BeyondTrust


Welcome to the Zeroday Tracker: Your Vulnerability Watchlist


VMware Multiple Products OpenSSL Heartbleed Information Disclosure

Disclosed: April 14, 2014
Zeroday: 193 days

Vulnerability Description:

Various VMware products use OpenSSL, which was recently affected by the "Heartbleed" vulnerability. This vulnerability allows remote attackers to use a flaw in OpenSSL to disclose critical parts of memory, possibly allowing an attacker to recover usernames, passwords, secret keys, and other sensitive information.

Vendors:

VMware

Vulnerable Software/Devices:

ESXi 5.5
NSX-MH 4.x
NSX-V 6.0.x
NVP 3.x
vCenter Server 5.5
vFabric Web Server 5.0.x – 5.3.x
VMware Fusion 6.0.x
VMware Horizon Mirage Edge Gateway 4.4.x
VMware Horizon View 5.3 Feature Pack 1
VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
VMware Horizon View Client for Windows 2.3.x
VMware Horizon Workspace 1.0
VMware Horizon Workspace 1.5
VMware Horizon Workspace 1.8
VMware Horizon Workspace Client for Macintosh 1.5.1
VMware Horizon Workspace Client for Macintosh 1.5.2
VMware Horizon Workspace Client for Windows 1.5.1
VMware Horizon Workspace Client for Windows 1.5.2
VMware Horizon Workspace for Macintosh 1.8
VMware Horizon Workspace for Windows 1.8
VMware OVF Tool 3.5.0
VMware vCloud Automation Center
VMware vCloud Networking and Security

Vulnerability Severity:

High

Exploit Availability:

Publicly Available

Exploit Impact:

Information Disclosure
By sending one or more maliciously crafted packets to a vulnerable OpenSSL installation, an attacker may be able to leak memory from the target machine. This may allow a remote attacker to recover sensitive information, such as usernames and passwords. An attacker may send multiple crafted packets to leak more memory, increasing the amount of information that may be recovered.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 33689 - VMware ESXi 5.5 OpenSSL Heartbleed Information Disclosure (Zero-Day)
  • 33690 - VMware VCenter Server 5.5 OpenSSL Heartbleed Information Disclosure (Zero-Day)
  • 33691 - VMware vFabric Web Server OpenSSL Heartbleed Information Disclosure (Zero-Day)
  • 33692 - VMware Fusion OpenSSL Heartbleed Information Disclosure (Zero-Day)
  • 33694 - VMware OVF Tool OpenSSL Heartbleed Information Disclosure (Zero-Day) - Windows
  • 33696 - VMware OVF Tool OpenSSL Heartbleed Information Disclosure (Zero-Day) - Linux

Mitigation:

No mitigations are currently available. OpenSSL 1.0.1g contains a fix; however, it is up to software vendors to apply the updated version to their proprietary software.
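Because the fix arrives only when each vendor ships an updated OpenSSL, it helps to know which bundled builds still predate 1.0.1g. The following is an added example, not BeyondTrust or VMware code: it classifies OpenSSL version banners collected from an inventory, assuming the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), with hypothetical function names and a constructed sample inventory.

```python
import re

# Assumption (upstream OpenSSL facts, not stated on the page): the affected
# releases are 1.0.1 through 1.0.1f and 1.0.2-beta1; the 0.9.8 and 1.0.0
# branches never shipped the heartbeat code.
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.I)


def classify_openssl(banner):
    """Map a version banner to 'affected', 'fixed', 'not-affected' or 'unknown'."""
    m = _VERSION.search(banner or "")
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = (m.group(5) or "").lower()
    if release < (1, 0, 1):
        return "not-affected"
    if release == (1, 0, 1):
        if beta:
            return "unknown"  # 1.0.1 pre-releases: verify by hand
        # Patch letters sort alphabetically: "" (1.0.1) < "a" < ... < "f" < "g".
        return "affected" if letter < "g" else "fixed"
    if release == (1, 0, 2) and not letter and beta == "beta1":
        return "affected"
    return "fixed"


def triage(inventory):
    """Return the sorted names whose bundled OpenSSL needs a vendor update or manual check."""
    return sorted(name for name, banner in inventory.items()
                  if classify_openssl(banner) in ("affected", "unknown"))


# Constructed sample inventory: names and banners are illustrative, not from the page.
SAMPLE = {
    "appliance-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "appliance-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "appliance-c": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance-d": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance-e": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "appliance-f": "version string missing",
}

if __name__ == "__main__":
    for name in sorted(SAMPLE):
        print(name, classify_openssl(SAMPLE[name]))
    print("follow up:", triage(SAMPLE))
```

Treat an "affected" result as a prompt to check the vendor's advisory rather than as proof: a vendor or distribution can backport the fix without changing the version string, and a build compiled with `-DOPENSSL_NO_HEARTBEATS` does not contain the affected code.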

Links:

CVE(s):