VMware Patches DoS Vulnerability in Virtualization Software

A vulnerability in the VMware vSphere API was closed in a recent update by the virtualization technology vendor.

Virtualization software vendor VMware released an update this month to fix a security issue in its vSphere API.

The update patches a denial-of-service (DoS) vulnerability in ESX and ESXi, and was accompanied by several open-source security fixes for the ESX Service Console.

"The VMware vSphere API contains a denial-of-service vulnerability," the company explained in an advisory. "This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected."

The advisory was issued Nov. 15.

The update impacts VMware ESXi 4.1 without patch ESXi410-201211401-SG and VMware ESX 4.1 without patches ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, and ESX410-201211407-SG.

Virtualization is a prime target for breaches and attacks, especially at the management level, which is the easiest way to exploit a virtualized environment and get the "keys to the kingdom," said Eric Chiu, president and founder of virtualization security vendor HyTrust, in a statement.

"This really shows how vulnerabilities can be exploited, and how important it is to secure today's virtualization and cloud environments; after all, this is the new [operating system] of the data center and provides access to the virtual machines, the virtual network and mission-critical enterprise applications, and the virtualized storage resources as well,” Chiu said.

In addition to the API patch, VMware's update fixes issues in the ESX Service Console's expat, python, nspr and nss packages. This includes a patch for the ESX Service Console Netscape Portable Runtime and Network Security Services RPMs to versions nspr- and nss-, respectively, to resolve multiple security issues, including a certificate trust issue caused by a fraudulent DigiNotar root certificate.

The update comes after VMware warned customers earlier this month that more source code for its ESX hypervisor technology could become public after more code was leaked by a hacker. The source code dates back to 2004 and is associated with other code leaked on the Web in April, VMware Director of Platform Security Iain Mulholland said in a post on the VMware Security and Compliance blog. He did not indicate what risk the current release poses to customers.

"It is possible that more related files will be posted in the future," Mulholland wrote Nov. 4. "We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment."