Vigil@nce - VMware vCenter Server: Man-in-the-Middle of Client Integration Plugin
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle of Client Integration
Plugin on VMware vCenter Server, in order to read or write data in
the session.
Impacted products: vCenter, VMware vSphere, VMware vSphere
Hypervisor.
Severity: 2/4.
Creation date: 15/04/2016.
DESCRIPTION OF THE VULNERABILITY
The VMware vCenter Server product uses the TLS protocol, in order
to create secure sessions with the Client Integration Plugin.
However, the X.509 certificate and the service identity are not
correctly checked.
An attacker can therefore act as a Man-in-the-Middle of Client
Integration Plugin on VMware vCenter Server, in order to read or
write data in the session.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN