Mike Kiev - Fotolia

How can VMware vulnerabilities in vSphere expose credentials?

Two VMware vulnerabilities in vSphere Data Protection were recently patched. Expert Judith Myerson explains how the flaws work and how to defend against them.

VMware has patched critical vulnerabilities in vSphere Data Protection. What caused these VMware vulnerabilities? Besides applying the patches, what else can be done to mitigate them?

VMware vSphere Data Protection (VDP) is a backup and recovery product that is deployed as a virtual appliance. It runs a Linux guest operating system and works with VMware vCenter Server.

Together, two VMware vulnerabilities in VDP could enable an unauthenticated attacker to execute commands on the virtual appliance. The main player points to VDP's Java deserialization vulnerability (CVE-2017-4914). This discovery is attributed to Tim Roberts, Arthur Chilipweli and Kelly Correll, security consultants at NTT Security.

Java deserialization is a technique many programming languages use to transport complex data over a network. At one end, this technique breaks down a Java object into a series of bytes. It reassembles them into the Java object at the other end.

When Java objects are not validated for their trustworthiness before they are deserialized, untrusted data may be introduced. To access the data that has been deserialized, the attacker would need to root the target system. After gaining escalated privileges, the attacker could exploit the reversible encryption vulnerability (CVE-2017-4917). Impacted VDP versions use reversible encryption to locally store credentials from vCenter Server, which makes these VMware vulnerabilities particularly dangerous.

One risk is that reversible encryption may show plaintext credentials. The attacker could use these credentials to remotely log in, change the code in the object and, in the worst scenario, launch a denial-of-service attack.

To prevent these VMware vulnerabilities, network administrators should:

  • Apply proper VMware updates to VDP 6.1.x, 6.0.x, 5.8.x and 5.5.x. VDP 6.1.x has been replaced with VDP 6.1.4. The other versions have been replaced with VDP 6.0.5.
  • Ensure trusted users have proper network access levels.
  • Ensure Java programmers have the proper skills to avoid the Java deserialization issue.
  • Audit Java objects to determine if they are safe to use.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Compare the versions of vSphere Data Protection to find which is best for your organization

Learn how to deal with capacity issues in VMware VDP

Find out what VMware vCenter Server can do for enterprises

Dig Deeper on Threats and vulnerabilities