VMware fixed 3 critical vulnerabilities in vSphere Data Protection (VDP)
VMware released three patches for vSphere Data Protection (VDP), affecting VDP versions 5.x, 6.0.x and 6.1.x. An attacker can exploit some of these vSphere Data Protection vulnerabilities to gain unauthorized root access to the affected systems. The three critical vulnerabilities are tracked as CVE-2017-15548, CVE-2017-15549, and CVE-2017-15550, and users should install the patches as soon as possible.
CVE-2017-15548
VDP contains an authentication bypass vulnerability. A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.
CVE-2017-15549
VDP contains a file upload vulnerability. A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.
CVE-2017-15550
VDP contains a path traversal vulnerability. A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.
Download the vSphere Data Protection security patch here.
Reference: VMware