VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2006-0010
Synopsis: SSL sessions not authenticated by VC Clients
Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL:http://kb.vmware.com/kb/4646606
Issue date: 2006-11-21
Updated on: 2006-11-21
CVE number: CVE-2006-5990
- - -------------------------------------------------------------------
1. Summary:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's
X.509 certificate when creating an SSL session, which allows remote
malicious servers to spoof valid servers via a man-in-the-middle attack
2. Relevant releases:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
3. Problem description:
To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of.
Both the client and server need certificates from a mutually-trusted
Certificate Authority (CA).
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an
issue with server-certificate verification by VirtualCenter clients
during the initial SSL handshake. Specifically, the x.509 certificate
presented by a server to a client at the beginning of an SSL session is
not verified. VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch
1 resolve this issue for Windows client hosts.
However, certificate verification is not enabled by default for the
clients. After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter
1.4.1 Patch 1, you must specifically enable server-certificate
verification on the Windows client hosts.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the name CVE-2006-5990 to this issue.
4. Solution:
Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling Server-
Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of
the servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software
that lets you connect to and manage ESX Server hosts directly, or
through a VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you
connect to and manage ESX Server 2.x hosts through a VirtualCenter
Server host (1.x version).
5. References:
http://www.vmware.com/download/vi/vc-201-200611-patch.html
http://www.vmware.com/download/vc/vc-141-200611-patch.html
http://kb.vmware.com/kb/4646606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990
6. Contact:
http://www.vmware.com/security
VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html
E-mail: security@xxxxxxxxxx
Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFFY4Lz6KjQhy2pPmkRCDZWAJ4jttidvlKOh0r5lUjxEDyEC5pgeACeKjmJ
5cb1Sr9XdCvxVuMh7UKNF94=
=iEXc
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2006-0010
Synopsis: SSL sessions not authenticated by VC Clients
Patch URL:http://www.vmware.com/download/vi/vc-201-200611-patch.html
Patch URL:http://www.vmware.com/download/vc/vc-141-200611-patch.html
Knowledge base URL:http://kb.vmware.com/kb/4646606
Issue date: 2006-11-21
Updated on: 2006-11-21
CVE-2006-5990
- -------------------------------------------------------------------
1. Summary:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643) and
1.4.x before 1.4.1 Patch 1 (Build 33425), does not verify the server's X.509
certificate when creating an SSL session, which allows remote malicious servers
to spoof valid servers via a man-in-the-middle attack
2. Relevant releases:
VMware VirtualCenter client 2.x before 2.0.1 Patch 1 (Build 33643)
VMware VirtualCenter client 1.4.x before 1.4.1 Patch 1 (Build 33425)
3. Problem description:
To ensure a secure channel of communication, you must be sure that any
communication is with "trusted" sites whose identity you can be sure of. Both
the client and server need certificates from a mutually-trusted Certificate
Authority (CA).
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve an issue
with server-certificate verification by VirtualCenter clients during the
initial SSL handshake. Specifically, the x.509 certificate presented by a
server to a client at the beginning of an SSL session is not verified.
VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch 1 resolve this issue
for Windows client hosts.
However, certificate verification is not enabled by default for the clients.
After installing VirtualCenter 2.0.1 Patch 1 or VirtualCenter 1.4.1 Patch 1,
you must specifically enable server-certificate verification on the Windows
client hosts.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned
the name CVE-2006-5990 to this issue.
4. Solution:
Note that installing the updated software does not, by default, enable
authentication. For information about how to enable this new optional
capability, see Knowledge Base (KB) article 4646606, "Enabling Server-
Certificate Verification for Virtual Infrastructure Clients."
http://kb.vmware.com/kb/4646606
Client hosts include:
* VirtualCenter Server host, which operates as a client to each of the
servers that it manages;
VirtualCenter Server 2.x:
* Virtual Infrastructure Client (VI Client, or VIC), client software that
lets you connect to and manage ESX Server hosts directly, or through a
VirtualCenter Server host;
VirtualCenter Server 1.x:
* VirtualCenter Client (VC Client), client software that lets you connect
to and manage ESX Server 2.x hosts through a VirtualCenter Server host
(1.x version).
