Vulnerabilities > CVE-2016-7456 - Credentials Management vulnerability in VMWare Vsphere Data Protection

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

vmware

CWE-255

critical

nessus

metasploit

NVD

Published: 2016-12-29

Updated: 2017-01-03

Summary

VMware vSphere Data Protection (VDP) 5.5.x though 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.

Vulnerable Configurations

Part	Description	Count
Application	Vmware Vmware Vsphere Data Protection 5.8.2 Vmware Vsphere Data Protection 5.5.10 Vmware Vsphere Data Protection 6.1.0 Vmware Vsphere Data Protection 6.0.3 Vmware Vsphere Data Protection 6.0.1 Vmware Vsphere Data Protection 6.1.3 Vmware Vsphere Data Protection 5.5.7 Vmware Vsphere Data Protection 5.8.4 Vmware Vsphere Data Protection 5.5.11 Vmware Vsphere Data Protection 5.8.1 Vmware Vsphere Data Protection 6.1.1 Vmware Vsphere Data Protection 5.8.3 Vmware Vsphere Data Protection 5.5.6 Vmware Vsphere Data Protection 5.5.9 Vmware Vsphere Data Protection 6.0.0 Vmware Vsphere Data Protection 6.0.4 Vmware Vsphere Data Protection 6.1.2 Vmware Vsphere Data Protection 5.5.5 Vmware Vsphere Data Protection 5.5.1 Vmware Vsphere Data Protection 5.5.8 Vmware Vsphere Data Protection 6.0.2 Vmware Vsphere Data Protection 5.8.0	22

Common Weakness Enumeration (CWE)

CWE-255 - Credentials Management

Metasploit

description	VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
id	MSF:EXPLOIT/LINUX/SSH/VMWARE_VDP_KNOWN_PRIVKEY
last seen	2020-06-10
modified	2019-08-15
published	2017-01-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7456 https://www.vmware.com/security/advisories/VMSA-2016-0024.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
title	VMware VDP Known SSH Key

