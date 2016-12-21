News

VMware removes hard-coded root access key from vSphere Data Protection

The company also fixed a stored cross-site scripting flaw in ESXi

Romania Correspondent, IDG News Service


VMware has released a hotfix for vSphere Data Protection (VDP) to change a hard-coded SSH key that could allow remote attackers to gain root access to the virtual appliance.

VDP is a disk-based backup and recovery product that runs as an open virtual appliance (OVA). It integrates with the VMware vCenter Server and provides centralized management of backup jobs for up to 100 virtual machines.

According to a VMware support article, the vSphere Data Protection (VDP) appliance contains a static SSH private key with a known password. This key allows interoperability with EMC Avamar, a deduplication backup and recovery software solution, and is pre-configured on the VDP as an AuthorizedKey.

"An attacker with access to the internal network may abuse this to access the appliance with root privileges and further to perform a complete compromise," VMware said.

The company rates this vulnerability as critical and developed a hotfix that can be copied and executed on the appliance to change the default SSH keys and set a new password.
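The weakness described above is a key that sits in an appliance's authorized_keys file without the operator having put it there. As an added illustration (not VMware's hotfix or any VMware code), the script below parses an authorized_keys file, computes the OpenSSH-style SHA256 fingerprint of each key, and reports any entry whose fingerprint is not on an operator-maintained approved list. The key blobs and file contents are constructed for the example and are not valid keys.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_key_blob(key_type: str, key_material: bytes) -> str:
    """Build a base64 key blob of the given type. Constructed test data only:
    the blob is wire-format shaped but is not a usable public key."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_material)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA256(raw blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, b64_blob, comment) per entry, skipping blanks and comments.
    Leading option fields (no-pty, command=...) are skipped by locating the key-type
    token; a quoted option containing whitespace is not handled by this simple split."""
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")):
                yield field, fields[i + 1], " ".join(fields[i + 2:])
                break


def audit_authorized_keys(text: str, approved: set) -> list:
    """Return the entries whose fingerprint is not in the approved set."""
    return [
        {"type": key_type, "fingerprint": fingerprint(blob), "comment": comment}
        for key_type, blob, comment in parse_authorized_keys(text)
        if fingerprint(blob) not in approved
    ]


# Constructed sample: one operator-approved key and one pre-installed vendor key.
ADMIN_BLOB = make_key_blob("ssh-ed25519", b"\x01" * 32)
VENDOR_BLOB = make_key_blob("ssh-rsa", b"\x02" * 64)
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real appliance file
ssh-ed25519 {ADMIN_BLOB} admin@example.invalid
no-pty,command="/usr/bin/true" ssh-rsa {VENDOR_BLOB} vendor-interop
"""

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(ADMIN_BLOB)}):
        print("UNAPPROVED", finding["type"], finding["fingerprint"], finding["comment"])
```

Running the script against a real appliance's /root/.ssh/authorized_keys, with the approved set seeded from the operator's own key inventory, surfaces exactly the kind of pre-configured entry the advisory describes.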

Developing devices with hard-coded access credentials that users can't change is a serious security weakness. Unfortunately, this was common practice in the past and vendors have been trying to clean up such mistakes from their devices for the past few years.

On Tuesday, VMware also fixed a stored cross-site scripting vulnerability in its vSphere Hypervisor (ESXi) product. The flaw is rated as important.

"The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM," the company said in an advisory. "The issue may be triggered on the system from where ESXi Host Client is used to manage the specially crafted VM."

VMware released patches for ESXi 5.5 and 6.0 to address this flaw and advises users not to import VMs from untrusted sources.


Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.
