VMware Releases Patch for Critical Vulnerability
Virtualization enables organizations to minimize equipment costs and streamline the deployment and management of systems. But despite its benefits, the technology opens the door to vulnerabilities just as devastating as those targeting traditional platforms.
DDI Labs, a security risk assessment solutions firm based in Texas, discovered in late September a vulnerability in VMware View that enables an unauthenticated user to access sensitive information without permission. The team reported the vulnerability to the virtualization vendor in October.
According to Network World, DDI Labs stumbled upon the bug when performing a series of generic directory traversal checks on systems operating on View. The team found a guest user was able to retrieve files to which he or she had not been granted access due to a flaw in the underlying root file system of View Security Server and View Connection Server.
The attacker can retrieve arbitrary files from the affected View Server by "submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory," DDI Labs wrote in a post to the Digital Defense Vulnerability Research and Security Analytics Blog on December 14th.
VMware View 5.x prior to version 5.1.2 and VMware View 4.x prior to 4.6.2 are affected by this vulnerability.
On December 20, however, VMware, released a patch fixing the critical directory traversal vulnerability. IT professionals at midsize businesses that have a licensed version of VMware View can download the patch from the VMware website.
Organizations that are unable to immediately apply the fix can disable View Security Server to prevent attackers from exploiting the bug over unsecure remote networks, or IT staff can enable authorized users to instead establish a connection to View Connection Server using a virtual private network.
VMware says companies may also be able to circumvent potential attacks with an application-layer firewall or intrusion detection software (IDS).
Virtualization solutions are appealing to hackers due to the potential opportunity to exploit the virtualization layer -- and compromise all hosts operating on the platform, as a result -- and the ability to execute attacks behind the scenes, as most IDS solutions focus on activies performed on physical systems, not virtual environments.
Javier Castro, a Senior Vulnerability Researcher at DDI Labs, told Network World that VMware products are "'juicy,' because by the nature of virtualization, they provide access to a lot of virtual machines."
Of course, that doesn't mean that companies shouldn't use VMware virtualization solutions, but midsize businesses should make sure to specifically involve security professionals when planning and deploying virtualization environments.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.