VMware Fixes vCenter Server Hole
Monday, September 21, 2015 @ 03:09 PM gHale
VMware released updates that address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server.
Users running VMware vCenter Server 6.0 or VMware vCenter Server 5.5 on any system should update to version 6.0 update 1 or version 5.5 update 3, respectively, according to an advisory.
Versions 5.1 and 5.0 do not suffer from the issue.
“VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS,” the advisory said. “Exploitation of this vulnerability may allow an attacker that is able to intercept traffic between vCenter Server and the LDAP server to capture sensitive information.”
A remote user who successfully executes a man-in-the-middle attack between the LDAP server and the target system could intercept that network traffic.
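The flaw class the advisory describes, a TLS client that encrypts the LDAP bind without authenticating the server, is shown below as an added example in Python's standard ssl module; it is not VMware's code. The function names and the audit helper are hypothetical, and the host passed to open_ldaps is supplied by the caller.

```python
import socket
import ssl

def insecure_ldaps_context():
    """Encrypts the session but accepts any server certificate,
    so an interposed host can terminate TLS and read the bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_ldaps_context(cafile=None):
    """Requires a chain to a trusted CA and a certificate that matches
    the LDAP server's hostname. cafile may point at a private CA bundle."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return findings for a client context; an empty list means the
    server is authenticated before any credentials are sent."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings

def open_ldaps(host, ctx, port=636, timeout=5):
    """Open a TLS session to an LDAPS endpoint, refusing contexts that
    would skip validation. Raises ssl.SSLCertVerificationError if the
    server's certificate does not validate."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    sock = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname check
    return ctx.wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_ldaps_context()),
                      ("hardened", hardened_ldaps_context())):
        print(name, audit_context(ctx) or "ok")
```
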