Vulnerable Systems:
* VMware Virtual Center 2.5 with WebAccess
* VMware Virtual Center 2.0.2 with WebAccess
* VMware Server 2.0.2 with WebAccess
* VMware Server 1.0.10
* VMware ESX 3.5 with WebAccess
* VMware ESX 3.0.3 with WebAccess
This vulnerability can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network.
WebAccess Context Data Cross-site Scripting Vulnerability
---------------------------------------------------------
A cross-site scripting vulnerability in WebAccess allows for disclosure of sensitive information. The flaw is due to insufficient verification of certain parameters which may lead to redirection of a user's requests.
This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link and the attacker has control of a server on the same network as the system where WebAccess is being used.
WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
-----------------------------------------------------------------
A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to insufficient checking on the names of virtual machines.
In order to exploit the issue, the attacker must have control over the naming of a virtual machine and must get the user to list that virtual machine in WebAccess.
WebAccess URL Forwarding Vulnerability
--------------------------------------
The WebAccess component doesn't sufficiently validate user supplied input and allows for forwarding of an incoming request to another destination. The destination will not be able to see the true origin of the request URL but instead will see the address of the machine that runs WebAccess. An attacker could use the forwarding vulnerability to direct traffic at servers while disguising the source location.
The security issue is limited to URL forwarding. This vulnerability doesn't allow for a so-called cross-site scripting attack and doesn't allow for stealing of the user cookies.
WebAccess JSON Cross-site Scripting Vulnerability
-------------------------------------------------
A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to incorrect parsing of JSON error messages. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link.
Patch Availability:
VMware has made the following patches available:
VMware Virtual Center 2.5 Update 4
VMware Virtual Center 2.5 Update 6
VMware ESX350-201003403-SG
VMware ESX350-200903223-UG
Workaround:
Switching off WebAccess prevents all of the issues above from being exploited.
This can be accomplished on affected versions of Virtual Center and ESX as follows:
Virtual Center 2.0.2 and Virtual Center 2.5:
Open the Windows Services overview on the system that runs Virtual Center.
To stop WebAccess without a reboot:
Stop the VMware Infrastructure Web Access service
To prevent WebAccess from starting after the next reboot:
Set the startup type of the VMware Infrastructure Web Access service to Disabled
ESX 3.0.3 and ESX 3.5:
Open a root shell on ESX.
To stop WebAccess without a reboot: service vmware-webAccess stop
To prevent WebAccess from starting after the next reboot: chkconfig vmware-webAccess off
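The following script is an added example and not VMware's own code: it wraps the two ESX commands above and then re-reads `chkconfig --list` to confirm that WebAccess is no longer enabled in any runlevel, so the workaround is verified rather than assumed. It assumes a root shell on ESX 3.0.3 or 3.5 with the stock `service` and `chkconfig` tools; the listing it parses offline is a constructed sample in the standard SysV format, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not VMware's own code): apply the ESX 3.0.3 / 3.5 workaround
# from the advisory and verify that WebAccess is really stopped and disabled.
# Assumes a root shell on ESX with the stock `service` and `chkconfig` tools.

SVC=vmware-webAccess

# Constructed sample of `chkconfig --list vmware-webAccess` output, in the
# standard SysV format; used only for the offline demonstration at the bottom.
SAMPLE_LISTING="vmware-webAccess 0:off 1:off 2:on 3:on 4:on 5:on 6:off"

# Print the runlevels in which the service is "on", given one chkconfig
# listing line. Pure text processing so it can be checked without an ESX host.
webaccess_enabled_runlevels() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
        }
        print out
    }'
}

# Exit status 0 when the listing shows the service enabled in any runlevel.
webaccess_is_enabled() {
    [ -n "$(webaccess_enabled_runlevels "$1")" ]
}

# Stop WebAccess now, keep it from starting after a reboot, then re-read
# chkconfig and refuse to report success if any runlevel is still "on".
apply_workaround() {
    # "stop" may return non-zero if the service was already stopped; that is
    # not a failure of the workaround, so it is tolerated here.
    service "$SVC" stop || true
    chkconfig "$SVC" off
    listing=$(chkconfig --list "$SVC")
    if webaccess_is_enabled "$listing"; then
        echo "ERROR: $SVC still enabled in runlevels: $(webaccess_enabled_runlevels "$listing")" >&2
        return 1
    fi
    echo "$SVC stopped and disabled"
}

# Offline demonstration on the constructed listing; pass "apply" as the first
# argument to run the real workaround on an ESX host.
if [ "${1:-}" = "apply" ]; then
    apply_workaround
else
    echo "Sample listing enables $SVC in runlevels: $(webaccess_enabled_runlevels "$SAMPLE_LISTING")"
fi
```

Run it as `sh webaccess-off.sh apply` on the ESX Service Console; without the argument it only parses the constructed sample. The post-check matters because `chkconfig off` only edits the runlevel links, so a stray link left in another runlevel (or a typo in the service name) would otherwise go unnoticed until the next reboot brought WebAccess back. The Virtual Center side is not scripted here because the advisory gives only the service's display name, not the short name the `sc.exe` or `net stop` commands need.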