-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3958
  VMSA-2019-0018 VMware vCenter Server Appliance updates address sensitive
    information disclosure vulnerability in backup and restore functions
                        (CVE-2019-5537, CVE-2019-5538)
                              25 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vCenter Server Appliance
Publisher:         VMWare
Operating System:  Virtualisation
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5538 CVE-2019-5537

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2019-0018.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

Advisory ID:       VMSA-2019-0018
Advisory Severity: Moderate
CVSSv3 Range:      6.8
Synopsis:          VMware vCenter Server Appliance updates address sensitive
                   information disclosure vulnerability in backup and restore
                   functions (CVE-2019-5537, CVE-2019-5538)
Issue Date:        2019-10-24
Updated On:        2019-10-24 (Initial Advisory)
CVE(s):            CVE-2019-5537, CVE-2019-5538

1. Impacted Products

   VMware vCenter Server Appliance

2. Introduction

   Vulnerabilities in the File-Based Backup and Restore functions of vCenter
   Server Appliance were privately reported to the VMware Security Response
   Center. Updates are available which allow enablement of strict certificate
   validation to remediate these vulnerabilities.

3. VMware vCenter Server Appliance sensitive information disclosure
   vulnerabilities in File-Based Backup and Restore functions
   (CVE-2019-5537 and CVE-2019-5538)

   Description:

   Sensitive information disclosure vulnerabilities resulting from a lack of
   certificate validation during the File-Based Backup and Restore operations
   of VMware vCenter Server Appliance may allow a malicious actor to intercept
   sensitive data in transit over FTPS and HTTPS (CVE-2019-5537) as well as
   SCP (CVE-2019-5538). VMware has evaluated the severity of these issues to
   be in the Moderate severity range with a maximum CVSSv3 base score of 6.8.

   Known Attack Vectors:

   A malicious actor with man-in-the-middle positioning between vCenter Server
   Appliance and a backup target may be able to intercept sensitive data in
   transit during File-Based Backup and Restore operations.

   Resolution:

   To remediate CVE-2019-5537 and CVE-2019-5538 first apply the patches listed
   in the 'Fixed Version' column and then follow the instructions documented
   in KB75156 listed in the 'Additional Documentation' column found in the
   'Resolution Matrix' below to enforce strict certificate validation.

   Workarounds:

   None.

   Additional Documentation:

   To avoid breaking currently configured File-Based Backup and Restore
   workflows, remediation of CVE-2019-5537 and CVE-2019-5538 is not enabled by
   default. After upgrading vCenter Server Appliance, follow the steps in
   KB75156 to enforce strict certificate validation.

   Notes:

   None.

   Acknowledgements:

   VMware would like to thank Thorsten Tullmann, Karlsruhe Institute of
   Technology and James Renken for independently reporting these issues to us.
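   The underlying defect in both CVEs is the same: the backup client accepted
   whatever certificate (FTPS/HTTPS) or host key (SCP) the backup target
   presented, so an on-path attacker could terminate the session with its
   own credential and read the backup. The following Python example, added
   here as an illustration and not VMware's code or what vCenter does
   internally, puts the lax and strict TLS client settings side by side and
   implements a pinned host-key check of the kind that closes the SCP side.
   The hostname, the sample host key and the pinned fingerprint are
   constructed for the example.

```python
"""Strict validation of a backup target's identity for the two transport
families in VMSA-2019-0018: TLS (FTPS/HTTPS, CVE-2019-5537) and SSH (SCP,
CVE-2019-5538). Added illustration, not VMware code; the host key and the
pinned fingerprint below are constructed for the example."""
import base64
import hashlib
import ssl
import struct
from typing import Optional


def strict_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses a backup target whose chain does not
    validate or whose certificate does not match the hostname. With no
    ca_file the system trust store is used; for a backup server with a
    private CA pass the CA bundle that signed its certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_tls_context() -> ssl.SSLContext:
    """The failure mode the advisory describes: any certificate is accepted,
    so an on-path attacker can terminate the TLS session with its own cert.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only when chain validation and hostname checking
    are both enforced. Either one alone still leaves an on-path attacker a
    way in (a valid certificate for a different name, or no chain check)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ssh_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Encode a public key as the SSH wire blob (string type || string key),
    which is the base64 payload found on known_hosts / authorized_keys lines."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)


def ssh_fingerprint(known_hosts_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64, no padding>' fingerprint of the key on a
    known_hosts line of the form 'host key-type base64-blob [comment]'."""
    _host, _key_type, b64blob = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def scp_target_is_trusted(known_hosts_line: str, pinned_fingerprint: str) -> bool:
    """Strict host-key check for the SCP target: the key the server presents
    must match the fingerprint recorded out of band when the target was set
    up. Without this check an on-path host can present its own key and
    receive the backup stream."""
    return ssh_fingerprint(known_hosts_line) == pinned_fingerprint


# Constructed sample: a fake 32-byte ed25519 public key (NOT a real server
# key) and a tampered variant standing in for an attacker's substitute key.
_GOOD_KEY = bytes(range(32))
_EVIL_KEY = bytes([1]) + bytes(range(1, 32))
_HOST = "backup.example.internal"  # hypothetical backup target
GOOD_LINE = f"{_HOST} ssh-ed25519 " + base64.b64encode(ssh_key_blob("ssh-ed25519", _GOOD_KEY)).decode()
EVIL_LINE = f"{_HOST} ssh-ed25519 " + base64.b64encode(ssh_key_blob("ssh-ed25519", _EVIL_KEY)).decode()
PINNED = ssh_fingerprint(GOOD_LINE)  # what the operator recorded at setup time


if __name__ == "__main__":
    print("strict TLS context enforces validation:", tls_context_is_strict(strict_tls_context()))
    print("lax TLS context enforces validation:   ", tls_context_is_strict(lax_tls_context()))
    print("genuine SCP target accepted:           ", scp_target_is_trusted(GOOD_LINE, PINNED))
    print("substituted host key accepted:         ", scp_target_is_trusted(EVIL_LINE, PINNED))
```

   The fingerprint format matches what `ssh-keygen -lf` prints, so the value
   to pin can be taken from the backup host itself over a trusted channel
   rather than from the first connection. Any client that would otherwise be
   configured like `lax_tls_context()` should be treated as having the same
   exposure the advisory describes, whatever product it sits in.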
   Response Matrix:

   Product                   Version  Running On         CVE Identifier                CVSSv3  Severity  Fixed Version  Workarounds  Additional Documents
   vCenter Server Appliance  6.7      Virtual Appliance  CVE-2019-5537, CVE-2019-5538  6.8     Moderate  6.7u3a         None         KB75156
   vCenter Server Appliance  6.5      Virtual Appliance  CVE-2019-5537, CVE-2019-5538  6.8     Moderate  6.5u3d         None         KB75156
   vCenter Server Appliance  6.0      Virtual Appliance  CVE-2019-5537, CVE-2019-5538  N/A     N/A       Unaffected     None         None

4. References

   FIRST CVSSv3 Calculator:
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

   Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5537
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5538

   Fixed Version(s) and Release Notes:

   VMware vCenter Server Appliance 6.7u3a
   https://my.vmware.com/web/vmware/details?productId=742&rPId=38207&downloadGroup=VC67U3a

   VMware vCenter Server Appliance 6.5u3d
   https://my.vmware.com/web/vmware/details?productId=614&rPId=38398&downloadGroup=ESXI65U3D

   Additional Documentation:
   https://kb.vmware.com/s/article/75156

5. Change log

   2019-10-24: VMSA-2019-0018 Initial security advisory detailing remediations
   for CVE-2019-5537 and CVE-2019-5538 in VMware vCenter Server Appliance
   6.7u3a and 6.5u3d.

6. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2019 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXbKA7GaOgq3Tt24GAQitlw//TKjrh+n2Xkd8ud0fn/uvDzPmMYHFmRqh
h40F4myAjnrwtcuAQSkf+AZmpNfWWcqJbCgIJBo1qgCQX3gekN3Ppv1YluwJCwrP
1gcMdCSbHx5H2GQnF2do12mEYsWBH+/XxTYlxTAEfeGrC9B/AYcX5LT9nM0Ln7TM
wQfwg4tGe/7SLN5ZsKoTsRDM1/UCvUR0qaKEtFXXxNrSeLQHnpxjvOFIh+RaQBgN
V0ZGQvT5vxZsk55O6N5F++ifVvRmXJQq6emRo+HDshj4QebSsbrLi19Rj9FDnIJ7
wMxB3llaFus0r/JvIb2nbNUbPOPdSncJ9RjVflNXA/aXTxpJAFkoaT0+7MSVsbdP
yKGqkSkKt9Ih+OUbnIYZb6qFFF99cGZJ53TXra4n9ssl4b1A1weoxT1qNTaHpRYI
D4JAxM4d5Ot91JalAF5X2j2EeyFdx8i2NCXlqlS89nQdnGxyDTthPm0ZI8VzCF5W
oshOkCXth6BjzsCtFeQBKidrsOg1ICZ7AFS8iq+z0R/d9wFMBCJ9QEyexYF2GRZR
/Y1nIy1xlO39biXRe48xa3fTZkVyxPTn23jol1XQcZ7K8/UbNsG8Pogaw5GJy+nl
rfO4q1z0CHB6oZIlc7blXIkwf9iO1rN/A46CwSkyDwCy595z8k1Usb5MgWeKSntg
FI5olp+1dkA=
=DAIn
-----END PGP SIGNATURE-----