Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15195
HistoryNov 22, 2006 - 12:00 a.m.

VMSA-2006-0010 - SSL sessions not authenticated by VC Clients

2006-11-2200:00:00
vulners.com
15
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

               VMware Security Advisory

Advisory ID: VMSA-2006-0010
Synopsis: SSL sessions not authenticated by VC Clients
Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL:http://kb.vmware.com/kb/4646606
Issue date: 2006-11-21
Updated on: 2006-11-21
CVE number: CVE-2006-5990

  1. Summary:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's
X.509 certificate when creating an SSL session, which allows remote
malicious servers to spoof valid servers via a man-in-the-middle attack

  1. Relevant releases:

VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)

  1. Problem description:

To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of.
Both the client and server need certificates from a mutually-trusted
Certificate Authority (CA).

VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an
issue with server-certificate verification by VirtualCenter clients
during the initial SSL handshake. Specifically, the x.509 certificate
presented by a server to a client at the beginning of an SSL session is
not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch
1 resolve this issue for Windows client hosts.

However, certificate verification is not enabled by default for the
clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter
1.4.1 Patch 1, you must specifically enable server-certificate
verification on the Windows client hosts.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-5990 to this issue.

  1. Solution:

Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling Server-
Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606

Client hosts include:
* VirtualCenter Server host, which operates as a client to each of
the servers that it manages;

VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software
that lets you connect to and manage ESX Server hosts directly, or
through a VirtualCenter Server host;

VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you
connect to and manage ESX Server 2.x hosts through a VirtualCenter
Server host (1.x version).

  1. References:

http://www.vmware.com/download/vi/vc-201-200611-patch.html
http://www.vmware.com/download/vc/vc-141-200611-patch.html
http://kb.vmware.com/kb/4646606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990

  1. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail: [email protected]

Copyright 2006 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ
5cb1Sr9XdCvxVuMh7UKNF94=
=iEXc
-----END PGP SIGNATURE-----

Related

cve 1
cve
cve
CVE-2006-5990
2006-11-21 01:07:00
JSON
Related for SECURITYVULNS:DOC:15195
cve1