vCAC Remote Console remote privilege escalation

LINK TO VMware Advisory VMSA-2014-0013

LINK to CVE-2014-8373

If you have a vCAC (or, under its new name, vRealize Automation, vRA) system on an untrusted network, you should read up on this. (Or, in truth, one could argue, if you have it at all in a production environment….)

VMware vCloud Automation Center has a remote privilege escalation vulnerability. This issue may allow an authenticated vCAC user to obtain administrative access to vCenter Server.

To be clear, this is not a broad virtual machine remote console (VMRC) issue, but an issue with how VMRC is implemented in vCAC/vRA. vSphere is not affected, and vCD is not affected. vRA 6.2 is not affected, as “connect using VMRC” is disabled. The workaround for the older versions is to disable this method.
