VMware webAccess Man-in-the-Middle Vulnerability and How to Dodge It

I have written in previous blogs that VMware webAccess suffers from a SSL MiTM [Man in the Middle] vulnerability. Actually more to the point the client side of the webAccess suffers from this and it has nothing really to do with VMware however they could alleviate the issue.

The vulnerability is best known and most obvious when certificates are used over the web.

These certificates are displayed to the user to allow for authentication. Unfortunately, and hopefully you are not one of them, most people will just click the Ignore, OK, or “Hey, I Checked This and it’s Good” buttons. Then the Web application will hum merrily on it way whether it’s safe to do so or not.

The user doesn’t know whether the certificate is incorrect or, worse, a fraud supplied by a malicious party.

So it behooves the user to be savvy about known certificates, or for the software to be smarter about how this is handled. In effect the malicious party can see all the data transferred in clear text. This includes passwords, account numbers and other credentials.

As I said this is not a new vulnerability and protecting from it is very important but at the same time very difficult.

And that’s without virtulization to complicate things. Add in the VMware VI SDK and the proliferation of user-designed and third-party code and you do have a problem. These users depend on the VI SDK to properly handle the connection to the webAccess in order to control various features of the VMware Virtual Infrastructure.

The solution? Use client code that authenticates the server certificate. Don’t leave this up to a user who may not know any better.

The SDKs need to be updated to do this as they do not currently authenticate the server. webAccess should contain some client side code that does this as well.

But for now the best you can do is be vigilant about the certificates you see within the VMware Virtual Infrastructure and pretty much any web application.

Look at them, inspect them, and verify them. Do not just press ignore in the VIC or your web browser and hope for the best. Also limit which machines can access webAccess using standard Linux TCP Wrappers functionality.

Virtualization expert Edward L. Haletky is the author of “VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.