Vigil@nce - VMware vSphere Data Protection: Man-in-the-Middle
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle of VMware vSphere Data
Protection, in order to obtain or manipulate sensitive data.
Impacted products: Avamar, VMware vSphere
Severity: 2/4
Creation date: 30/01/2015
DESCRIPTION OF THE VULNERABILITY
The VMware vSphere Data Protection product exchanges data with
vCenter Server, using a TLS session.
However, VDP does not correctly check the X.509 certificate
offered by vCenter Server.
An attacker can therefore act as a Man-in-the-Middle of VMware
vSphere Data Protection, in order to obtain or manipulate
sensitive data.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-vSphere-Data-Protection-Man-in-the-Middle-16088