lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <456382F6.3040402@vmware.com>
Date: Tue, 21 Nov 2006 14:51:34 -0800
From: VMware Security team <security@...are.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: VMSA-2006-0010 - SSL sessions not authenticated by VC Clients

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2006-0010
Synopsis:          SSL sessions not authenticated by VC Clients
Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL:http://kb.vmware.com/kb/4646606
Issue date:        2006-11-21
Updated on:        2006-11-21
CVE number:        CVE-2006-5990
- - -------------------------------------------------------------------

1. Summary:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's
X.509 certificate when creating an SSL session, which allows remote
malicious servers to spoof valid servers via a man-in-the-middle attack

2. Relevant releases:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)

3. Problem description:

To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of.
 Both the client and server need certificates from a mutually-trusted
Certificate Authority (CA).

VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an
issue with server-certificate verification by VirtualCenter clients
during the initial SSL handshake. Specifically, the x.509 certificate
presented by a server to a client at the beginning of an SSL session is
not verified.  VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch
1 resolve this issue for Windows client hosts.

However, certificate verification is not enabled by default for the
clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter
1.4.1 Patch 1, you must specifically enable server-certificate
verification on the Windows client hosts.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-5990 to this issue.

4. Solution:

Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling Server-
Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606

Client hosts include:
    * VirtualCenter Server host, which operates as a client to each of
      the servers that it manages;

VirtualCenter Server 2.x:
    * Virtual Infrastructure Client (VI Client, or VIC), client software
      that lets you connect to and manage ESX Server hosts directly, or
      through a VirtualCenter Server host;

VirtualCenter Server 1.x:
    * VirtualCenter Client (VC Client), client software that lets you
      connect to and manage ESX Server 2.x hosts through a VirtualCenter
      Server host (1.x version).

5. References:

http://www.vmware.com/download/vi/vc-201-200611-patch.html
http://www.vmware.com/download/vc/vc-141-200611-patch.html
http://kb.vmware.com/kb/4646606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@...are.com

Copyright 2006 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ
5cb1Sr9XdCvxVuMh7UKNF94=
=iEXc
-----END PGP SIGNATURE-----

View attachment "VMSA-2006-0010.txt.asc" of type "text/plain" (5749 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