VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
2006-11-22T00:00:00
ID SECURITYVULNS:DOC:15195 Type securityvulns Reporter Securityvulns Modified 2006-11-22T00:00:00
Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
VMware Security Advisory
Advisory ID: VMSA-2006-0010
Synopsis: SSL sessions not authenticated by VC Clients
Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL:http://kb.vmware.com/kb/4646606
Issue date: 2006-11-21
Updated on: 2006-11-21
CVE number: CVE-2006-5990
Summary:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's
X.509 certificate when creating an SSL session, which allows remote
malicious servers to spoof valid servers via a man-in-the-middle attack
Relevant releases:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
Problem description:
To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of.
Both the client and server need certificates from a mutually-trusted
Certificate Authority (CA).
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an
issue with server-certificate verification by VirtualCenter clients
during the initial SSL handshake. Specifically, the x.509 certificate
presented by a server to a client at the beginning of an SSL session is
not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch
1 resolve this issue for Windows client hosts.
However, certificate verification is not enabled by default for the
clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter
1.4.1 Patch 1, you must specifically enable server-certificate
verification on the Windows client hosts.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-5990 to this issue.
Solution:
Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling Server-
Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of
the servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software
that lets you connect to and manage ESX Server hosts directly, or
through a VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you
connect to and manage ESX Server 2.x hosts through a VirtualCenter
Server host (1.x version).
{"id": "SECURITYVULNS:DOC:15195", "bulletinFamily": "software", "title": "VMSA-2006-0010 - SSL sessions not authenticated by VC Clients", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- - -------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2006-0010\r\nSynopsis: SSL sessions not authenticated by VC Clients\r\nPatch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html\r\nPatch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html\r\nKnowledge base URL:http://kb.vmware.com/kb/4646606\r\nIssue date: 2006-11-21\r\nUpdated on: 2006-11-21\r\nCVE number: CVE-2006-5990\r\n- - -------------------------------------------------------------------\r\n\r\n1. Summary:\r\n\r\nVMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and\r\n1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's\r\nX.509 certificate when creating an SSL session, which allows remote\r\nmalicious servers to spoof valid servers via a man-in-the-middle attack\r\n\r\n2. Relevant releases:\r\n\r\nVMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)\r\nVMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)\r\n\r\n3. Problem description:\r\n\r\nTo ensure a secure channel of communication, you must be sure that any\r\ncommunication is with "trusted" sites whose identity you can be sure of.\r\n Both the client and server need certificates from a mutually-trusted\r\nCertificate Authority (CA).\r\n\r\nVirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an\r\nissue with server-certificate verification by VirtualCenter clients\r\nduring the initial SSL handshake. Specifically, the x.509 certificate\r\npresented by a server to a client at the beginning of an SSL session is\r\nnot verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch\r\n1 resolve this issue for Windows client hosts.\r\n\r\nHowever, certificate verification is not enabled by default for the\r\nclients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter\r\n1.4.1 Patch 1, you must specifically enable server-certificate\r\nverification on the Windows client hosts.\r\n\r\nThe Common Vulnerabilities and Exposures project (cve.mitre.org)\r\nassigned the name CVE-2006-5990 to this issue.\r\n\r\n4. Solution:\r\n\r\nNote that installing the updated software does not, by default, enable\r\nauthentication. For information about how to enable this new optional\r\ncapability, see Knowledge Base (KB) article 4646606, "Enabling Server-\r\nCertificate Verification for Virtual Infrastructure Clients."\r\nhttp://kb.vmware.com/kb/4646606\r\n\r\nClient hosts include:\r\n * VirtualCenter Server host, which operates as a client to each of\r\n the servers that it manages;\r\n\r\nVirtualCenter Server 2.x:\r\n * Virtual Infrastructure Client (VI Client, or VIC), client software\r\n that lets you connect to and manage ESX Server hosts directly, or\r\n through a VirtualCenter Server host;\r\n\r\nVirtualCenter Server 1.x:\r\n * VirtualCenter Client (VC Client), client software that lets you\r\n connect to and manage ESX Server 2.x hosts through a VirtualCenter\r\n Server host (1.x version).\r\n\r\n5. References:\r\n\r\nhttp://www.vmware.com/download/vi/vc-201-200611-patch.html\r\nhttp://www.vmware.com/download/vc/vc-141-200611-patch.html\r\nhttp://kb.vmware.com/kb/4646606\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990\r\n\r\n6. Contact:\r\n\r\nhttp://www.vmware.com/security\r\n\r\nVMware Security Response Policy\r\nhttp://www.vmware.com/vmtn/technology/security/security_response.html\r\n\r\nE-mail: security@vmware.com\r\n\r\nCopyright 2006 VMware Inc. All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\nComment: Using GnuPG with Fedora - http://enigmail.mozdev.org\r\n\r\niD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ\r\n5cb1Sr9XdCvxVuMh7UKNF94=\r\n=iEXc\r\n-----END PGP SIGNATURE-----", "published": "2006-11-22T00:00:00", "modified": "2006-11-22T00:00:00", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15195", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2006-5990"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:20", "edition": 1, "viewCount": 1, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2018-08-31T11:10:20", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-5990"]}, {"type": "osvdb", "idList": ["OSVDB:30644"]}], "modified": "2018-08-31T11:10:20", "rev": 2}, "vulnersScore": 6.9}, "affectedSoftware": []}
{"cve": [{"lastseen": "2020-10-03T11:48:19", "description": "VMWare VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and 1.4.x before 1.4.1 Patch 1 (Build 33425), when server certificate verification is enabled, does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack.", "edition": 3, "cvss3": {}, "published": "2006-11-21T01:07:00", "title": "CVE-2006-5990", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-5990"], "modified": "2018-10-17T21:46:00", "cpe": ["cpe:/a:vmware:virtualcenter:2.0.1", "cpe:/a:vmware:virtualcenter:1.4.1"], "id": "CVE-2006-5990", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5990", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:virtualcenter:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:virtualcenter:2.0.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "cvelist": ["CVE-2006-5990"], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://kb.vmware.com/kb/4646606\n[Vendor Specific Advisory URL](http://www.vmware.com/download/vi/vc-201-200611-patch.html)\nSecurity Tracker: 1017270\n[Secunia Advisory ID:23053](https://secuniaresearch.flexerasoftware.com/advisories/23053/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-11/0437.html\nKeyword: VMSA-2006-0010\nISS X-Force ID: 30477\nFrSIRT Advisory: ADV-2006-4655\n[CVE-2006-5990](https://vulners.com/cve/CVE-2006-5990)\nBugtraq ID: 21231\n", "edition": 1, "modified": "2006-11-16T06:18:53", "published": "2006-11-16T06:18:53", "href": "https://vulners.com/osvdb/OSVDB:30644", "id": "OSVDB:30644", "title": "VMware VirtualCenter Client X.509 Certificate SSL Verification Failure", "type": "osvdb", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}]}
