VMware vSphere Data Protection 5.5.x / 5.8.x / 6.0.x < 6.0.5 / 6.1.x < 6.1.4 Multiple Vulnerabilities (VMSA-2017-0010)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A virtualization appliance installed on the remote host is affected by
multiple vulnerabilities.

Description :

The version of VMware vSphere Data Protection installed on the remote
host is 5.5.x, 5.8.x, or 6.0.x prior to 6.0.5, or it is 6.1.x prior to
6.1.14. It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists when handling Java
deserialization that allows an unauthenticated, remote
attacker to execute arbitrary commands on the appliance.
(CVE-2017-4914)

- An information disclosure vulnerability exists due to
using a weak encryption algorithm that allows a local
attacker to disclose credentials. (CVE-2017-4917)

See also :

http://www.vmware.com/security/advisories/VMSA-2017-0010.html

Solution :

Upgrade to VMware vSphere Data Protection version 6.0.5 / 6.1.14 or
later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 100717

Bugtraq ID: 98936
98939

CVE ID: CVE-2017-4914
CVE-2017-4917
