VMware ESX 4.0 Cross-Site Scripting Vulnerability

A security advisory released today by leading Australian information security consultancy StratSec warns of a security weakness in a third-party component used by many software companies, including VMware, potentially allowing the theft of user credentials.

The vendor of the third party component – WebWorks – worked with VMware and stratsec for approximately six months to develop the necessary patches to minimise the security risk to their clients.

During the course of our research at stratsec (www.stratsec.net) we have identified several cross-site scripting (XSS) vulnerabilities in the latest version of the VMware Infrastructure Web Access system used in several VMware products. After subsequent discussion with VMware, the issue was identified to be present in a third party component utilised by VMware, namely WebWorks Help.

Interestingly, VMware was notified on 13/07/2009 and is only now releasing a bug fix.

In general, cross-site scripting vulnerabilities allow the theft of credentials associated with the domain on which the XSS bug exists.

In this particular case, an exploit would grant an attacker access to the VMware Infrastructure Web Access interface, which can be used to access the console interface of any virtual machine the user has access to, change networking modes for virtual network devices, create virtual machines, etc.

Congratulations to StratSec, an Australian-owned security advisory company.

Affected Products:

  • VMware vCenter 4.0
  • VMware Server 2.0.2
  • VMware ESX 4.0
  • VMware Lab Manager (all)
  • VMware Stage Manager (all)

VMware Security Advisories (VMSA-2009-0017) – http://www.vmware.com/security/advisories/VMSA-2009-0017.html