VMware vCenter and ESXi fall foul of remote code execution bugs

Users of vCenter and ESXi should update their installations now to avoid the chance of remote code execution occurring on their host machines.

An insecure configuration of Java Management Extensions (JMX) within VMware's vCenter has been identified as the cause of a vulnerability that allows code execution on host machines.

One of the discoverers of the security hole, 7 Elements' Doug Mcleod, said the vulnerability allowed system-level access to virtual machine host servers and resulted in a full compromise of the environment.

"VMware vCenter Server provides a centralised platform for managing your VMware vSphere environments so you can automate and deliver a virtual infrastructure. VMware vCenter was found to bind an unauthenticated JMX/RMI service to the network stack," the 7 Elements advisory said.

Because the JMX service did not require authentication, a remote user could instruct it to load a managed bean (MBean) from a remote URL pointing to a JAR file; the code in that JAR would then run on the server, resulting in remote code execution.
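As an added illustration (not part of the original article or the 7 Elements advisory), the following Python sketch audits JVM command lines for the class of misconfiguration described above: a remote JMX connector with authentication switched off. It relies only on the standard `com.sun.management.jmxremote.*` JVM system properties; the command lines are constructed samples and do not reflect vCenter's actual startup configuration.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def jmx_properties(cmdline):
    """Collect -Dcom.sun.management.jmxremote.* properties from a JVM command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D" + PREFIX):
            key, _, value = arg[2:].partition("=")
            props[key[len(PREFIX):].lstrip(".")] = value.strip()
    return props

def audit_jmx(cmdline):
    """Return findings for a JVM command line; an empty list means nothing flagged."""
    props = jmx_properties(cmdline)
    if "port" not in props:
        return []  # no remote JMX connector requested on the command line
    # The JVM defaults both authenticate and ssl to true when they are not set.
    no_auth = props.get("authenticate", "true").lower() == "false"
    no_tls = props.get("ssl", "true").lower() == "false"
    # The host property is only honoured by newer JDKs; absent means all interfaces.
    on_network = props.get("host", "").lower() not in LOOPBACK
    findings = []
    if no_auth and on_network:
        findings.append("CRITICAL: unauthenticated JMX/RMI reachable from the network")
    elif no_auth:
        findings.append("HIGH: unauthenticated JMX/RMI bound to loopback")
    if no_tls:
        findings.append("MEDIUM: JMX/RMI connector without TLS")
    return findings

# Constructed sample command lines, for illustration only.
SAMPLES = [
    "java -Dcom.sun.management.jmxremote.port=9875 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Dcom.sun.management.jmxremote.ssl=false -jar service.jar",
    "java -Dcom.sun.management.jmxremote.port=9875 "
    "-Dcom.sun.management.jmxremote.password.file=/etc/app/jmx.password -jar service.jar",
    "java -Xmx2g -jar service.jar",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(audit_jmx(line) or ["OK: no insecure remote JMX flags"])
```

JMX can also be enabled through a management properties file or in application code, so a clean result here does not rule out an exposed connector; confirming what is actually listening on the host remains necessary.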

"Using already available tools, it is a trivial exercise to gain full control over a vulnerable vCenter instance," Mcleod wrote in a blog post.

"The attack vector has already been weaponised with two known Metasploit modules and a separate exploit, made up of Java class files, that when compiled and executed passes a command to the server to be executed."

Versions of vCenter Server from 5.0 through to 6.0 were vulnerable to the exploit, and VMware has released patches that are available now. Mcleod said he reported the vulnerability to VMware on February 27, 2015.

Mcleod was not the sole finder of the vulnerability though, with VMware thanking an anonymous researcher from HP's Zero Day Initiative as well in its advisory.

In the same advisory, VMware advised that ESXi versions 5.0, 5.1, and 5.5 were affected by a remote code execution bug as well.

"VMware ESXi contains a double free flaw in OpenSLP's SLPDProcessMessage() function. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely on the ESXi host," VMware said.

"VMware would like to thank Qinghao Tang of QIHU 360 for reporting this issue to us."

There has been speculation that EMC's relationship with VMware might be on the rocks.

If such a move were to occur, EMC IT senior vice president Jon Peirce told ZDNet that EMC would be well-positioned to handle any changes that may occur.
