
VMware vCenter Server Appliance – Backup and Restore Vulnerability (VMSA-2019-0018)

VMware has released a new security advisory VMSA-2019-0018 (VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions).

Advisory ID: VMSA-2019-0018
Advisory Severity: Moderate
CVSSv3 Range: 6.8
Synopsis: VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538)
Issue Date: 2019-10-24
Updated On: 2019-10-24 (Initial Advisory)
CVE(s): CVE-2019-5537, CVE-2019-5538

This advisory documents the remediation of one issue, rated Moderate. Sensitive information disclosure vulnerabilities resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance may allow a malicious actor to intercept sensitive data in transit over FTPS, HTTPS, or SCP. Because the appliance did not verify the identity of the backup target, an on-path attacker could present their own certificate or SSH host key and read or alter the backup stream, which contains the vCenter database, configuration and credentials.

A man-in-the-middle positioned between vCenter Server Appliance and a backup target may be able to intercept data in transit during File-Based Backup and Restore operations.

The identifiers CVE-2019-5537 (data interception over FTPS and HTTPS) and CVE-2019-5538 (data interception over SCP) were assigned to this vulnerability.

Affected products and resolutions:

  • vCenter Server Appliance 6.7 – update to 6.7 Update 3a
  • vCenter Server Appliance 6.5 – update to 6.5 Update 3d

Remediation of CVE-2019-5537 and CVE-2019-5538 is not enabled by default. After upgrading the vCenter Server Appliance, follow the steps in KB75156 (Enabling secure backup and restore in the vCenter Server Appliance) to enforce strict certificate validation.
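To make concrete what "strict certificate validation" buys you, here is an added illustration (not VMware's backup client code, and not the steps from KB75156) of the two client-side checks the advisory is about: a TLS context for FTPS/HTTPS that accepts any certificate beside one that requires a trusted chain and a matching hostname, and an SSH host-key pin for SCP so that an unknown or changed host key refuses the transfer instead of silently talking to an attacker. The host name `backup.example.internal` and the two Ed25519 key blobs are constructed for the example.

```python
import base64
import hashlib
import hmac
import ssl
import struct

# Added example, not VMware code. The advisory describes two failure modes:
# (1) an FTPS/HTTPS client that does not verify the backup target's certificate
# chain or hostname, and (2) an SCP client that does not check the SSH host key.
# Either one lets an on-path attacker substitute their own identity.


def permissive_tls_context():
    """The weak configuration: any certificate for any hostname is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_tls_context(cafile=None):
    """The hardened configuration: the chain must validate against a trusted CA
    (system store, or a private CA bundle passed as cafile) and the certificate
    must match the host we are connecting to."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """Pre-flight check an operator can run on whatever context a client uses."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# --- SCP side: pin the backup target's SSH host key -------------------------

def ssh_sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint of a base64 public key blob, the same string
    `ssh-keygen -lf` prints on the backup host (padding '=' stripped)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map host -> (keytype, key_b64) from plain known_hosts lines.
    Hashed hosts and @marker lines are out of scope for this illustration."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key_b64 = line.split()[:3]
        for host in hosts.split(","):
            pins[host] = (keytype, key_b64)
    return pins


def host_key_accepted(pins, host, keytype, presented_b64):
    """StrictHostKeyChecking=yes semantics: an unknown host, a different key
    type, or a key that differs from the pinned one aborts before any data flows."""
    pinned = pins.get(host)
    if pinned is None:
        return False
    pinned_type, pinned_b64 = pinned
    if pinned_type != keytype:
        return False
    return hmac.compare_digest(base64.b64decode(pinned_b64),
                               base64.b64decode(presented_b64))


def _ed25519_blob(raw32):
    """Constructed SSH wire-format blob: string 'ssh-ed25519', string <32 bytes>."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32


# Constructed sample data: the legitimate target's key and a rogue one.
GOOD_KEY_B64 = base64.b64encode(_ed25519_blob(bytes(range(32)))).decode()
ROGUE_KEY_B64 = base64.b64encode(_ed25519_blob(bytes(range(32, 64)))).decode()
KNOWN_HOSTS = "backup.example.internal ssh-ed25519 " + GOOD_KEY_B64 + "\n"


def demo():
    """Returns the four outcomes an operator should expect."""
    pins = parse_known_hosts(KNOWN_HOSTS)
    return {
        "weak_tls_is_strict": context_is_strict(permissive_tls_context()),
        "hardened_tls_is_strict": context_is_strict(strict_tls_context()),
        "genuine_key_accepted": host_key_accepted(pins, "backup.example.internal",
                                                  "ssh-ed25519", GOOD_KEY_B64),
        "rogue_key_accepted": host_key_accepted(pins, "backup.example.internal",
                                                "ssh-ed25519", ROGUE_KEY_B64),
    }


if __name__ == "__main__":
    print(demo())
    print("pinned fingerprint:", ssh_sha256_fingerprint(GOOD_KEY_B64))
```

The operational equivalent of the SCP half is to record the target's host key out of band (run `ssh-keygen -lf` on the backup host and compare the SHA256 fingerprint) before the first backup, rather than trusting whatever key answers on the network; the TLS half is to point the client at the CA that issued the backup target's certificate and never at a "skip verification" switch.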

References

Fixed version(s) and release notes:

  • VMware vCenter Server Appliance 6.7 Update 3a (6.7u3a)
  • VMware vCenter Server Appliance 6.5 Update 3d (6.5u3d)

Additional documentation:

  • KB75156, Enabling secure backup and restore in the vCenter Server Appliance: https://kb.vmware.com/s/article/75156

Rajesh Radhakrishnan