Nessus

NASL family	Misc.
NASL id	VMWARE_VMSA-2016-0024.NASL
description	The version of VMware vSphere Data Protection installed on the remote host is 5.5.x / 5.8.x / 6.0.x / 6.1.x. It is, therefore, affected by an authentication bypass vulnerability due to the use of an SSH private key that has a known password and which is configured to allow key-based authentication. A remote attacker can exploit this to gain root login access via an SSH session.
last seen	2020-06-01
modified	2020-06-02
plugin id	96338
published	2017-01-09
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/96338
title	VMware vSphere Data Protection Private SSH Key Authentication Bypass (VMSA-2016-0024)
code	#TRUSTED 48bbcb2daaaee15ce8dab0218a1e4903137c85c1e69e3604d1fefb4af34c029397c52581867dd448454a375b433f0f86d5f57523bb7c6a8527c7d5bad1da25c26365a5452fbc73bbc22f835a0c51b56892e48212b080367fb21942a9f83532cb9d004bac72165ff7d98ad890f37e187bc898d61cc38ecf84c5f91eb257c0db1420db9356149165dc138ac8177fc3c793283090adcddcd8d84d8a0ebf489576dcbf5cc600ad750246001721883ddedab1009a8e01f9573f21169af5618699ecf5a83392aa3680964790e8b46aa85eae5a976469c9ea57c1fe1b48a10ccfaee1e039ee83ccf04725e6aa9fcd81e124ddbcff612c75e40d6a41b11183677820ec4972f3da29a14e8f2f9a4eec62992b14dd217b5ab60a1b40aa5729e8d6e098b30772130ea7624f134c69e6ed999790f06bcf9ed693bd517c8b7a7cfd331433c237ed6b3c26085c19f1836e004073563f9ecbff1bcb47c58c5d8c977cf46aa0895f6cd99006463ae90e5febfff10f7f6ed991716c6f231bae33e6bf8b520686519c32851c5a33521f21b203719f8381065223bacabf98bb3e3539a43c821f1a527748beba20190f0f8b60c9e910c10e9a3cc21cd1333a969ee72187501a810b09dc0275290fa44c1ef0f7838df3579eccf429236d24a218d01ed332934da48a50f7dc2651adbfffc09d1de716d41e7f8a2f9e5169ba189b3ca75b8b75633e2f6324 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96338); script_version("1.12"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2016-7456"); script_bugtraq_id(94990); script_xref(name:"VMSA", value:"2015-0024"); script_name(english:"VMware vSphere Data Protection Private SSH Key Authentication Bypass (VMSA-2016-0024)"); script_summary(english:"Checks the version of VMware vSphere Data Protection."); script_set_attribute(attribute:"synopsis", value: "A virtualization appliance installed on the remote host is affected by an authentication bypass vulnerability."); script_set_attribute(attribute:"description", value: "The version of VMware vSphere Data Protection installed on the remote host is 5.5.x / 5.8.x / 6.0.x / 6.1.x. It is, therefore, affected by an authentication bypass vulnerability due to the use of an SSH private key that has a known password and which is configured to allow key-based authentication. A remote attacker can exploit this to gain root login access via an SSH session."); script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2016-0024.html"); # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2147069 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e458ec43"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'VMware VDP Known SSH Key'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/20"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vsphere_data_protection"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/vSphere Data Protection/Version"); script_require_ports("Services/ssh", 22); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("ssh_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); app_name = "vSphere Data Protection"; version = get_kb_item_or_exit("Host/vSphere Data Protection/Version"); port = get_service(svc:'ssh', default:22, exit_on_fail:TRUE); vuln = FALSE; admin = FALSE; root = FALSE; dpnid = "-----BEGIN DSA PRIVATE KEY----- MIIBuwIBAAKBgQCWUMSv1kpW6ekyej2CaRNn4uX0YJ1xbzp7s0xXgevU+x5GueQS mS+Y+DCvN7ea2MOupF9n77I2qVaLuCTZo1bUDWgHFAzc8BIRuxSa0/U9cVUxGA+u +BkpuepaWGW4Vz5eHIbtCuffZXlRNcTDNrqDrJfKSgZW2EjBNB7vCgb1UwIVANlk FYwGnfrXgyXiehj0V8p9Mut3AoGANktxdMoUnER7lVH1heIMq6lACWOfdbltEdwa /Q7OeuZEY434C00AUsP2q6f9bYRCdOQUeSC5hEeqb7vgOe/3HN02GRH7sPZjfWHR /snADZsWvz0TZQuybs8dEdGh/ezGhiItCINFkVg7NvSXx85dMVsB5N9Ju0gDsZxW /d41VXYCgYBH0zIlb3lvioedyZj2mKF6fycnCZIeeDnL8wZtZPStRht6i4PFTCX1 Y/Ogw0L0bhuthOx+VTgICB87r0TmXElNUDLSncsxuw7pmHa669idUkv43CjeDkH0 kGFEHt4QA6/xw1Xq9oNpRJTo62ZsFmv0Pwp3uE7up8s0LW1O6fr+OwIVAKCJZ8nm UwIdhEc9aU7sBDTFijP+ -----END DSA PRIVATE KEY-----"; dpn_pub = "ssh-dss AAAAB3NzaC1kc3MAAACBAJZQxK/WSlbp6TJ6PYJpE2fi5fRgnXFvOnuzTFeB69T7Hka55BKZL5j4MK83t5rYw66kX2fvsjapVou4JNmjVtQNaAcUDNzwEhG7FJrT9T1xVTEYD674GSm56lpYZbhXPl4chu0K599leVE1xMM2uoOsl8pKBlbYSME0Hu8KBvVTAAAAFQDZZBWMBp3614Ml4noY9FfKfTLrdwAAAIA2S3F0yhScRHuVUfWF4gyrqUAJY591uW0R3Br9Ds565kRjjfgLTQBSw/arp/1thEJ05BR5ILmER6pvu+A57/cc3TYZEfuw9mN9YdH+ycANmxa/PRNlC7Juzx0R0aH97MaGIi0Ig0WRWDs29JfHzl0xWwHk30m7SAOxnFb93jVVdgAAAIBH0zIlb3lvioedyZj2mKF6fycnCZIeeDnL8wZtZPStRht6i4PFTCX1Y/Ogw0L0bhuthOx+VTgICB87r0TmXElNUDLSncsxuw7pmHa669idUkv43CjeDkH0kGFEHt4QA6/xw1Xq9oNpRJTo62ZsFmv0Pwp3uE7up8s0LW1O6fr+Ow== dpn@dpn41s"; if ( version =~ "^(5\.[58]\|6\.[01])([^0-9]\|$)" ) { sock_g = ssh_open_connection(); if (! sock_g) audit(AUDIT_SOCK_FAIL, port); admin_authkeys = ssh_cmd(cmd:"cat /home/admin/.ssh/authorized_keys"); root_authkeys = ssh_cmd(cmd:"cat /root/.ssh/authorized_keys"); if(dpn_pub >< admin_authkeys) admin = TRUE; if(dpn_pub >< root_authkeys) root = TRUE; ssh_close_connection(); } else audit(AUDIT_NOT_INST, app_name +" 5.5.x / 5.8.x / 6.0.x / 6.1.x "); if (admin \|\| root) { report = '\nThe following users have a compromised ssh key in their authorized_keys file : \n\n'; report += 'Users : '; if(admin) report += '\n - admin'; if(root) report += '\n - root'; report += '\n\nPrivate Key : \n\n' + dpnid + '\n\nPublic Key : \n' + dpn_pub + '\n'; security_report_v4(severity:SECURITY_HOLE, port:0, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

Packetstorm

data source	https://packetstormsecurity.com/files/download/143883/vmware_vdp_known_privkey.rb.txt
id	PACKETSTORM:143883
last seen	2017-08-22
published	2017-08-22
reporter	phroxvs
source	https://packetstormsecurity.com/files/143883/VMware-VDP-Known-SSH-Key.html
title	VMware VDP Known SSH Key

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Metasploit

Nessus

Packetstorm

References