5. References:
http://www.vmware.com/download/vi/vc-201-200611-patch.html
http://www.vmware.com/download/vc/vc-141-200611-patch.html
http://kb.vmware.com/kb/4646606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5990
6. Contact:
http://www.vmware.com/security
VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html
E-mail: security@xxxxxxxxxx
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
mQGiBETOvBsRBACgKExi0wcncPksfT/c/HpYo8Sesdu8lujOlscso83UQplhFfR9
4wbYUdxpLOmCSmG2jz/Pd7gLADXbZUbF8pU6cKouU3/J7h2y3+uRv5pWUkCtzoxJ
t5JWJix85efWaNvvz4dsk1jWirJebE1lTNmfBB0Oj2AFlo3WlkWcsL52UwCgxyzX
nZCOejYzdYtgaZKEAr6OvaUD+gPyg0yDlhAMD6taCPLq+ZlMvpEnG5iFGhlY0CT9
UCyKbZUbPUQ2iknJwctcZWeFcxayeKDMa8QG8JdP3drmIaMWAYO40lKLC+2u0Bwm
hlZG6fmJktqCtQ/ELm7C+aL2fAma1bPOSieUPAIVv32kBErE+FtWEWrByrI7M9aB
bWQlA/4qbPDaKdWrg6wDWg0mLEs2MxnzXplngsYbjIrEjVVyJd71qHxn1MhdoskA
Q58MLNK5XOI9yFyZBnKoAKyhTe+zM6Pk2Sv7XoCuo+D1P4GTWNSy+AFrsMiUGM60
XW+3QpBXTeymbRVzlIG9Ve9rRLNtz7Pjhe0q5qr0MAUMAOka4rRXVk13YXJlLCBJ
bmMuIC0tIFNlY3VyaXR5IEFsZXJ0IChSZXBsYWNlcyAweEZCNDZENzkzKSA8dm13
YXJlLXNlY3VyaXR5LWFsZXJ0QHZtd2FyZS5jb20+iGYEExECACYFAkTOvBsCGyMF
CQG4lNYGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDoqNCHLak+aXjOAJ9RqJqi
gwQ78x++Ls6h+7aMEPdKGQCfZOlxHsxuNt0YiG0FuQhbRVUU8DCIRgQQEQIABgUC
RM6+qwAKCRAuxkut+0bXkxtxAJ9JtI2KU9DMnigAEcqJNHmTc/3YqgCgwVNki2Vy
I0b02VSgW9WmalSS8X65Ag0ERM68JhAIAIM+EzWb/xesC6PS2hz+2bLSDn8dEIyz
B0hYSfctm+fNtU4n5lfLvAPdoPKOqDQfvJSk5SG6ImGppcTfubCFcyshbNcruj1b
F702dTmqBVfmKlUFv9PUQNm6ZVSM6kNoFhuUwXayZ2P8x4u2WepZmRXPIWLnd/Hr
AWRZOGYJ0RKG9UV74+Yx1xBYUIjYooKUJbXEY4ry0pTUeSpPcOhTm4jTsVaghsCf
2hM2tCRh0TmmVL6qUTsPbIYPdqDacjHkmG7d9/+vM580GlYLycTKppTs1zBItL9Z
gXxl/3XQvSxrwYuy/N+a5k86bSoitl6hdH2ZoGXbgUH53Y8n1nOhY78AAwUH/2UH
NlHFhZcdPtO1lGeWmN7tPO7jCD0Yb5wpE+gs35f3Sb4QXvkjd1DpZ0e5oHYLl68g
LDh1PNMTruSq4F0ke3XdfZPXVjN+R5OjRssmvwcT3U+LeB1KUfWmGCZxXiXOPbLY
s9MwoLuPi3guFNuBtcPBS86CPyN3HBfwBC+XahO98guhoAOFKysF/GVeyyrrPmgW
GcNV9A8uWkPjNB9pOFK4XzFc/4FGUvpJ+cDTauGCyNpvStgErm2WAHrGpiKJyi4R
u6SWJ+A7bA85+cjlToqSMG8jALQrzKKfpTERZsCSxq0hdAB771ND41opNTEw2z+N
h7s6+G171oBWtpKolCqITwQYEQIADwUCRM68JgIbDAUJAbiU1gAKCRDoqNCHLak+
aWTeAKCJxLYg7oqyc2ZIgO5eM+wSdzzGWwCgoG9SvQ+SnBAbuSTeyoqiB95hCOA=
=Ghmi
- - -----END PGP PUBLIC KEY BLOCK-----
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFR+7s6KjQhy2pPmkRArtXAJ4wYbdDwhTJsS9USsjD1RuPoAnRTwCeNnsB
4458eYmwDtxPxWK6NQi/Ly4=
=ZYZA
- -----END PGP SIGNATURE-----
Copyright 2006 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFY4AZ6KjQhy2pPmkRAsIaAKCQaZTN1Z90pFdRWXcjhVqbuegDlACgi9o+
3zyBHpWhFw8Tn0203DhJmr8=
=xqlq
-----END PGP SIGNATURE-----