VMSA-2019-0013:VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities.
14 September 2019
Advisory ID | VMSA-2019-0013.1 |
Advisory Severity | Important |
CVSSv3 Range | 4.2-7.7 |
Synopsis | VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534) |
Issue Date | 2019-09-16 |
Updated On | 2019-09-19 |
CVE(s) | CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534 |
1. Impacted Products
- VMware vSphere ESXi (ESXi)
- VMware vCenter Server (vCenter)
2. Introduction
ESXi and vCenter updates address multiple vulnerabilities.
- CVE-2017-16544: VMware ESXi command injection vulnerability
- CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability
- CVE-2019-5532: VMware vCenter Server information disclosure vulnerability
- CVE-2019-5534: VMware vCenter Server Information disclosure vulnerability in vAppConfig properties
3a. VMware ESXi 'busybox' command injection vulnerability - CVE-2017-16544
Description:
ESXi contains a command injection vulnerability due to the use of a vulnerable version of busybox that does not sanitize filenames, so escape sequences embedded in a filename may be interpreted by the shell when the filename is displayed. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.
Known Attack Vectors:
An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file.
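The defensive counterpart to the issue described above is to render untrusted filenames so that control characters are shown as visible escapes rather than passed raw to the terminal. The following is an added example written for this advisory; it is not VMware's or busybox's code, and the filenames it checks are constructed for the example.

```python
"""Render untrusted filenames for terminal output so that embedded control
characters cannot be interpreted by the terminal or shell.

Added example for this advisory (not VMware's or busybox's code). It shows the
sanitisation the affected busybox version lacked: C0/C1 control characters
(ESC, BEL, CR, ...) and other non-printing code points in a filename are
replaced by visible escapes before the name is written to the terminal.
"""
import unicodedata


def render_filename(name: str) -> str:
    """Return a terminal-safe rendering of `name`.

    Backslashes are doubled so the escaped form is unambiguous; C0 controls,
    DEL and C1 controls become \\xNN; other non-printing Unicode categories
    (format, surrogate, private-use, unassigned) become \\uNNNN.
    """
    out = []
    for ch in name:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F:
            out.append(f"\\x{cp:02x}")
        elif unicodedata.category(ch) in ("Cc", "Cf", "Cs", "Co", "Cn"):
            out.append(f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def has_control_chars(name: str) -> bool:
    """True if displaying `name` raw would emit something the terminal may act on."""
    return render_filename(name) != name


def safe_listing(names):
    """Render a directory listing (list of filenames) for display."""
    return [render_filename(n) for n in names]


# Constructed sample listing: one clean name, one carrying a colour escape,
# one carrying a BEL character.
SAMPLE_LISTING = ["report.txt", "notes\x1b[31mred.log", "bell\x07.bin"]

if __name__ == "__main__":
    for line in safe_listing(SAMPLE_LISTING):
        print(line)
```

The same rule applies to any place a filename reaches a terminal: log viewers, `ls`-style output and shell prompts. Rendering is done at display time, so the file on disk keeps its original name and only the presentation changes.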
Resolution:
To remediate CVE-2017-16544 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Zhouyuan Yang of Fortinet's FortiGuard Labs for notifying us of this issue.
Response Matrix:
3b. ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability - CVE-2019-5531
Description:
The ESXi Host Client, vSphere Client and vSphere Web Client contain an information disclosure vulnerability arising from insufficient session expiration. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.2.
This issue affects:
- ESXi VMware Host Client (6.7, 6.5, 6.0).
- vCenter Server vSphere Client (HTML5) (6.7, 6.5).
- vCenter Server vSphere Web Client (FLEX/Flash) (6.7, 6.5, 6.0).
Known Attack Vectors:
An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
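The check whose absence the attack vector above relies on is that a VM console connection must be bound to a live user session and torn down when that session ends, whether by logout or idle timeout. The following is an added example written for this advisory, not VMware's code; it models that rule with a minimal in-memory broker (`ConsoleBroker`, `IDLE_TIMEOUT` and the ticket flow are assumptions for illustration, not a description of VMware's implementation), and the clock is injectable so the timeout path can be exercised offline.

```python
"""Session-bound VM console tickets.

Added example for this advisory; not VMware's code. It models the defensive
rule (an assumption for illustration, not VMware's implementation): a console
is opened only with a single-use ticket issued to a live session, and every
console belonging to a session is closed when that session is logged out or
exceeds its idle timeout.
"""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 900  # seconds; constructed value for the example


@dataclass
class Session:
    user: str
    last_seen: float
    consoles: set = field(default_factory=set)
    active: bool = True


class ConsoleBroker:
    def __init__(self, now=time.time):
        self.now = now                # injectable clock for testing
        self.sessions = {}            # session_id -> Session
        self.tickets = {}             # ticket -> session_id (single use)
        self.open_consoles = {}       # console_id -> session_id

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user=user, last_seen=self.now())
        return sid

    def _terminate(self, sid):
        """Mark the session dead and close every console bound to it."""
        s = self.sessions[sid]
        s.active = False
        for cid in list(s.consoles):
            self.open_consoles.pop(cid, None)
        s.consoles.clear()

    def _session_alive(self, sid):
        s = self.sessions.get(sid)
        if s is None or not s.active:
            return False
        if self.now() - s.last_seen > IDLE_TIMEOUT:
            self._terminate(sid)      # idle timeout closes the consoles too
            return False
        return True

    def touch(self, sid):
        """Record user activity; returns False once the session is gone."""
        if not self._session_alive(sid):
            return False
        self.sessions[sid].last_seen = self.now()
        return True

    def issue_console_ticket(self, sid):
        if not self._session_alive(sid):
            raise PermissionError("no live session")
        t = secrets.token_urlsafe(16)
        self.tickets[t] = sid
        return t

    def open_console(self, ticket):
        """Redeem a ticket; returns a console id or None if refused."""
        sid = self.tickets.pop(ticket, None)
        if sid is None or not self._session_alive(sid):
            return None
        cid = secrets.token_urlsafe(8)
        self.open_consoles[cid] = sid
        self.sessions[sid].consoles.add(cid)
        return cid

    def console_alive(self, cid):
        """Called on every console message: the session must still be live."""
        sid = self.open_consoles.get(cid)
        return sid is not None and self._session_alive(sid) and cid in self.open_consoles

    def logout(self, sid):
        if sid in self.sessions:
            self._terminate(sid)
```

The point of `console_alive` being evaluated per message is that a websocket established while the session was valid does not keep its authorisation by itself; liveness is re-derived from the session on each use, so logout and timeout take effect on existing connections, not only on new ones.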
Resolution:
To remediate CVE-2019-5531 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Dejan Zelic for reporting this issue to us.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documents |
ESXi | 6.7 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi670-201810101-SG | None | None |
ESXi | 6.5 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi650-201811102-SG | None | None |
ESXi | 6.0 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi600-201807103-SG | None | None |
vCenter | 6.7 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.7 U1b | None | None |
vCenter | 6.5 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.5 U2b | None | None |
vCenter | 6.0 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.0 U3j | None | None |
3c. VMware vCenter Server information disclosure vulnerability - CVE-2019-5532
Description:
VMware vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.
Known Attack Vectors:
A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
Resolution:
To remediate CVE-2019-5532, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
If the password of the deployment account (typically root) is changed on the virtual machine after deployment of the OVF then the credentials stored in the vCenter OVF-properties will no longer be valid and cannot be used to access the virtual machine.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Ola Beyioku for reporting this issue to us.
Response Matrix:
3d. Information disclosure vulnerability in vAppConfig properties - CVE-2019-5534
Description:
Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.
Known Attack Vectors:
A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).
Resolution:
To mitigate CVE-2019-5534, upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
The information stored in vAppConfig properties is captured at the time of deployment. If the password of the deployment account (typically root) is changed on the virtual machine after deployment of the OVF then the credentials stored in the vAppConfig properties will no longer be valid and cannot be used to access the virtual machine.
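Issues 3c and 3d share one root: values supplied as OVF properties at deployment time, including the deployment account's password, are retained as the VM's vAppConfig properties and, in 3c, were written to vCenter logs in plain text. Two defender-side checks follow as one added example written for this advisory; it is not VMware's code, and the OVF descriptor, the credential-key heuristic and the `ovf:password` handling are assumptions for illustration (the `ovf:password` attribute is the OVF descriptor's own marker for password-type properties). `scan_product_section` reports which properties of a descriptor carry credentials before the OVF is deployed, and `redact_properties` masks those values before a property set is logged.

```python
"""Audit OVF/vApp properties for credentials before they are persisted or logged.

Added example for this advisory; not VMware's code. Two defender-side checks:
  1. scan_product_section(): parse the ProductSection of an OVF descriptor and
     report every property that carries a credential, either because the
     descriptor marks it ovf:password="true" or because its key looks like a
     credential. These values become vAppConfig properties after deployment.
  2. redact_properties(): mask such values before a property set is logged.
The OVF descriptor below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
NS = {"ovf": OVF_NS}
# Heuristic for credential-like keys; an assumption for this example.
CREDENTIAL_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.I)

# Constructed descriptor: one property flagged as a password, one whose key
# looks like a credential but is not flagged, two ordinary settings.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <VirtualSystem ovf:id="appliance">
    <ProductSection>
      <Info>Constructed appliance properties</Info>
      <Property ovf:key="hostname" ovf:type="string" ovf:userConfigurable="true" ovf:value="vm01"/>
      <Property ovf:key="root_password" ovf:type="string" ovf:password="true" ovf:userConfigurable="true" ovf:value="S3cret!"/>
      <Property ovf:key="admin_token" ovf:type="string" ovf:userConfigurable="true" ovf:value="abc123"/>
      <Property ovf:key="ntp_server" ovf:type="string" ovf:userConfigurable="true" ovf:value="pool.ntp.org"/>
    </ProductSection>
  </VirtualSystem>
</Envelope>
"""


def _attr(el, name):
    """Read an ovf:-namespaced attribute from an element."""
    return el.get(f"{{{OVF_NS}}}{name}")


def is_credential_property(key, flagged_password):
    return flagged_password or bool(CREDENTIAL_KEY.search(key or ""))


def parse_properties(ovf_xml):
    """Return the ProductSection properties as a list of dicts."""
    root = ET.fromstring(ovf_xml)
    props = []
    for p in root.iterfind(".//ovf:ProductSection/ovf:Property", NS):
        props.append({
            "key": _attr(p, "key"),
            "value": _attr(p, "value"),
            "password": (_attr(p, "password") or "false").lower() == "true",
        })
    return props


def scan_product_section(ovf_xml):
    """List properties whose values would disclose a credential if retained or logged."""
    findings = []
    for p in parse_properties(ovf_xml):
        if is_credential_property(p["key"], p["password"]):
            findings.append({
                "key": p["key"],
                "reason": "ovf:password=true" if p["password"] else "credential-like key",
                "value_present": bool(p["value"]),
            })
    return findings


def redact_properties(props):
    """Return {key: value} with credential values masked, safe to write to a log."""
    return {
        p["key"]: ("<redacted>" if is_credential_property(p["key"], p["password"]) else p["value"])
        for p in props
    }


if __name__ == "__main__":
    for f in scan_product_section(SAMPLE_OVF):
        print(f"{f['key']}: {f['reason']} (value present: {f['value_present']})")
    print(redact_properties(parse_properties(SAMPLE_OVF)))
```

The scan is the pre-deployment check: a finding with `value_present` true means the descriptor already ships a credential that will be captured at deployment, which is exactly the state the workarounds above address by rotating the password afterwards. The redaction function is the logging-side control for 3c; it is applied to the property set, not to the stored configuration, so it does not change what the VM receives.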
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Rich Browne of F5 Networks for reporting this issue to us.
Response Matrix:
4. References
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5534
Fixed Version(s) and Release Notes:
ESXi 6.7 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u3-release-notes.html
ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html
ESXi 6.7 U1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-671-release-notes.html
ESXi 6.5 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html
ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912
ESXi 6.0, Patch Release ESXi600-201807001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627
ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html
vCenter 6.7 U1b
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?downloadGroup=VC67U1B&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u1b-release-notes.html
vCenter 6.5 U2b
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?downloadGroup=VC65U2B&productId=614&rPId=24466
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2b-release-notes.html
vCenter 6.5 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VC65U3
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3-release-notes.html
vCenter 6.0 U3j
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3J&productId=491
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3j-release-notes.html
5. Change log
2019-09-16: VMSA-2019-0013 Initial security advisory detailing remediation information for the VMware vSphere ESXi and VMware vCenter Server 6.7, 6.5 and 6.0 release lines.
2019-09-19: VMSA-2019-0013.1 Updated security advisory to reflect the correct ESXi patches for issue 3(b).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.