-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
VMware Security Advisory
Advisory ID: VMSA-2006-0010 Synopsis: SSL sessions not authenticated by VC Clients Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html Knowledge base URL:http://kb.vmware.com/kb/4646606 Issue date: 2006-11-21 Updated on: 2006-11-21 CVE number: CVE-2006-5990
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and 1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
To ensure a secure channel of communication, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Both the client and server need certificates from a mutually-trusted Certificate Authority (CA).
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the x.509 certificate presented by a server to a client at the beginning of an SSL session is not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue for Windows client hosts.
However, certificate verification is not enabled by default for the clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1, you must specifically enable server-certificate verification on the Windows client hosts.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-5990 to this issue.
Note that installing the updated software does not, by default, enable authentication. For information about how to enable this new optional capability, see Knowledge Base (KB) article 4646606, "Enabling Server- Certificate Verification for Virtual Infrastructure Clients." http://kb.vmware.com/kb/4646606
Client hosts include: * VirtualCenter Server host, which operates as a client to each of the servers that it manages;
VirtualCenter Server 2.x: * Virtual Infrastructure Client (VI Client, or VIC), client software that lets you connect to and manage ESX Server hosts directly, or through a VirtualCenter Server host;
VirtualCenter Server 1.x: * VirtualCenter Client (VC Client), client software that lets you connect to and manage ESX Server 2.x hosts through a VirtualCenter Server host (1.x version).
http://www.vmware.com/download/vi/vc-201-200611-patch.html http://www.vmware.com/download/vc/vc-141-200611-patch.html http://kb.vmware.com/kb/4646606 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990
VMware Security Response Policy http://www.vmware.com/vmtn/technology/security/security_response.html
Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ 5cb1Sr9XdCvxVuMh7UKNF94= =iEXc -----END PGP SIGNATURE-----