VMWare vCenter Server users... patch... NOW

Here's the supplemental blog that @Sky-Knight's link references:

The VMSA outlines two issues that are resolved in this patch release. First, there is a remote code execution vulnerability in the vSAN plugin, which ships as part of vCenter Server. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.

This is going to be huge.
 
But it requires bare metal access over port 443.

Known Attack Vectors
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
 
@Markverhyden Yeah, which is how you manage the vCenter server. So a compromised machine with access to your management VLAN can nuke the entire solution...

Oh wait, no most places are stupid and don't have isolated management VLANs. So any desktop on the network now has God level access to the host...

There is no good way to slice this... patch them.
 
Not to mention a lot of IT houses will put these things internet facing in one way or another, hopefully via a VPN... but even with a VPN...
I was never stupid enough to do that... but I know many that did as well. Just slapped them up on public addresses and called it good. Gives me the willies.
 
This isn't an exploit that busts out of the VM. The point is that simple network security procedures, which should always be implemented, would prevent this exploit from being a meaningful threat. There is no reason whatsoever to put hypervisor bare metal facing any public network. In my book the only thing on a network that's exposed to the public is the firewall. Computers are dirt cheap, so anything can be used as a console after a VPN tunnel has been established.

Of course EUs are always told not to click on any links if they get something strange in their email. We all know how well that works.
 
That's all well and good, but it doesn't mean you want a privilege escalation issue of this kind in production anywhere.

You can have the perfect setup, and still have everything go wrong.
 