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html

ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912

ESXi 6.0, Patch Release ESXi600-201807001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627

ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

vCenter 6.7 U1b
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?downloadGroup=VC67U1B&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u1b-release-notes.html

vCenter 6.5 U2b
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?downloadGroup=VC65U2B&productId=614&rPId=24466
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2b-release-notes.html

vCenter 6.5 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VC65U3
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3-release-notes.html

vCenter 6.0 U3j
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3J&productId=491
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3j-release-notes.html

5. Change log

2019-09-16: VMSA-2019-0013
Initial security advisory detailing remediation information for the VMware
vSphere ESXi and VMware vCenter Server 6.7, 6.5 and 6.0 release lines.

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2019 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
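The exposure in section 3d above (CVE-2019-5534) is that a VM deployed from an OVF keeps its deployment credentials in the vAppConfig properties captured at deployment time, readable by anyone who can query them. The following audit is an added example, not code from the advisory, AusCERT or VMware: it flags vApp properties that look like stored credentials so an administrator can see which VMs need the deployment-account password rotated, as the advisory's workaround describes. `VAppProperty` is a constructed stand-in for the `id`, `label`, `type` and `value` fields of pyvmomi's `vim.vApp.PropertyInfo` (an assumption about how a live run would feed it), and the inventory is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the fields of pyvmomi's vim.vApp.PropertyInfo used
# here. Against a live vCenter you would build these from
# vm.config.vAppConfig.property for each VM (assumption, not verified here).
@dataclass
class VAppProperty:
    id: str
    label: str
    type: str    # OVF property type, e.g. "string", "password", "boolean"
    value: str   # value captured at deployment time and kept by vCenter

@dataclass
class Finding:
    vm: str
    property_id: str
    reason: str

# OVF has a dedicated "password" type, but deployers also put secrets into plain
# "string" properties with telling names, so check both the type and the name.
CREDENTIAL_NAME = re.compile(r"pass(word|wd|phrase)?|secret|credential|token", re.I)

def looks_like_credential(prop: VAppProperty) -> Optional[str]:
    """Return why this property looks like a stored credential, or None."""
    if not prop.value:  # an empty value discloses nothing
        return None
    if prop.type.lower() == "password":
        return "OVF password-typed property still holds its deployment value"
    if CREDENTIAL_NAME.search(prop.id) or CREDENTIAL_NAME.search(prop.label):
        return "credential-like property name with a stored value"
    return None

def audit_vapp_properties(inventory: Dict[str, Iterable[VAppProperty]]) -> List[Finding]:
    """Walk {vm_name: properties} and collect properties that expose credentials."""
    findings: List[Finding] = []
    for vm_name, props in inventory.items():
        for prop in props:
            reason = looks_like_credential(prop)
            if reason:
                findings.append(Finding(vm_name, prop.id, reason))
    return findings

# Constructed sample inventory: three VMs deployed from OVF templates.
SAMPLE_INVENTORY: Dict[str, List[VAppProperty]] = {
    "web-01": [VAppProperty("hostname", "Host name", "string", "web-01"),
               VAppProperty("root_password", "Root password", "password", "S3cret!")],
    "db-01": [VAppProperty("admin_pw", "Admin password", "string", "hunter2"),
              VAppProperty("ssh_pubkey", "SSH public key", "string", "ssh-ed25519 AAAA...")],
    # constructed case: password-typed property present but empty, nothing to flag
    "tools-01": [VAppProperty("root_password", "Root password", "password", ""),
                 VAppProperty("timezone", "Time zone", "string", "UTC")],
}

if __name__ == "__main__":
    for f in audit_vapp_properties(SAMPLE_INVENTORY):
        print(f"{f.vm}: '{f.property_id}' - {f.reason}; rotate that account's password")
```

A flagged property whose guest password was already changed after deployment is stale rather than live per the workaround in section 3d, so track rotations alongside these findings rather than treating every hit as an open exposure.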
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================