VMware patches 'critical' vulnerability

By Brandon Butler, Network World |  Security, VMware, VMware View

VMware has issued a patch for its VMware View product that fixes a security vulnerability that could allow an unauthorized user to access system files.

"VMware View contains a critical directory traversal vulnerability that allows an unauthenticated remote attacker to retrieve arbitrary files from affected View Servers," VMware posted on a security advisory alerting customers to the issue. "Exploitation of this issue may expose sensitive information stored on the server." VMware's update to VMware View is available for free to license holders of the product and can be downloaded here.

FREE SECURITY: 15 (Free!) Security tools you should try 

VMWARE STRATEGY: CTO: Adapt, enable choice, or die 

Digital Defense, a Texas-based risk auditing firm found the vulnerability this fall and alerted VMware of the issue in October. The issue is confined to VMware View, which is a product that allows organizations to grant access to certain virtual machines. It's typically used by larger organizations for demonstrating a product, for example, says Javier Castro, a senior vulnerability researcher at DDI.

While conducting a series of vulnerability tests on VMware View systems, DDI found that a guest user who had been granted access to specific files on a VM could prompt the VM to retrieve files that the user should not have access to. Basically external users had access to internal network files. This means a potential intruder could access file systems on a web server to access sensitive hashed passwords, for example. DDI found the directory traversal flaw in both a connection server and a security server running VMware view.

Originally published on Network World |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question