VMware, a Dell Technologies subsidiary, released several patches Tuesday fixing critical vulnerabilities affecting its vSphere cloud computing virtualization platform.
The patches address three vulnerabilities in VMware’s vSphere Data Protection (VDP), a backup and recovery solution used with its vSphere platform. According to the company, a remote attacker could exploit the vulnerabilities and take control of an affected system.
Each of the vulnerabilities (CVE-2017-15548, CVE-2017-15549, CVE-2017-15550) is rated critical. Affected are VDP versions 6.1.x, 6.0.x and 5.x running on VMware’s Virtual Appliances. The company said no workarounds are available.
vSphere Data Protection is a backup solution for use in vSphere environments, and is usually run in tandem with VMware’s vCenter Server and vSphere Web Client.
The VMware security advisory describes one of the vulnerabilities (CVE-2017-15548) as a VDP authentication bypass vulnerability. According to the company, the vulnerability allows a “remote unauthenticated malicious user (to) potentially bypass application authentication and gain unauthorized root access to the affected systems.”
A second VDP upload vulnerability (CVE-2017-15549) allows a “remote authenticated malicious user with low privileges (to) potentially upload arbitrary maliciously crafted files in any location on the server file system.”
Lastly, the vulnerability CVE-2017-15550 is a path traversal vulnerability that allows a “remote authenticated malicious user with low privileges (to) access arbitrary files on the server file system in the context of the running vulnerable application.”
According to VMware, patches are available for each of the vulnerabilities via updates to each of the impacted versions of vSphere Data Protection. VMware didn’t go into detail on the vulnerabilities.
Last year VMware patched several vulnerabilities tied to its vSphere Data Protection solution including a Java deserialization issue and a second vulnerability in VDP pertaining to how it stores credentials.
Source: ThreatPost