VMware vCenter Server 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)

high Nessus Plugin ID 129503

Synopsis

A virtualization management application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of VMware vCenter Server installed on the remote host is 6.0 prior to U3j, 6.5 prior to U3, or 6.7 prior to U3, and is, therefore, affected by the following vulnerabilities:

- An information disclosure vulnerability caused by insufficient session expiration. This allows an attacker with physical access or the ability to mimic a websocket connection to a user's browser to control a VM console after the user's session has expired or they have logged out. (CVE-2019-5531)

- An information disclosure vulnerability caused by plain-text logging of virtual machine credentials through OVF. This allows an attacker with access to the log files which contain the vCenter OVF-properties of a virtual machine deployed from an OVF to view the credentials used to deploy the OVF, which typically belong to the root account of the virtual machine.
(CVE-2019-5532)

- An information disclosure vulnerability in virtual machines deployed from an OVF which could expose login information via the virtual machine's vAppConfig properties. An attacker with access to query the vAppConfig properties of a virtual machine deployed from an OVF can view the credentials used to deploy the OVC, which typically belong to the root account of the virtual machine. (CVE-2019-5534) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to VMware vCenter Server 6.0 U3j, 6.5 U3, or 6.7 U3 or later.

See Also

https://www.vmware.com/security/advisories/VMSA-2019-0013.html

Plugin Details

Severity: High

ID: 129503

File Name: vmware_vcenter_vmsa-2019-0013.nasl

Version: 1.5

Type: remote

Family: Misc.

Published: 10/2/2019

Updated: 5/19/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-5531

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-5534

Vulnerability Information

CPE: cpe:/a:vmware:vcenter_server

Required KB Items: Host/VMware/vCenter, Host/VMware/version, Host/VMware/release

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2019

Vulnerability Publication Date: 9/18/2019

Reference Information

CVE: CVE-2019-5531, CVE-2019-5532, CVE-2019-5534

IAVA: 2019-A-0344

VMSA: 2019-0013