Security

VMware warns of critical remote code execution flaw in vSphere HTML5 client

If you don't patch, the hosts driving all your virty servers are at risk. So maybe your to-do list needs a tickle?


VMware has revealed a critical-rated bug in the HTML5 client for its flagship vSphere hybrid cloud suite.

"The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin," says VMware's notification. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server."

As vCenter Server is the tool that drives a fleet of virtual servers, this CVSS 9.8-rated bug (CVE-2021-21972) is nasty.

A fix, detailed here, is needed for vSphere versions prior to 7.0 U1c, 6.7 U3l, and 6.5 U3n. As those releases are all at least a few weeks old, users may already have addressed the issue. Users of Cloud Foundation 3.x and 4.x also need to get patching, pronto.

While you're patching that nasty, you may as well also knock off a second HTML client bug (CVE-2021-21973) that VMware says could allow "a malicious actor with network access to port 443" to "exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure."

The same versions of vSphere and Cloud Foundation mentioned above need fixing, with details and downloads to do so here.
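As an added example (not part of The Register's article or of VMware's advisory), the following Python script turns the fixed releases quoted above into a triage check for a vCenter inventory: every vCenter on a listed release train that is older than its fixed release is flagged as still exposed to the vSphere Client bugs. It assumes version strings in the "X.Y UNl" notation the article uses (a GA release has no update, an update may carry a patch letter), and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases for the vSphere Client bugs (CVE-2021-21972, CVE-2021-21973),
# as stated in VMware's advisory and quoted in the article: within each release
# train, anything older than these is affected.
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (7, 0): "7.0 U1c",
    (6, 7): "6.7 U3l",
    (6, 5): "6.5 U3n",
}

# Assumed notation: "<major>.<minor>" optionally followed by " U<update><letter>",
# e.g. "7.0", "7.0 U1", "7.0 U1c". Other VMware notations (build numbers,
# "7.0.1" style) are deliberately rejected rather than guessed at.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*U(\d+)([A-Za-z])?)?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '6.7 U3l' into a sortable tuple (major, minor, update, letter_rank).

    A GA release has update 0; an update without a patch letter has
    letter_rank 0, so 7.0 < 7.0 U1 < 7.0 U1a < 7.0 U1c < 7.0 U2.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vSphere version string: {text!r}")
    major, minor, update, letter = m.groups()
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return int(major), int(minor), int(update) if update else 0, letter_rank


def assess(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one vCenter version."""
    major, minor, update, letter_rank = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        # Release train not named in the advisory (e.g. 6.0): don't guess.
        return "unknown"
    _, _, fixed_update, fixed_letter = parse_version(fixed)
    if (update, letter_rank) < (fixed_update, fixed_letter):
        return "vulnerable"
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group an {hostname: version} inventory by patch status."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vcsa-prod-01": "7.0 U1",
    "vcsa-prod-02": "7.0 U1c",
    "vcsa-dr-01": "6.7 U3k",
    "vcsa-lab-01": "6.5 U3n",
    "vcsa-legacy-01": "6.0 U3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts that come back "unknown" are on a release train the advisory does not name, so the script refuses to call them safe; treat them as needing a manual check against VMware's current advisory rather than as patched.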

Your work's not done once that's sorted because VMware has also fixed up an 8.8-rated flaw (CVE-2021-21974) in its ESXi hypervisor, where "a malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution."

OpenSLP is an open-source implementation of the IETF Service Location Protocol. Details of how to fix that little mess can be found here and demand your attention if you run vSphere 6.5 and up, or Cloud Foundation 3 or higher. VMware's recent update to its guidance on vSphere security recommended disabling OpenSLP if it's not in use. But that guidance only emerged two weeks ago.

VMware has tipped its hat to Mikhail Klyuchnikov of Positive Technologies for the vSphere client bugs and Lucas Leong of Trend Micro's Zero Day Initiative for the OpenSLP bug.

VMware's HTML5 client replaced a Flash-based tool because Virtzilla knew that Adobe's buggy mess was on death row. The HTML5 client oozed out over years, only achieving feature parity more than two years after initial release.

Today's bugs won't leave vAdmins pining for the good old days of Flash, but with a new UI for ESXi in the works, they'll need to remain vigilant. ®

Codecov dev tool warns of stolen credentials from compromised script, undiscovered for two months

Environment variables full of secrets uploaded to attacker server

Codecov, makers of a code coverage tool used by over 29,000 customers, has warned that a compromised script may have stolen credentials over a period of two months, before it was discovered a few weeks ago.

Code coverage measures how much of an application’s code is the subject of unit tests, the idea being that the higher the percentage, the more reliable the application is likely to be. It is a useful but imperfect metric, since it does not take into account the quality of the tests.

Codecov is a cloud-based tool which integrates with GitHub, GitLab, Atlassian Bitbucket, or any Git-based repository. Developers run tests using their own CI (Continuous Integration) tool and then upload the results to Codecov using a tool called Bash Uploader. Codecov then generates a report which is accessed on its site. Source code itself is not stored on Codecov’s site, but the tool does require read access to a repository in order to display code alongside reports on demand.

More Linux love for Windows Insiders with a kernel update

Rounded corners are nice, but what you really want is Linux 5.10, right?

Windows Insiders have been given a bit of Linux love with the arrival of a freshly updated kernel and an all-important clock fix.

Having yanked the Windows Subsystem for Linux (WSL) 2 out of the usual Windows servicing cadence, Microsoft's engineers have been able to update WSL 2 without requiring a full-on OS patch.

The original 4.19 branch was updated to 5.4.72 in February. The kernel has now been brought considerably more up to date with the 5.10.16.3 version.

Sysadmin for FIN7 criminal cracking group gets 10 years in US prison for managing card slurping malware scam

Plus Pwn2Own faces fire and update Chrome immediately

In Brief The former systems administrator for the FIN7 card-slurping gang has been sentenced to 10 years in a US prison.

Fedir Hladyr, 35, pled guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking last year, and on Friday was sentenced for his role in the theft and resale of over 20 million customer card records from over 6,500 point-of-sale terminals across the US using the malware dubbed Carbanak.

Hladyr set up a front company, Combi Security, to cover his actions as he funneled the purloined data around the criminal underworld. He managed the encrypted comms network the gang used, ran the server farms used to spread and exploit malware, and coordinated individual attacks.

Japanese auto chipmaker Renesas expects to resume full production next month following fab blaze

Glimmer of hope on the semiconductor front – for the car industry anyway

Japanese chipmaker Renesas has said it will restore full production capacity at its N3 Naka plant by the middle of next month following a blaze in March that destroyed equipment and contaminated the clean room.

Renesas, which accounts for a third of all automotive semiconductor sales globally, said it expects to be at half-capacity by the end of April. CEO Hidetoshi Shibata confirmed in a press conference the company plans to install new fire suppression equipment to prevent any future fires.

Operations at the Naka N3 clean room resumed on 9 April. According to a notice from Renesas, the company had to rely on over 1,600 workers each day (both internal and from third parties) to rebuild and decontaminate the clean room, illustrating both the scale of destruction and difficulty in restoration.

Huawei could have snooped on the Dutch prime minister's phone calls thanks to KPN network core access

Nobody caught – er, held us responsible, says Chinese firm

Huawei was able to snoop on the Dutch prime minister's phone calls and track down Chinese dissidents because it was included in the core of the Netherlands' mobile networks, an explosive news report has claimed.

Dutch national daily Volkskrant (behind a paywall) reported over the weekend that mobile operator KPN, which used Huawei-supplied equipment in the core of its network, discovered the full extent of the Chinese company's doings in 2010 after it commissioned Capgemini to write an outsourcing risk analysis report.

Not only could the prime minister be eavesdropped on by Huawei, along with millions of other customers, said KPN as it quoted the report, but it could also identify people being snooped on by the Dutch state as well.

On a dusty red planet almost 290 million km away... NASA's Ingenuity Mars Helicopter flies

NASA’s JPL lab speaks to The Reg

The first human-made helicopter to take flight on another planet, Ingenuity, has hovered in Martian skies after NASA at last launched the device into the air.

Amid cheers, engineers confirmed the diminutive helicopter had spun up its rotors, taken off, landed and spun everything down, leaving the stage set for further tests. An image from the helicopter's onboard navigation camera showing its shadow on the surface of Mars was swiftly followed by another sequence from the Perseverance rover showing the helicopter hovering.

Oracle cuts support for South African energy biz Eskom in long-running licensing dispute

'Eskom should pay the pending dues for the Oracle software that they use'

Oracle has pulled the plug on support for software described as "quite essential" to "crucial operations" at South African energy firm Eskom as part of an ongoing licensing dispute.

Eskom spokesman Sikonathi Mantshantsha said Big Red had withdrawn support for multiple software systems after the electricity provider failed to have the courts compel Oracle to continue while the dispute was settled. Eskom had also offered to pay what it thought it owed upfront until the figure was agreed in court.

Mantshantsha confirmed that Oracle had withdrawn some of its technical support services. "Eskom has contingency plans in place to reduce the risk of disruption resulting from the dispute with Oracle," he said.

Plot twist! South Korean telco uses 5G to fight coronavirus via hospital-patrolling robot

Modified Keemi disinfects, takes temperatures, tells you off for not socially distancing

South Korea Telecom (SKT) has linked up with Yongin Severance Hospital to commercialise and deploy facility-roaming robots that minimise the need for face-to-face contact, thus supporting reduced COVID transmission.

"The plan is to ensure that citizens can safely use the hospital through a 24-hour constant quarantine system, and to further strengthen the infection control system in the hospital so that patients in the Corona 19 environment can receive treatment at the National Safety Hospital without anxiety of infection," said SKT in a canned statement.

The robots take temperatures via facial measurements. Mask checks are done through facial recognition, AI technology, and voice guidance warnings. Social distancing is analysed via AI technology and 3D cameras that can calculate distance. During the day, the robot offers hand-sanitising services. At night, it sterilises the environment via UV rays. Operation and other real-time data is communicated to operators over 5G.

UK Home Office tenders £5m for a supplier to help it greenlight IT projects. Yes, you read that correctly

Procurement raises questions over supplier creating its own sales pipeline within govt

The UK's Home Office is tendering to recruit a supplier to help manage the selection of its IT projects, leading to concerns over conflict of interest.

The notice published in the public sector Digital Marketplace is seeking a company to help deliver and operate the "discovery-as-a-service" capability for the "Innovation - Law Enforcement" (I-LE) function within the Police and Public Protection Technology Portfolio (PPPT), with a £5m contract on the table.

The snappy moniker – DaaS – alludes to the discovery phase in the UK government's IT project service manual. Discovery, it says, means learning about users and what they're trying to achieve; constraints the project faces in making changes to how the service is run because, for example, of technology or legislation; and the underlying policy intent the project is set to address and so on.

Brit authorities could legally do an FBI and scrub malware from compromised boxen without your knowledge

Would move for The Greater Good™ actually be good, though?

Comment UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments – but some members of the British infosec industry are remarkably quiet about whether this would be a good thing.

In the middle of last week the American authorities made waves after deleting web shells from Exchange Server deployments compromised in the Hafnium attacks. The agency had gone to the US federal courts for permission, which it received.

The entire infosec world had been bellowing at IT admins to update and mitigate the vulns, which were being exploited by skilled and malicious people who found the remote-code-execution bug. Nonetheless, some laggards still hadn't bothered – and with compromised boxen providing a useful base for criminals to launch further attacks from, evidently the FBI felt the wider risk was too great not to step in.

Truth and consequences for enterprise AI as EU know who goes legal: GDPR of everything from chatbots to machine learning

Regulations On A European Approach For Artificial Intelligence

One of the Brexit bonuses we’ve been enjoying since January 1st is that we have abandoned our influence within the world’s regulatory superpower.

America and China may have industrial and military dominance, but by placing a decent proportion of global economic activity under the world’s strongest regulatory regime, the EU forces the pace for everyone else. GDPR commands respect around the world.

So when the draft "Regulation On A European Approach For Artificial Intelligence" leaked earlier this week, it made quite the splash - and not just because it’s the size of a novella. It goes to town on AI just as fiercely as GDPR did on data, proposing chains of responsibility, defining "high risk AI" that gets the full force of the regs, proposing multi-million euro fines for non-compliance, and defining a whole set of harmful behaviours and limits to what AI can do with individuals and in general.
