Australia and New Zealand's Premier Virtualisation Community





Home Make Text BiggerMake Text SmallerReset Text Size
SSL Sessions Not Authenticated By VMware VC Clients PDF Print E-mail
Written by Damian Murdoch   
Wednesday, 29 November 2006
The securiteam mailing list sent out an alert regarding SSL Sessions Not Authenticated By VMware VC Clients. For more information on this and a copy of the alert please read on.

SSL Sessions Not Authenticated By VMware VC Clients

SUMMARY

VMware VirtualCenter client does not verify the server's X.509 certificate when creating an SSL session, which allows remote malicious servers to spoof valid servers via a man-in-the-middle attack.

DETAILS

Vulnerable Systems:

* VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)

* VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)

To ensure a secure channel of communication, you must be sure that any communication is with "trusted" sites whose identity you can be sure of. Both the client and server need certificates from a mutually-trusted Certificate Authority (CA).

However, certificate verification is not enabled by default for the clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1, you must specifically enable server-certificate verification on theWindows client hosts.

VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue with server-certificate verification by VirtualCenter clients during the initial SSL handshake. Specifically, the x.509 certificate presented by a server to a client at the beginning of an SSL session is not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue for Windows client hosts.

Solution:

Note that installing the updated software does not, by default, enable authentication. For information about how to enable this new optional capability, see Knowledge Base (KB) article 4646606, " <http://kb.vmware.com/kb/4646606 > Enabling Server- Certificate Verification for Virtual Infrastructure Clients."

Client hosts include:

* VirtualCenter Server host, which operates as a client to each of the servers that it manages;

VirtualCenter Server 2.x:

* Virtual Infrastructure Client (VI Client, or VIC), client software that lets you connect to and manage ESX Server hosts directly, or through a VirtualCenter Server host;

VirtualCenter Server 1.x:

* VirtualCenter Client (VC Client), client software that lets you connect to and manage ESX Server 2.x hosts through a VirtualCenter Server host (1.x version).

CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990>

CVE-2006-5990

ADDITIONAL INFORMATION

The information has been provided by vmware.

 
Tag it:
Delicious
Furl it!
Scuttle
Spurl
< Prev   Next >
[ Back ]
Who's Online



Want to help ?

Want to submit an article, a news tip or want to advertise ? Click here!

Joomla! Template Supplied by Netshine Software Limited