VMware VirtualCenter User Account Information Disclosure Vulnerability

Bugtraq ID:	30664
Class:	Design Error
CVE:	CVE-2008-3514
Remote:	Yes
Local:	No
Published:	Aug 12 2008 12:00AM
Updated:	Aug 25 2008 10:15PM
Credit:	Brett Moore of Insomnia Security
Vulnerable:	VMWare VirtualCenter 2.0.2 VMWare VirtualCenter 2.5 Update 1 VMWare VirtualCenter 2.5 VMWare VirtualCenter 2.0.2 Update 4 VMWare VirtualCenter 2.0.2 Update 3 VMWare VirtualCenter 2.0.2 Update 2 VMWare VirtualCenter 2.0.2 Update 1
Not Vulnerable:	VMWare VirtualCenter 2.5 Update 2 VMWare VirtualCenter 2.0.2 Update 5

VMware VirtualCenter User Account Information Disclosure Vulnerability

VMware VirtualCenter is prone to an information-disclosure vulnerability.

Successfully exploiting this issue may allow attackers to gain access to the user names of system accounts. Information obtained may aid in further attacks.

The following versions are affected:

- versions prior to VMware 2.5 Update 2
- versions prior to VMware 2.0.2 Update 5

VMware VirtualCenter User Account Information Disclosure Vulnerability

Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

VMware VirtualCenter User Account Information Disclosure Vulnerability

Solution:
The vendor released updates and an advisory. Please see the references for more information.

VMware VirtualCenter User Account Information Disclosure Vulnerability

References:

• VirtualCenter 2.0.2 Update 5 Release Notes (VMWare)
  
• VirtualCenter 2.5 Update 2 Release Notes (VMware)
  
• VMware Homepage (VMware)
  
• VMSA-2008-0012 Updated VirtualCenter addresses User Account Disclosure Vulnerabi (VMware Security Team )