[Other] VMware client does not verify the server's certificate - VMSA-2006-0010
Dear colleagues,
We have just received the following advisory. We are forwarding this
information to you unchanged.
The virtualization software VMware allows virtual systems to be run on a
so-called VMware server. Users can connect to the server with VMware client
software and use the virtual systems as if they were local. The connection
to the server is protected by SSL.
CVE-2006-5990 - VMware client does not verify the server's certificate
The VMware VirtualCenter client software does not verify the server's
certificate when connecting to it via SSL. A remote attacker can thereby
intercept the user's connection, forward it to the actual server and, in
doing so, read or manipulate all traffic (man-in-the-middle attack). With
this update, verification of the server certificate is possible, but it
must first be enabled. The vendor provides further information on this:
http://kb.vmware.com/vmtnkb/search.do?cmd=displayKC&docType=kc&externalId=4646606&sliceId=SAL_Public
The following software packages and platforms are affected:
VMware VirtualCenter Client 2.x before 2.0.1 with Patch 1 (Build 33643)
VMware VirtualCenter Client 1.4.x before 1.4.1 with Patch 1 (Build 33425)
All supported platforms
The vendor provides revised packages.
Vendor advisory:
http://www.securityfocus.com/archive/1/452275
(c) of the German summary: DFN-CERT Services GmbH; distribution, including
in excerpts, is permitted only with attribution to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.
Kind regards,
Klaus Moeller, DFN-CERT
-------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2006-0010
Synopsis: SSL sessions not authenticated by VC Clients
Patch URL: http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL: http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL: http://kb.vmware.com/kb/4646606
Issue date: 2006-11-21
Updated on: 2006-11-21
CVE-2006-5990
-------------------------------------------------------------------
1. Summary:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425) do not verify the server's X.509
certificate when creating an SSL session, which allows remote malicious servers
to spoof valid servers via a man-in-the-middle attack.
2. Relevant releases:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
3. Problem description:
To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of. Both
the client and server need certificates from a mutually-trusted Certificate
Authority (CA).
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue
with server-certificate verification by VirtualCenter clients during the
initial SSL handshake. Specifically, the X.509 certificate presented by a
server to a client at the beginning of an SSL session is not verified.
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue
for Windows client hosts.
However, certificate verification is not enabled by default for the clients.
After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1,
you must specifically enable server-certificate verification on the Windows
client hosts.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CVE-2006-5990 to this issue.
4. Solution:
Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling
Server-Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of the
servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software that
lets you connect to and manage ESX Server hosts directly, or through a
VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you connect
to and manage ESX Server 2.x hosts through a VirtualCenter Server host
(1.x version).
5. References:
http://www.vmware.com/download/vi/vc-201-200611-patch.html
http://www.vmware.com/download/vc/vc-141-200611-patch.html
http://kb.vmware.com/kb/4646606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990
6. Contact:
http://www.vmware.com/security
VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html
E-mail: security@xxxxxxxxxx
Copyright 2006 VMware Inc. All rights reserved.
--
Dipl. Inform. Klaus Moeller (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49-40-808077-555
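The advisory above describes a client that completes the SSL handshake without checking the server's X.509 certificate, and a fix that only helps once verification is switched on. The following is an added example written for this page, not VMware's client code or anything from the advisory: it uses Python's standard ssl module to show the two client configurations side by side (the "accept any certificate" behaviour of the unpatched client and the verifying configuration the KB article asks administrators to enable), an audit function that tells them apart, and an offline check that the verifying configuration really refuses to start TLS without a server name to match the certificate against. The optional cafile argument is assumed to be the operator's own trusted CA bundle; no network connection is made.

```python
"""Added example: a TLS client that skips server-certificate verification
(the behaviour CVE-2006-5990 describes) next to one that enforces it.

Illustrative code written for this page, not VMware's client code. It uses
Python's standard ssl module to show what "not verifying the server's X.509
certificate" means at the API level and how to check that a given client
configuration really does verify.
"""
import socket
import ssl
from typing import Optional


def insecure_client_context() -> ssl.SSLContext:
    """Client configuration that accepts any server certificate.

    An interposed server can present a self-signed or unrelated certificate,
    complete the handshake, and relay traffic to the real server unnoticed.
    (check_hostname must be disabled before verify_mode may be CERT_NONE.)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client configuration that authenticates the server.

    create_default_context() sets verify_mode=CERT_REQUIRED and
    check_hostname=True. `cafile` (assumed: the operator's trusted CA bundle,
    e.g. the CA that issued the management server's certificate) restricts
    trust to that CA instead of the system store when given.
    """
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the verification weaknesses of a client context, if any.

    An empty list means the chain is validated against trusted CAs and the
    certificate name is matched against the server name that was dialled.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate name is not matched to the server")
    return findings


def refuses_unnamed_peer(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses to start TLS without a server name to verify.

    With check_hostname enabled, wrap_socket() raises ValueError when no
    server_hostname is supplied; the insecure context proceeds regardless,
    which is exactly the gap a man-in-the-middle exploits. No network I/O
    happens here: the socket is never connected.
    """
    raw = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=None)
    except ValueError:
        return True
    else:
        tls.close()
        return False
    finally:
        raw.close()  # no-op if wrap_socket() already took over the descriptor


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("verifying", verifying_client_context())):
        print(f"{name}: findings={audit_context(ctx)} "
              f"refuses_unnamed_peer={refuses_unnamed_peer(ctx)}")
```

The audit is the check to run against any client configuration you inherit: a verify_mode of CERT_NONE or a disabled hostname check means the client will talk to whoever answers on the port, which is the condition the advisory describes. Note that a patched client whose verification is left at its default "off" setting audits exactly like the unpatched one; only the enabled configuration passes.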