
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN336

_____________________________________________________________________

DATE                : 25/10/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running vCenter Server Appliance versions 6.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2019-0018.html
_____________________________________________________________________

VMware Security Advisories

+---------+------------------------------------------------------------+
|Advisory |VMSA-2019-0018                                              |
|ID       |                                                            |
+---------+------------------------------------------------------------+
|Advisory |Moderate                                                    |
|Severity |                                                            |
+---------+------------------------------------------------------------+
|CVSSv3   |6.8                                                         |
|Range    |                                                            |
+---------+------------------------------------------------------------+
|         |VMware vCenter Server Appliance updates address sensitive   |
|Synopsis |information disclosure vulnerability in backup and restore  |
|         |functions (CVE-2019-5537, CVE-2019-5538)                    |
+---------+------------------------------------------------------------+
|Issue    |2019-10-24                                                  |
|Date     |                                                            |
+---------+------------------------------------------------------------+
|Updated  |2019-10-24 (Initial Advisory)                               |
|On       |                                                            |
+---------+------------------------------------------------------------+
|CVE(s)   |CVE-2019-5537, CVE-2019-5538                                |
+---------+------------------------------------------------------------+


1. Impacted Products

VMware vCenter Server Appliance


2. Introduction

Vulnerabilities in the File-Based Backup and Restore functions of
vCenter Server Appliance were privately reported to the VMware
Security Response Center. Updates are available which allow
enablement of strict certificate validation to remediate these
vulnerabilities.


3. VMware vCenter Server Appliance sensitive information disclosure
vulnerabilities in File-Based Backup and Restore functions
(CVE-2019-5537 and CVE-2019-5538)

Description:
Sensitive information disclosure vulnerabilities resulting from a
lack of certificate validation during the File-Based Backup and
Restore operations of VMware vCenter Server Appliance may allow a
malicious actor to intercept sensitive data in transit over FTPS and
HTTPS (CVE-2019-5537) as well as SCP (CVE-2019-5538). VMware has
evaluated the severity of these issues to be in the
Moderate severity range with a maximum CVSSv3 base score of 6.8.


Known Attack Vectors:
A malicious actor with man-in-the-middle positioning between vCenter
Server Appliance and a backup target may be able to intercept
sensitive data in transit during File-Based Backup and Restore
operations.


Resolution:
To remediate CVE-2019-5537 and CVE-2019-5538 first apply the patches
listed in the 'Fixed Version' column and then follow the instructions
documented in KB75156 listed in the 'Additional Documentation' column
found in the 'Resolution Matrix' below to enforce strict certificate
validation.


Workarounds:
None.


Additional Documentation:
To avoid breaking currently configured File-Based Backup and
Restore workflows, remediation of CVE-2019-5537 and CVE-2019-5538
is not enabled by default. After upgrading vCenter Server Appliance,
follow the steps in KB75156 to enforce strict certificate validation.
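The weak and the remediated transport settings side by side, as an added example that is not part of this advisory, of VMware's backup code, or of KB75156: a permissive TLS client context of the kind that lets a man-in-the-middle present its own certificate and read FTPS/HTTPS backup traffic, the strict context that enforces chain and hostname validation, an audit helper that flags the weak settings, and an FTPS connect routine that refuses a context the audit rejects. All function and tag names are illustrative assumptions.

```python
import ssl
from ftplib import FTP_TLS
from typing import List, Optional

# Illustrative helpers only (assumed names); not vCenter's backup code
# and not the procedure from KB75156.

def permissive_context() -> ssl.SSLContext:
    """The vulnerable pattern: a TLS client that accepts any certificate,
    so a man-in-the-middle can present its own and read the backup stream."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx

def strict_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Remediated pattern: chain validation against a trust store plus
    hostname matching, and no TLS version below 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a tag for each setting that would expose backup data in transit;
    an empty list means the context enforces strict certificate validation."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-validation")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-tls-version")
    return findings

def open_ftps_backup_target(host: str, user: str, password: str,
                            ctx: Optional[ssl.SSLContext] = None) -> FTP_TLS:
    """Connect to an FTPS backup target with explicit TLS on both channels.
    Refuses to proceed if the supplied context would not validate the peer."""
    ctx = ctx or strict_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure backup transport: " + ", ".join(problems))
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, 21)
    ftp.auth()    # AUTH TLS on the control channel; the peer certificate is validated here
    ftp.login(user, password)
    ftp.prot_p()  # PROT P: the data channel carrying the backup bytes is TLS-protected too
    return ftp
```

The same strict context can be passed to urllib or a requests session for an HTTPS target; the audit only covers the TLS protocols (FTPS/HTTPS), not the SCP host-key check that CVE-2019-5538 concerns.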


Notes:
None.


Acknowledgements:

VMware would like to thank Thorsten Tullmann, Karlsruhe Institute
of Technology and James Renken for independently reporting these
issues to us.


Response Matrix:

+---------+-------+---------+--------------+------+--------+----------+-----------+----------+
|Product  |Version|Running  |CVE Identifier|CVSSV3|Severity|Fixed     |Workarounds|Additional|
|         |       |On       |              |      |        |Version   |           |Documents |
+---------+-------+---------+--------------+------+--------+----------+-----------+----------+
|vCenter  |       |Virtual  |CVE-2019-5537,|      |        |          |           |          |
|Server   |6.7    |Appliance|CVE-2019-5538 |6.8   |Moderate|6.7u3a    |None       |KB75156   |
|Appliance|       |         |              |      |        |          |           |          |
+---------+-------+---------+--------------+------+--------+----------+-----------+----------+
|vCenter  |       |Virtual  |CVE-2019-5537,|      |        |          |           |          |
|Server   |6.5    |Appliance|CVE-2019-5538 |6.8   |Moderate|6.5u3d    |None       |KB75156   |
|Appliance|       |         |              |      |        |          |           |          |
+---------+-------+---------+--------------+------+--------+----------+-----------+----------+
|vCenter  |       |Virtual  |CVE-2019-5537,|      |        |          |           |          |
|Server   |6.0    |Appliance|CVE-2019-5538 |N/A   |N/A     |Unaffected|None       |None      |
|Appliance|       |         |              |      |        |          |           |          |
+---------+-------+---------+--------------+------+--------+----------+-----------+----------+


4. References

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5538


Fixed Version(s) and Release Notes:

VMware vCenter Server Appliance 6.7u3a
https://my.vmware.com/web/vmware/details?productId=742&rPId=38207&downloadGroup=VC67U3a

VMware vCenter Server Appliance 6.5u3d
https://my.vmware.com/web/vmware/details?productId=614&rPId=38398&downloadGroup=ESXI65U3D


Additional Documentation:
https://kb.vmware.com/s/article/75156



5. Change log

2019-10-24: VMSA-2019-0018

Initial security advisory detailing remediations for CVE-2019-5537
and CVE-2019-5538 in VMware vCenter Server Appliance 6.7u3a and
6.5u3d.



6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org


E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC


Copyright 2019 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


