VMWare Fixes Critical RCE in vCenter Server

VMware patched a critical vulnerability in its vCenter Server platform late last week that could have let an attacker execute arbitrary code in some scenarios.

The vulnerability affected two versions of vCenter, 6.5 and 6.0. Users are encouraged to update to the most recent versions, 6.5c, and 6.0U3b, pushed on Thursday.

> Today we’ve published a new #VMware Security Advisory VMSA-2017-0007 for vCenter Server <https://t.co/YqV5zNlJXw&gt;
>
> — VMware Sec Response (@VMwareSRC) April 14, 2017

US-CERT warned about the vulnerability, stressing exploitation could result in an attacker taking control of an affected system, in an alert posted on Friday.

vCenter Server, formerly known as VirtualCenter, is a tool used for managing vSphere virtual environments.

The vulnerability technically stems from the usage of BlazeDS to process AMF3 messages. BlazeDS, originally developed by Adobe, is a server-based Java remoting and web-based messaging technology. AMF3, or Action Message Format 3, is a compact binary is a message format, also developed by Adobe, used by Flash apps to communicate and to serialize ActionScript object graphs.

The vulnerability could allow an attacker to execute arbitrary code when deserializing an untrusted Java object, according to VMware’s security advisory.

VMware says the issue (CVE-2017-5641) is present in the Customer Experience Improvement Program (CEIP) functionality of the platform. Even if a user has opted out of the functionality, the vulnerability still exists, VMware claims.

Markus Wulftange, a penetration tester at the German security firm Code White discovered the AMF bug and published a thorough write-up earlier this month.

> VMware vCenter Server 6.x affected by the AMF bug in BlazeDS (<https://t.co/eIO3xiXb0H&gt;) <https://t.co/l9Z5Slazvf&gt;
>
> — Markus Wulftange (@mwulftange) April 14, 2017

Wulftange disclosed the vulnerabilities, insecure deserialization and XML external entities references, to US-CERT two weeks ago and suggested at the time they could affect products made by VMware, along with Atlassian, HPE, and SonicWall.

Atlassian, for its part, fixed the vulnerability, which affected JIRA (CVE-2017-5983), several weeks ago. According to a JIRA ticket on the vulnerability, the bug affected versions from 4.2.4 prior to version 6.3.0 and fetched a CVSS rating of 9.8. In addition to remote code execution, the vulnerability also could have lead to the disclosure of private files or the execution of a denial of service attack against a JIRA server.

According to US-CERT’s Vulnerability Note on Wulftange’s findings, it’s still unknown whether HPE, SonicWall, or Exadel software is affected.