VMware advisory VMSA-2013-0006
Published: Apr 25, 2013

VMware security updates for vCenter Server

Source: www.vmware.com

EPSS score: 0.892 (High), percentile 98.4%

a. vCenter Server AD anonymous LDAP binding credential by-pass

vCenter Server, when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled, does not properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may succeed even if a non-blank password is required for the account.
The issue is present on vCenter Server 5.1, 5.1a and 5.1b if AD anonymous LDAP binding is enabled. The issue is addressed in vCenter Server 5.1 Update 1 by removing the possibility to authenticate using blank passwords. This change in the authentication mechanism applies regardless of whether anonymous binding is enabled.
Workaround
The workaround is to discontinue the use of AD anonymous LDAP binding if it is enabled in your environment. AD anonymous LDAP binding is not enabled by default. The TechNet article listed in the references section explains how to check for anonymous binding (search for "anonymous binding" in the article: anonymous binding is enabled if the seventh bit of the dsHeuristics attribute is set to 2).

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3107 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
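The two checks a defender needs from this advisory, as an added example that is not VMware's or Microsoft's code: evaluating an exported dsHeuristics value the way the workaround describes (the seventh position equal to "2", plus the every-tenth-position checksum digits that MS-ADTS documents for this attribute), and the shape of the 5.1 Update 1 fix, which refuses a blank password before the directory is ever asked. The directory object is a constructed stub that models only what the advisory states: with anonymous binding enabled, a simple bind with a valid name and an empty password is accepted. The DN and password values are constructed sample data.

```python
"""Added example for VMSA-2013-0006; not VMware's or Microsoft's code.

Two defender-side checks built from the advisory text:
  * anonymous_ldap_binding_enabled(): evaluates an exported dsHeuristics
    value the way the workaround describes (position 7 == '2').
  * authenticate_hardened(): the fix the advisory describes, rejecting a
    blank password before the directory is asked, beside the unguarded
    version for comparison.
The directory below is a constructed stub that models only the behaviour the
advisory states: with anonymous binding enabled, a bind with a valid name and
an empty password succeeds.
"""
from typing import Dict, Optional


def anonymous_ldap_binding_enabled(ds_heuristics: Optional[str]) -> bool:
    """Return True if dsHeuristics turns anonymous LDAP operations on.

    dsHeuristics is a string of one-character flags on the Directory Service
    object under CN=Configuration. Position 7 (1-based) is the
    anonymous-operations flag; '2' enables it. The attribute is absent by
    default, which means disabled. As documented in MS-ADTS, every tenth
    position is a check digit (position 10 must be '1', position 20 must be
    '2', ...); a value failing that check is ignored by the domain controller,
    so it is treated here as disabled.
    """
    if not ds_heuristics or len(ds_heuristics) < 7:
        return False
    for pos in range(10, len(ds_heuristics) + 1, 10):
        if ds_heuristics[pos - 1] != str(pos // 10):
            return False
    return ds_heuristics[6] == "2"


class StubDirectory:
    """Constructed stand-in for an AD LDAP endpoint's simple-bind handling.

    Models only the condition in the advisory: when anonymous binding is
    enabled, a simple bind carrying a DN and an empty password is accepted
    (LDAP calls this an 'unauthenticated bind' and treats it as anonymous),
    so a client that only looks at the bind result sees success.
    """

    def __init__(self, passwords: Dict[str, str], anonymous_binding_enabled: bool):
        self.passwords = passwords  # DN -> password, constructed sample data
        self.anonymous = anonymous_binding_enabled

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            return self.anonymous
        return self.passwords.get(dn) == password


def authenticate_unguarded(directory: StubDirectory, dn: str, password: str) -> bool:
    """Pre-5.1 Update 1 shape of the check: trust the bind result as-is."""
    return directory.simple_bind(dn, password)


def authenticate_hardened(directory: StubDirectory, dn: str, password: str) -> bool:
    """Fixed shape: a blank password never reaches the directory,
    whatever the anonymous-binding setting is."""
    if not dn or not password:
        return False
    return directory.simple_bind(dn, password)


def demo() -> Dict[str, bool]:
    """Run both authenticators against a directory with anonymous binding
    enabled and return the outcomes (constructed sample data)."""
    dn = "CN=alice,DC=example,DC=com"
    directory = StubDirectory({dn: "correct horse"}, anonymous_binding_enabled=True)
    return {
        "unguarded_blank_password": authenticate_unguarded(directory, dn, ""),
        "hardened_blank_password": authenticate_hardened(directory, dn, ""),
        "hardened_real_password": authenticate_hardened(directory, dn, "correct horse"),
        "hardened_wrong_password": authenticate_hardened(directory, dn, "nope"),
    }


if __name__ == "__main__":
    print("anonymous binding enabled:", anonymous_ldap_binding_enabled("0000002"))
    print(demo())
```

To apply the first check in practice, export the dsHeuristics attribute of the Directory Service object from a domain controller (for example with Get-ADObject) and pass the string to anonymous_ldap_binding_enabled(); the second function is the pattern to apply in any client that authenticates by LDAP simple bind, since the directory's own handling of an empty password is not something the client controls.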
