NEW VMSA-2016-0024 vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue

VMware Security Advisory

Advisory ID: VMSA-2016-0024

Severity:    Critical

Synopsis:    vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue

Issue date:  2016-12-20

Updated on:  2016-12-20 (Initial Advisory)

CVE number:  CVE-2016-7456

 

  1. Summary

 

vSphere Data Protection (VDP) updates address SSH key-based authentication issue

 

  2. Relevant Products

 

vSphere Data Protection (VDP)

 

  3. Problem Description

 

  a. VDP SSH key-based authentication issue

 

VDP contains a private SSH key with a known password that is configured to allow key-based authentication. Exploitation of this issue may allow an unauthorized remote attacker to log into the appliance with root privileges.

 

VMware would like to thank Marc Ströbel aka phroxvs from HvS-Consulting for reporting this issue to VMware.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7456 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

 

VMware      Product    Running            Replace with/     Mitigation/
Product     Version    on       Severity  Apply Patch       Workaround
==========  =========  =======  ========  ================  ==========
VDP         6.1.x      VA       Critical  KB2147069         None
VDP         6.0.x      VA       Critical  KB2147069         None
VDP         5.8.x      VA       Critical  KB2147069         None
VDP         5.5.x      VA       Critical  KB2147069         None
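The issue above is a shipped key pair that is accepted for login, so a useful check after remediation is that no authorized_keys file still trusts the retired public key. The following is an added example, not VMware's code and not part of the advisory: it assumes the key is authorized through an OpenSSH authorized_keys file, and the key blobs and the revoked fingerprint are constructed placeholders.

```python
import base64
import binascii
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def decode_blob(key_type, blob_b64):
    """Decode a key blob; return None unless it embeds the expected type name."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    n = int.from_bytes(raw[:4], "big")  # wire format: uint32 length + type name
    return raw if raw[4:4 + n] == key_type.encode() else None

def fingerprint(raw):
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a raw key blob."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, revoked):
    """Return (line_no, key_type, fingerprint) for every revoked key in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (command="...") may contain a type name: require a valid blob.
        for tok, nxt in zip(fields, fields[1:]):
            raw = decode_blob(tok, nxt) if tok in KEY_TYPES else None
            if raw is not None:
                fp = fingerprint(raw)
                if fp in revoked:
                    hits.append((no, tok, fp))
                break
    return hits

def sample_blob(key_type, body):  # constructed, non-functional key blob
    t = key_type.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + body).decode()

SHIPPED = sample_blob("ssh-rsa", b"constructed stand-in for a shipped key")
ADMIN = sample_blob("ssh-ed25519", b"constructed administrator key")
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {ADMIN} admin@example",
    f'command="echo ssh-rsa x" ssh-rsa {SHIPPED} appliance',
])
REVOKED = {fingerprint(base64.b64decode(SHIPPED))}  # placeholder fingerprint
HITS = audit(SAMPLE, REVOKED)  # one hit: line 3, the ssh-rsa entry
```

A hit means the file still trusts the retired key; the fix itself remains the patch listed in the table above.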

 

  4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

vSphere Data Protection

Downloads and Documentation:

http://kb.vmware.com/kb/2147069

 

  5. References

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7456

 


 

  6. Change log

 

2016-12-20: VMSA-2016-0024

Initial security advisory in conjunction with the release of vSphere Data Protection updates on 2016-12-20.


Created on December 20, 2016 by Rick Scherer

Posted under Alert.
