Network World - VMware has issued a patch for its VMware View product that fixes a security vulnerability that could allow an unauthorized user to access system files.
"VMware View contains a critical directory traversal vulnerability that allows an unauthenticated remote attacker to retrieve arbitrary files from affected View Servers," VMware posted on a security advisory alerting customers to the issue. "Exploitation of this issue may expose sensitive information stored on the server." VMware's update to VMware View is available for free to license holders of the product and can be downloaded here.
Digital Defense, a Texas-based risk auditing firm found the vulnerability this fall and alerted VMware of the issue in October. The issue is confined to VMware View, which is a product that allows organizations to grant access to certain virtual machines. It's typically used by larger organizations for demonstrating a product, for example, says Javier Castro, a senior vulnerability researcher at DDI.
While conducting a series of vulnerability tests on VMware View systems, DDI found that a guest user who had been granted access to specific files on a VM could prompt the VM to retrieve files that the user should not have access to. Basically external users had access to internal network files. This means a potential intruder could access file systems on a web server to access sensitive hashed passwords, for example. DDI found the directory traversal flaw in both a connection server and a security server running VMware view.
DDI runs a series of generic directory traversal checks on VMware systems and found this vulnerability by tying together various strings of prompts in subdirectories. Castro says VMware products are "juicy," because by the nature of virtualization, they provide access to a lot of virtual machines. Directory traversals seem to be a consistent area of interest for both hackers and vulnerability auditors. He adds that VMware seems to be getting better at auditing third-party tools in recent months to ensure any updates and patches of tools VMware uses in its products and services are reflected in updates from VMware.
Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.
Read more about wide area network in Network World's Wide Area Network section.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cyberwarfare White Papers | Webcasts