VMware Patches Directory Traversal Vulnerability in View Server and Security Server

Virtualization vendor VMware has patched a critical vulnerability in its VMware View desktop virtualization product that could have led to a directory traversal attack and an attacker reading or downloading files without the need for authentication.

VMware View 5.x prior to 5.1.2 and 4.x prior to 4.6.2 were affected, the company said in an advisory. Customers are advised to upgrade to the latest version.

The vulnerability was discovered by Digital Defense, a security service provider. Senior vulnerability researcher Javier Castro said the company’s vulnerability research team discovered the flaw in some customers’ network scan results.

“We thought it was interesting to find a directory traversal externally on an organization, and it wasn’t in a minor product, but a major product like VMware,” Castro said. “Ordinarily, you could have one because of user error, but in the case of a major product, it’s not usually user error. It’s usually the vendor’s fault.”

The flaw was reported to VMware in September, and the update was released earlier this week for View Connection Server and View Security Server.

“The tunnel-server component of the VMware View Connection Server fails to ensure that each requested URL refers to a file that is both located within the web root of the server and is of a type that is allowed to be served,” the Digital Defense advisory said. “A remote unauthenticated attacker can use this weakness to retrieve arbitrary files from the affected server’s underlying root file system. This can be accomplished by submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory.”

Directory traversal exploits are dangerous because an attacker can remotely execute commands outside a root directory into sub-directories that should not be reachable online, as this particular VMware flaw was.

“This is a major issue because this is a component that is externally facing online,” Castro said. “Arbitrary attackers can probe machines and pull files, or if you have VMware drives residing on there, they can download the contents of those drives. This is the type of thing you don’t want because it can allow attacks to take place further on an internal network.”

Organizations that cannot immediately update VMware View Servers have two temporary workarounds to consider. The first is disabling VMware View Security Server; remote users may temporarily connect to the Connection Server via VPN, VMware said. The second is to block directory traversal attempts at the application firewall or with an intrusion prevention system.