VMware Fixes vCenter Server Hole

Monday, September 21, 2015 @ 03:09 PM gHale

VMware released updates that address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server.

Users should replace VMware vCenter Server 6.0 and VMware vCenter Server 5.5 running on any system with version 6.0 update 1 and version 5.5 update 3, respectively, according to an advisory.


Versions 5.1 and 5.0 do not suffer from the issue.

“VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS,” the advisory said. “Exploitation of this vulnerability may allow an attacker that is able to intercept traffic between vCenter Server and the LDAP server to capture sensitive information.”

A remote user who successfully executes a man-in-the-middle attack between the LDAP server and the target system could intercept the network traffic.
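The flaw the advisory describes is an LDAP client that binds over TLS without checking the server's certificate. The sketch below is an added example, not VMware's code: it uses Python's standard `ssl` module to build the unvalidated client settings beside the corrected ones and audits each; the function names are hypothetical.

```python
import ssl

def unvalidated_ldap_context():
    """Client TLS settings equivalent to the flaw: the certificate is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including an interceptor's, passes
    return ctx

def chain_only_ldap_context():
    """Chain is verified but the name is not: any certificate from a trusted CA passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def validated_ldap_context(cafile=None):
    """Corrected settings: verify the chain and match the name to the LDAP host.

    cafile is an optional path to the CA bundle that issued the directory
    server's certificate (assumption: system trust store is used when omitted).
    """
    return ssl.create_default_context(cafile=cafile)

def audit_ldap_tls(ctx):
    """Return a list of findings for a client context used for LDAPS or StartTLS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched to the LDAP server hostname")
    return findings

if __name__ == "__main__":
    for name, build in [("unvalidated", unvalidated_ldap_context),
                        ("chain only", chain_only_ldap_context),
                        ("validated", validated_ldap_context)]:
        findings = audit_ldap_tls(build())
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

With either of the first two contexts, a handshake against an interposed server can complete without an error, so the bind credentials travel over a channel the interceptor terminates; with the validated context the handshake fails instead.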