Advisory ID VMSA-2019-0013.1
Advisory Severity Important
CVSSv3 Range 4.2-7.7
Synopsis VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)
Issue Date 2019-09-16
Updated On 2019-09-19
CVE(s) CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534
1. Impacted Products
  • VMware vSphere ESXi (ESXi)
  • VMware vCenter Server (vCenter)
2. Introduction
ESXi and vCenter updates address multiple vulnerabilities.
  • CVE-2017-16544: VMware ESXi command injection vulnerability
  • CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability
  • CVE-2019-5532: VMware vCenter Server information disclosure vulnerability
  • CVE-2019-5534: VMware vCenter Server information disclosure vulnerability in vAppConfig properties
3a. VMware ESXi 'busybox' command injection vulnerability - CVE-2017-16544

Description:

ESXi contains a command injection vulnerability due to the use of a vulnerable version of busybox that does not sanitize filenames, which may result in arbitrary escape sequences being executed in the shell. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.

Known Attack Vectors:

An attacker may exploit this issue by tricking an ESXi administrator into executing shell commands on a malicious file that the attacker provides.
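The attack vector above depends on a filename that carries terminal escape sequences, which an unpatched busybox echoes back to the administrator's terminal unsanitized. The following Python script is an added example, not code from this advisory or from VMware: it flags such filenames in a directory listing and renders them in an escaped form that a terminal displays rather than interprets, so an administrator reviewing uploaded files sees the control characters instead of having the terminal act on them. The function names and the sample listing are constructed for this example; the escape-sequence pattern covers the common CSI, OSC and single-letter ESC forms, not every terminal's full grammar.

```python
import re
from typing import Dict, Iterable, List

# Characters a terminal interprets rather than displays: C0 controls (0x00-0x1f, which
# includes ESC 0x1b), DEL (0x7f) and the C1 control block (0x80-0x9f).
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")

# Common ANSI/VT escape sequence shapes introduced by ESC:
#   CSI  ESC [ <params> <intermediates> <final>   e.g. colour changes, cursor movement
#   OSC  ESC ] <text> BEL | ESC \                  e.g. window title changes
#   Fe   ESC <single character in the @-_ range>
_ESCAPE_SEQ = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|[@-Z\\-_])"
)


def safe_display(name: str) -> str:
    """Render a filename so control characters print as \\xNN instead of being interpreted."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), name)


def classify_filename(name: str) -> Dict[str, object]:
    """Report whether a filename carries terminal control characters or escape sequences."""
    controls = _CONTROL.findall(name)
    sequences = _ESCAPE_SEQ.findall(name)
    return {
        "name": name,
        "unsafe": bool(controls),
        "control_count": len(controls),
        "escape_sequences": sequences,
        "display": safe_display(name),
    }


def audit_listing(names: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the entries of a directory listing that must not be echoed raw."""
    return [r for r in (classify_filename(n) for n in names) if r["unsafe"]]


# Constructed sample listing: the second and third names carry escape sequences,
# the fourth a bare control character, the last legitimate non-ASCII text.
SAMPLE_LISTING = [
    "vm-backup.vmdk",
    "notes\x1b[31mred.txt",
    "image\x1b]0;title\x07.iso",
    "tab\tseparated.log",
    "r\u00e9sum\u00e9.txt",
]

if __name__ == "__main__":
    for entry in audit_listing(SAMPLE_LISTING):
        print(f"{entry['display']}: {entry['control_count']} control char(s), "
              f"{len(entry['escape_sequences'])} escape sequence(s)")
```

Running the script prints each flagged name with its controls escaped; a legitimate accented filename is not flagged, because only the C0, DEL and C1 ranges are treated as dangerous, not non-ASCII text in general.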

Resolution:

To remediate CVE-2017-16544 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Zhouyuan Yang of Fortinet's FortiGuard Labs for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
ESXi | 6.7 | Any | CVE-2017-16544 | 6.7 | Moderate | ESXi670-201904101-SG | None | None
ESXi | 6.5 | Any | CVE-2017-16544 | 6.7 | Moderate | ESXi650-201907101-SG | None | None
ESXi | 6.0 | Any | CVE-2017-16544 | 6.7 | Moderate | ESXi600-201909101-SG | None | None
3b. ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability - CVE-2019-5531

Description:

The ESXi Host Client, vSphere Client and vSphere Web Client contain an information disclosure vulnerability arising from insufficient session expiration. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.2.

This issue affects:

  • ESXi VMware Host Client (6.7, 6.5, 6.0).
  • vCenter Server vSphere Client (HTML5) (6.7, 6.5).
  • vCenter Server vSphere Web Client (FLEX/Flash) (6.7, 6.5, 6.0).

Known Attack Vectors:

An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.

Resolution:

To remediate CVE-2019-5531 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Dejan Zelic for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
ESXi | 6.7 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi670-201810101-SG | None | None
ESXi | 6.5 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi650-201811102-SG | None | None
ESXi | 6.0 | Any | CVE-2019-5531 | 4.2 | Moderate | ESXi600-201807103-SG | None | None
vCenter | 6.7 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.7 U1b | None | None
vCenter | 6.5 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.5 U2b | None | None
vCenter | 6.0 | Any | CVE-2019-5531 | 4.2 | Moderate | 6.0 U3j | None | None
3c. VMware vCenter Server information disclosure vulnerability - CVE-2019-5532

Description:

VMware vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors:

A malicious user with access to the log files containing vCenter OVF-properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

Resolution:

To remediate CVE-2019-5532, update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

If the password of the deployment account (typically root) is changed on the virtual machine after deployment of the OVF then the credentials stored in the vCenter OVF-properties will no longer be valid and cannot be used to access the virtual machine.

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Ola Beyioku for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
vCenter | 6.7 | Any | CVE-2019-5532 | 7.7 | Important | 6.7 U3 | See above | None
vCenter | 6.5 | Any | CVE-2019-5532 | 7.7 | Important | 6.5 U3 | See above | None
vCenter | 6.0 | Any | CVE-2019-5532 | 7.7 | Important | 6.0 U3j | See above | None
3d. Information disclosure vulnerability in vAppConfig properties - CVE-2019-5534

Description:

Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors:

A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

Resolution:

To mitigate CVE-2019-5534, upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

The information stored in vAppConfig properties is captured at the time of deployment. If the password of the deployment account (typically root) is changed on the virtual machine after deployment of the OVF then the credentials stored in the vAppConfig properties will no longer be valid and cannot be used to access the virtual machine.
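Issues 3c and 3d come down to the same exposure: the password used to deploy a VM from an OVF is retained after deployment, once in vCenter log lines and once in the VM's vAppConfig properties, and the workaround in each case is to change that password on the guest. The following Python script is an added example, not code from this advisory or from VMware: it audits a VM's vAppConfig property list and a set of log lines for credential-bearing OVF properties, masks any value it reports so the audit output does not re-disclose the secret, redacts such values from log lines before they are retained, and lists the VMs whose deployment password should be rotated. The VAppProperty dataclass is an assumed shape mirroring the id/value/type fields of a vSphere VAppPropertyInfo object, the credential key pattern and the log line format are assumptions, and the sample properties and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Property ids that commonly carry deployment credentials. The set of names is an
# assumption: every OVF template chooses its own property ids, so tune it for your
# templates. "public_key" does not match; "private_key" and "password" do.
_CREDENTIAL_KEY = re.compile(r"passw(?:or)?d|passwd|secret|token|private[_-]?key", re.IGNORECASE)


@dataclass
class VAppProperty:
    """Assumed shape mirroring the id/value/type fields of a vSphere VAppPropertyInfo."""
    id: str
    value: str
    type: str = "string"   # OVF property types such as "string", "ip", "password"


@dataclass
class Finding:
    vm: str
    source: str            # "vAppConfig" or "log"
    key: str
    value_preview: str     # masked, so the report does not re-disclose the secret


def mask(value: str) -> str:
    """Keep only the first character and the length: enough to recognise a value, not to use it."""
    if not value:
        return "<empty>"
    return f"{value[0]}{'*' * (len(value) - 1)} ({len(value)} chars)"


def audit_vapp_properties(vm_name: str, props: Iterable[VAppProperty]) -> List[Finding]:
    """Flag vAppConfig properties that hold a credential, by id or by the 'password' type."""
    return [
        Finding(vm_name, "vAppConfig", p.id, mask(p.value))
        for p in props
        if p.value and (_CREDENTIAL_KEY.search(p.id) or p.type == "password")
    ]


# Constructed log line format (an assumption, not vCenter's real format):
# "<timestamp> <level> ovf-properties vm=<name> key=<property id> value=<property value>"
_LOG_LINE = re.compile(r"ovf-properties\s+vm=(?P<vm>\S+)\s+key=(?P<key>\S+)\s+value=(?P<value>.*)$")


def audit_log_lines(lines: Iterable[str]) -> List[Finding]:
    """Flag log lines that record a credential-bearing OVF property in plain text."""
    findings = []
    for line in lines:
        m = _LOG_LINE.search(line)
        if m and _CREDENTIAL_KEY.search(m.group("key")):
            findings.append(Finding(m.group("vm"), "log", m.group("key"), mask(m.group("value"))))
    return findings


def redact_log_line(line: str) -> str:
    """Replace the value of a credential-bearing property before the line is shipped or retained."""
    m = _LOG_LINE.search(line)
    if m and _CREDENTIAL_KEY.search(m.group("key")):
        return line[: m.start("value")] + "<redacted>"
    return line


def vms_needing_rotation(findings: Iterable[Finding]) -> List[str]:
    """VMs for which the workaround (changing the deployment account's password) applies."""
    return sorted({f.vm for f in findings})


# Constructed sample data for one VM deployed from an OVF.
SAMPLE_PROPS = [
    VAppProperty("hostname", "web01"),
    VAppProperty("ip0", "10.0.0.5", type="ip"),
    VAppProperty("root_password", "Sup3rSecret!", type="password"),
    VAppProperty("ssh_public_key", "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 ops@example"),
]
SAMPLE_LOG = [
    "2019-09-16T10:00:01Z info ovf-properties vm=web01 key=hostname value=web01",
    "2019-09-16T10:00:01Z info ovf-properties vm=web01 key=root_password value=Sup3rSecret!",
    "2019-09-16T10:00:02Z info vm=web01 powered on",
]

if __name__ == "__main__":
    all_findings = audit_vapp_properties("web01", SAMPLE_PROPS) + audit_log_lines(SAMPLE_LOG)
    for f in all_findings:
        print(f"{f.vm}: {f.source} property '{f.key}' holds a credential ({f.value_preview})")
    print("rotate deployment password on:", vms_needing_rotation(all_findings))
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

The audit only tells you where a credential is still retained; rotating the guest password is what invalidates it, as the workaround states, and the redaction step is for log pipelines that cannot yet be upgraded to a fixed vCenter release.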

Additional Documentation:

None.

Acknowledgements:

VMware would like to thank Rich Browne of F5 Networks for reporting this issue to us.

Response Matrix:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents
vCenter | 6.7 | Any | CVE-2019-5534 | 7.7 | Important | 6.7 U3 | See above | None
vCenter | 6.5 | Any | CVE-2019-5534 | 7.7 | Important | 6.5 U3 | See above | None
vCenter | 6.0 | Any | CVE-2019-5534 | 7.7 | Important | 6.0 U3j | See above | None

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5534

Fixed Version(s) and Release Notes:

ESXi 6.7 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u3-release-notes.html

ESXi 6.7 U2
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

ESXi 6.7 U1
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-671-release-notes.html

ESXi 6.5 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html

ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912

ESXi 6.0, Patch Release ESXi600-201807001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627

ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

vCenter 6.7 U1b
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?downloadGroup=VC67U1B&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u1b-release-notes.html

vCenter 6.5 U2b
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?downloadGroup=VC65U2B&productId=614&rPId=24466
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u2b-release-notes.html

vCenter 6.5 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=614&downloadGroup=VC65U3
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3-release-notes.html

vCenter 6.0 U3j
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3J&productId=491
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3j-release-notes.html

5. Change log

2019-09-16: VMSA-2019-0013 Initial security advisory detailing remediation information for the VMware vSphere ESXi and VMware vCenter Server 6.7, 6.5 and 6.0 release lines.

2019-09-19: VMSA-2019-0013.1 Updated security advisory to reflect the correct ESXi patches for issue 3(b).

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2019 VMware Inc. All rights reserved.
