Menu
VMware removes hard-coded root access key from vSphere Data Protection

VMware removes hard-coded root access key from vSphere Data Protection

The company also fixed a stored cross-site scripting flaw in ESXi

Credit: VMware

VMware has released a hotfix for vSphere Data Protection (VDP) to change a hard-coded SSH key that could allow remote attackers to gain root access to the virtual appliance.

VDP is a disk-based backup and recovery product that runs as an open virtual appliance (OVA). It integrates with the VMware vCenter Server and provides centralized management of backup jobs for up to 100 virtual machines.

According to a VMware support article, the vSphere Data Protection (VDP) appliance contains a static SSH private key with a known password. This key allows interoperability with EMC Avamar, a deduplication backup and recovery software solution, and is pre-configured on the VDP as an AuthorizedKey.

"An attacker with access to the internal network, may abuse this to access the appliance with root privileges and further to perform a complete compromise," VMware said.

The company rates this vulnerability as critical and developed a hotfix that can be copied and executed on the appliance to change the default SSH keys and set a new password.

Developing devices with hard-coded access credentials that users can't change is a serious security weakness. Unfortunately, this was common practice in the past and vendors have been trying to clean up such mistakes from their devices for the past few years.

On Tuesday, VMware also fixed a stored cross-site scripting vulnerability in its vSphere Hypervisor (ESXi) product. The flaw is rated as important.

"The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM," the company said in an advisory. "The issue may be triggered on the system from where ESXi Host Client is used to manage the specially crafted VM."

VMware released security fixes for ESXi 5.5 and 6.0 to fix this flaw and advises users not to import VMs from untrusted sources.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments