VMSA-2006-0010 - SSL sessions not authenticated by VC Clients

2006-11-22T00:00:00
ID SECURITYVULNS:DOC:15195
Type securityvulns
Reporter Securityvulns
Modified 2006-11-22T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256


               VMware Security Advisory

Advisory ID: VMSA-2006-0010 Synopsis: SSL sessions not authenticated by VC Clients Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html Knowledge base URL:http://kb.vmware.com/kb/4646606 Issue date: 2006-11-21 Updated on: 2006-11-21 CVE number: CVE-2006-5990


  1. Summary:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and 1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack

  1. Relevant releases:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)

  1. Problem description:

To ensure a secure channel of communication, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Both the client and server need certificates from a mutually-trusted Certificate Authority (CA).

VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the x.509 certificate presented by a server to a client at the beginning of an SSL session is not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue for Windows client hosts.

However, certificate verification is not enabled by default for the clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1, you must specifically enable server-certificate verification on the Windows client hosts.

The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-5990 to this issue.

  1. Solution:

Note that installing the updated software does not, by default, enable authentication. For information about how to enable this new optional capability, see Knowledge Base (KB) article 4646606, "Enabling Server- Certificate Verification for Virtual Infrastructure Clients." http://kb.vmware.com/kb/4646606

Client hosts include: * VirtualCenter Server host, which operates as a client to each of the servers that it manages;

VirtualCenter Server 2.x: * Virtual Infrastructure Client (VI Client, or VIC), client software that lets you connect to and manage ESX Server hosts directly, or through a VirtualCenter Server host;

VirtualCenter Server 1.x: * VirtualCenter Client (VC Client), client software that lets you connect to and manage ESX Server 2.x hosts through a VirtualCenter Server host (1.x version).

  1. References:

http://www.vmware.com/download/vi/vc-201-200611-patch.html http://www.vmware.com/download/vc/vc-141-200611-patch.html http://kb.vmware.com/kb/4646606 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990

  1. Contact:

http://www.vmware.com/security

VMware Security Response Policy http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail: security@vmware.com

Copyright 2006 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ 5cb1Sr9XdCvxVuMh7UKNF94= =iEXc -----END PGP SIGNATURE-----