Thursday 29 December 2016

VMware removes hard-coded root access key from vSphere Data Protection

VMware has released a patch for vSphere Data Protection (VDP) that replaces a hard-coded SSH key which could allow remote attackers to gain root access to the virtual appliance.

VDP is a backup and restore product distributed as an Open Virtual Appliance (OVA). It integrates with VMware vCenter Server and provides centralized management of backup jobs for up to 100 virtual machines.

According to the VMware support article, the vSphere Data Protection (VDP) appliance contains a static SSH private key with a known password. The key enables interoperability with EMC Avamar backup and recovery software (a deduplication solution) and is preconfigured in VDP as an AuthorizedKey.

"An attacker with access to the internal network can take advantage of this to access the device with root privileges and more to complete a complete transaction," VMware said.

VMware rates the issue as critical and has developed a fix that can be copied to the appliance and executed there to replace the default SSH key and set a new password.
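The two preceding paragraphs describe the weakness (a vendor-supplied public key preinstalled in the appliance's authorized keys) and the shape of the fix (replace the key). The following is an added example, not code from VMware, EMC or the article, that shows the check a defender would run on any appliance: parse an `authorized_keys` file, compute the OpenSSH-style SHA256 fingerprint of each entry, flag entries whose fingerprint is on a denylist of known vendor keys, and produce a cleaned file with those entries removed. The sample file, the key material and the denylist are all constructed here for illustration; the fingerprint of VMware's actual key is not on the page and is not used.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32: bytes) -> str:
    """Build the base64 blob of an ssh-ed25519 public key from 32 raw bytes.
    The bytes are constructed for the example and are not a real key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64(sha256(raw blob)) without '=' padding,
    the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line: lineno, key type, fingerprint, comment.
    Options that precede the key type (e.g. no-port-forwarding) are skipped.
    Quoted options containing spaces (command="...") are not handled here."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        # The key type is the first token that looks like an SSH algorithm name.
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line; ignore rather than guess
        entries.append({
            "lineno": lineno,
            "type": parts[idx],
            "fingerprint": fingerprint(parts[idx + 1]),
            "comment": " ".join(parts[idx + 2:]),
        })
    return entries


def audit(text: str, denylist: set) -> list:
    """Entries whose fingerprint matches a known vendor/default key."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] in denylist]


def purge(text: str, denylist: set) -> str:
    """Return the file with denylisted key lines removed, everything else intact."""
    flagged = {e["lineno"] for e in audit(text, denylist)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample data: a "vendor interop" key baked into the image and a
# legitimate administrator key. Neither is real key material.
VENDOR_BLOB = ed25519_blob(bytes(range(32)))
ADMIN_BLOB = ed25519_blob(b"\x42" * 32)
KNOWN_VENDOR_KEYS = {fingerprint(VENDOR_BLOB)}  # denylist, constructed

SAMPLE_AUTHORIZED_KEYS = (
    "# constructed sample authorized_keys for the example\n"
    f"ssh-ed25519 {VENDOR_BLOB} vendor-interop\n"
    f"no-port-forwarding ssh-ed25519 {ADMIN_BLOB} admin@backup-console\n"
)

if __name__ == "__main__":
    for hit in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_VENDOR_KEYS):
        print(f"line {hit['lineno']}: denylisted {hit['type']} key "
              f"{hit['fingerprint']} ({hit['comment']})")
    print("--- cleaned file ---")
    print(purge(SAMPLE_AUTHORIZED_KEYS, KNOWN_VENDOR_KEYS), end="")
```

Comparing fingerprints rather than raw blobs keeps the denylist short and lets it be built directly from `ssh-keygen -lf` output on a vendor-published key; removing the authorized entry is what closes the hole, since the matching private key is already in the attacker's hands wherever the appliance image has been distributed.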

Shipping appliances with built-in access credentials that users cannot change is a serious security weakness. Unfortunately, this was common practice in the past, and vendors have spent years cleaning such mistakes out of their products.

On Tuesday, VMware also fixed a stored cross-site scripting vulnerability in its vSphere Hypervisor (ESXi) product. The flaw is rated important.

"The problem can be introduced by an attacker who has permission to manage virtual machines through an ESX host or client to trick the vSphere administrator into importing a designed virtual machine," the company said in a statement. "The problem can be activated on the system from which the ESXi host client is used to manage the designed virtual machine."

VMware has released security patches for ESXi 5.5 and 6.0 to address this issue and advises users not to import virtual machines from untrusted sources.
