VMware announces, patches critical flaw in its VDP backup product

Cloud computing technology provider VMware issued a security advisory Tuesday outlining three critical vulnerabilities in its vSphere Data Protection (VDP) backup and recovery product.

“A remote attacker could exploit these vulnerabilities to take control of an affected system,” wrote the U.S. Computer Emergency Readiness Team in a warning sent out Tuesday afternoon by the National Cyber Awareness System. It advised all VMware customers to download and install the patches, which the company has publicly pushed.

VMware, part of the Dell Technologies family of companies did not say how many of their 500,000-plus customers use the affected VDP product.

The advisory doesn’t list when and how the vulnerabilities were discovered.

A spokesman for the company told CyberScoop by email they had no further details to offer.

VDP saves images of virtual machines that have spun up in an enterprise cloud environment so they can be easily restored in the event of a system crash or other service interruption. It also creates back-ups of application-specific data for apps including Microsoft Exchange, Microsoft SharePoint and Microsoft SQL Server. To do so, VDP is integrated with other VMware products and with the applications it services.

The three vulnerabilities are:

• An authentication bypass vulnerability, designated CVE-2017-15548. A completely unauthenticated malicious user can remotely bypass application authentication and gain unauthorized root access — the most privileged level of access there is — to the affected systems.

• An arbitrary file upload vulnerability, designated CVE-2017-15549. A remote authenticated malicious user with low privileges could upload arbitrary maliciously crafted files into any location on the server file system.

• A path traversal vulnerability, designated CVE-2017-15550. A remote authenticated malicious user with low privileges could access arbitrary files on the server file system running the vulnerable application.

There are no mitigations or workarounds, the advisory states.

Last April, the company announced it was phasing out VDP. “We have received feedback that customers are looking to consolidate their backup and recovery solutions,” the company said in a statement at the time. “As a result, we are focusing our investments on vSphere Storage APIs.” Application Programming Interfaces are a way that different vendors’ products can be integrated with each other. The statement said this move would “strengthen the vSphere backup partner ecosystem that provides you with a choice of solution providers.”

VMware promised to support existing VDP customers for the time being — through 2020 for the owners of the most up to date products — including by patching and security upgrades.