Vigil@nce - VMware vCenter Server: Man-in-the-Middle of LDAP
November 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle between the LDAP server
and VMware vCenter Server, in order to read or write data in the
session.
– Impacted products: vCenter, VMware vSphere.
– Severity: 2/4.
– Creation date: 17/09/2015.
DESCRIPTION OF THE VULNERABILITY
The VMware vCenter Server product uses the TLS protocol to create
secure sessions to an LDAP server.
However, the X.509 certificate and the service identity are not
correctly checked.
An attacker can therefore act as a Man-in-the-Middle between the
LDAP server and VMware vCenter Server, in order to read or write
data in the session.
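The two checks named above (X.509 certificate validation and service identity verification), shown for a generic LDAPS client as an added example; this is not VMware's or Vigil@nce's code. All function names, the port default and the sample contexts are assumptions constructed for illustration.

```python
import socket
import ssl

def lax_context():
    """Constructed 'before' case: TLS is negotiated, but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, including an interceptor's
    return ctx

def chain_only_context():
    """Constructed partial case: the chain is validated, the service identity is not."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verify_mode defaults to CERT_REQUIRED
    ctx.check_hostname = False       # a valid certificate issued for another name passes
    return ctx

def strict_context(cafile=None):
    """Hardened case: chain validation against trusted CAs plus hostname matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return which of the two checks a client TLS context is missing."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("X.509 certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("service identity (hostname) is not verified")
    return findings

def open_ldaps(host, port=636, ctx=None, timeout=5.0):
    """Open a TLS socket to an LDAP server, refusing contexts that skip either check."""
    ctx = ctx if ctx is not None else strict_context()
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing LDAPS connection: " + "; ".join(findings))
    sock = socket.create_connection((host, port), timeout=timeout)
    # server_hostname is the name the server certificate is matched against
    return ctx.wrap_socket(sock, server_hostname=host)

if __name__ == "__main__":
    for name, make in (("lax", lax_context), ("chain-only", chain_only_context),
                       ("strict", strict_context)):
        print(name, audit_context(make()) or "ok")
```

The chain-only case is the one most easily missed in review: the certificate is validated against a trusted CA, yet a certificate issued for a different name is still accepted.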
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-vCenter-Server-Man-in-the-Middle-of-LDAP-17914