VMware addresses vulnerability in vCenter Server
VMware vCenter Server 6.0 and VMware vCenter Server 5.5 running on any system are affected.
VMware has released updates that address a LDAP certificate validation vulnerability (CVE-2015-6932) in vCenter Server.
According to a Wednesday advisory, VMware vCenter Server 6.0 and VMware vCenter Server 5.5 running on any system should be replaced with version 6.0 update 1 and version 5.5 update 3, respectively. Versions 5.1 and 5.0 are not affected.
“VMware vCenter Server does not validate the certificate when binding to an LDAP server using TLS,” the advisory said. “Exploitation of this vulnerability may allow an attacker that is able to intercept traffic between vCenter Server and the LDAP server to capture sensitive information.”
A Wednesday SecurityTracker post explained that network traffic can be intercepted by a remote user who successfully executes a man-in-the-middle attack between the LDAP server and the target system.