Multiple vulnerabilities in vSphere Data Protection (VDP)

Published: 2018-01-02 20:35:03
Severity: High
Patch available: Yes
Number of vulnerabilities: 3
CVSSv2:
  7.4 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  6.7 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
  5 (AV:N/AC:L/Au:S/C:C/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3:
  8.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
  8.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
  6.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE ID:
  CVE-2017-15548
  CVE-2017-15549
  CVE-2017-15550
CWE ID:
  CWE-287
  CWE-434
  CWE-22
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: vSphere Data Protection
Vulnerable software versions:
  vSphere Data Protection 5.8.4
  vSphere Data Protection 5.8.3
  vSphere Data Protection 5.8.2
Vendor URL: VMware, Inc
Advisory type: Public

Security Advisory

1) Improper authentication

Description

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an undisclosed error, which can be used to bypass authentication and gain unauthorized root access to the affected system.

Remediation

Install the latest version 6.0.7 or 6.1.6.

External links

https://www.vmware.com/security/advisories/VMSA-2018-0001.html

2) Arbitrary file upload

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to an error which allows a remote authenticated user to upload files with any extension to an arbitrary location on the system. A remote authenticated user with low privileges can execute arbitrary code on the target system.

Remediation

Install the latest version 6.0.7 or 6.1.6.

External links

https://www.vmware.com/security/advisories/VMSA-2018-0001.html

3) Path traversal

Description

The vulnerability allows a remote attacker to view the contents of arbitrary files.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker with low privileges can use path traversal characters (e.g. "../") to view the contents of arbitrary files on the filesystem.
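The two weaknesses in items 2 and 3 (an unrestricted upload location, and unsanitized path components such as "../") share one mitigation: canonicalise the user-supplied path and verify it stays inside the intended directory. The following is an added example written for this page, not VMware or VDP code; the base directory and the extension allowlist are constructed for illustration.

```python
import os
from typing import Optional

# Constructed allowlist for the illustration; a real service would derive
# it from what the upload endpoint is actually meant to accept.
ALLOWED_UPLOAD_EXTENSIONS = {".vmdk", ".log"}


def contained_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path inside base_dir and return the absolute target,
    or None if the result would leave base_dir.

    Canonicalising with realpath, instead of scanning the string for
    "../", also handles "./../", redundant separators and symlinks that
    point outside the base directory (when the symlink exists on disk).
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):  # an absolute path ignores base_dir entirely
        return None
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath compares on directory boundaries; a plain startswith
    # check would wrongly accept "/srv/vdp_other" for base "/srv/vdp".
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def upload_target(base_dir: str, filename: str) -> Optional[str]:
    """Validate an upload request against both weaknesses in the advisory:
    the extension must be allowlisted (CWE-434) and the final location
    must stay inside base_dir (CWE-22). Returns the path to write, or None."""
    _, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_UPLOAD_EXTENSIONS:
        return None
    return contained_path(base_dir, filename)


if __name__ == "__main__":
    base = "/srv/vdp/uploads"  # constructed base directory
    for name in ["backup.vmdk", "../../etc/passwd", "logs/../../etc/hosts",
                 "/etc/hosts", "script.sh", "logs/../notes.log"]:
        print(f"{name!r:28} -> {upload_target(base, name)}")
```

Rejected requests are where detection lives: log the raw filename and the rejecting check, since repeated "../" or absolute-path submissions from a single authenticated account are the signal a defender would alert on.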

Remediation

Install the latest version 6.0.7 or 6.1.6.

External links

https://www.vmware.com/security/advisories/VMSA-2018-0001.html
