News from VMware vSphere Data Protection
VMware has released a hotfix for vSphere Data Protection (VDP) to change a hard-coded SSH key that could allow remote attackers to gain root access to the virtual appliance. VDP is a disk-based backup and recovery product that runs as an open virtual appliance (OVA). It integrates with the VMware vCenter Server and provides centralized management of backup jobs for up to 100 virtual machines.
Lucian Constantin recently published an article on the VMware vSphere Data Protection fix. He also explained that the company fixed a stored cross-site scripting flaw in ESXi.
Read his complete article here.
According to a VMware support article, the vSphere Data Protection (VDP) appliance contains a static SSH private key with a known password. This key allows interoperability with EMC Avamar, a deduplication backup and recovery software solution, and is pre-configured on the VDP as an AuthorizedKey.
Here is the resolution recommended by VMware:
To change the default SSH keys:
- Download the 2147069_vdp-hotfix.zip file attached to this Knowledge Base article.
- Extract the 2147069_vdp-hotfix.zip file.
- Copy the vdphotfix.sh script file to the vSphere Data Protection appliance and place it in any directory, for example /root.
- Add execute permission to the vdphotfix.sh script file by running this command: chmod a+x vdphotfix.sh
- Run the vdphotfix.sh script by running this command: ./vdphotfix.sh
Note: This script will ask you to enter a passphrase. Provide any random suitable 6-9 character alphanumeric key.
“An attacker with access to the internal network may abuse this to access the appliance with root privileges and further to perform a complete compromise,” VMware said.
The company rates this vulnerability as critical and developed a hotfix that can be copied and executed on the appliance to change the default SSH keys and set a new password.
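After the hotfix has been applied, an administrator can confirm that the pre-configured key is really gone by comparing the fingerprints of every key in the appliance's authorized_keys file against the fingerprint of the known static key. The Python script below is an added example, not VMware's hotfix or any VMware tool; this article does not give the real static key's fingerprint, so a constructed placeholder key and a constructed sample authorized_keys file stand in for it.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", *(f"ecdsa-sha2-nistp{n}" for n in (256, 384, 521))}

def fingerprint(blob_b64: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: base64(sha256(raw blob)), '=' stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line: str):
    """Return (key_type, blob) or None for blank/comment lines; options such as
    from="10.0.0.0/8" may precede the key type, so scan for the first match."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            return tok, tokens[i + 1]
    return None

def audit(authorized_keys: str, blocklist: set) -> list:
    """Return [(line_no, key_type, fingerprint)] for each blocklisted key."""
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        if (parsed := parse_line(line)) is None:
            continue
        ktype, blob = parsed
        try:
            fp = fingerprint(blob)
        except ValueError:  # malformed base64 cannot authenticate anyone anyway
            continue
        if fp in blocklist:
            hits.append((n, ktype, fp))
    return hits

def fake_ed25519_blob(seed: int) -> str:
    """Constructed key blob in SSH wire format (len+type, len+32-byte key)."""
    pub = bytes((seed + i) % 256 for i in range(32))
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(raw).decode()

KNOWN_STATIC_KEY_FINGERPRINTS = {fingerprint(fake_ed25519_blob(1))}  # placeholder, real value not on this page
SAMPLE_AUTHORIZED_KEYS = (  # constructed sample; line 1 stands in for the pre-configured key
    'from="10.0.0.0/8" ssh-ed25519 ' + fake_ed25519_blob(1) + " static-key\n"
    "# operator key added later\n"
    "ssh-ed25519 " + fake_ed25519_blob(2) + " admin@example.invalid\n"
)
```

On a real appliance, read /root/.ssh/authorized_keys into `audit()` and replace the placeholder set with the fingerprint of the key the hotfix removes; an empty result after the hotfix is the expected outcome.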
How To Set Up and Configure vSphere Data Protection 6.1
There are a few things that need to be in order prior to beginning:
- Have an IP address handy to use when prompted by the wizard.
- Create a DNS entry ahead of time, and use nslookup to be sure that forward and reverse lookup are functioning correctly.
- Ensure enough capacity is available on the datastore where backups will reside.
- Determine how many appliances will be needed. A single VDP appliance can support up to 400 VMs, and up to 20 VDP appliances can be deployed in a single vCenter. Also consider the backup window: a single VDP appliance can back up eight virtual machines (VMs) simultaneously, and by using a few external proxies, up to 24 VMs can be backed up simultaneously.
Walk through the configuration wizard, selecting the following options:
- Job Type: Guest Images
- Data Type: Full Image
- Backup Sources: Select clusters, resources pools, or VMs
- Schedule: Create a schedule (for my example, I used Daily at 21:00)
- Retention Policy: Choose retention settings (7 dailies, 4 weeklies, 12 monthlies, and 1 yearly)
- Job Name: Name the job
- Ready to Complete: Review and hit Finish
Developing devices with hard-coded access credentials that users can’t change is a serious security weakness. Unfortunately, this was common practice in the past and vendors have been trying to clean up such mistakes from their devices for the past few years.
VMware also recently fixed a stored cross-site scripting vulnerability in its vSphere Hypervisor (ESXi) product. The flaw is rated as important.
“The issue can be introduced by an attacker that has permission to manage virtual machines through ESXi Host Client or by tricking the vSphere administrator to import a specially crafted VM,” the company said in an advisory. “The issue may be triggered on the system from where ESXi Host Client is used to manage the specially crafted VM.”
Some more information about VMware Data Protection:
Duncan Epping's website is always worth a visit:
“vSphere Data Protection (VDP) – install, configure, manage” from Vladan Seget
Follow the link to the VMware vSphere Data Protection Documentation:
“VMware vSphere Data Protection (VDP) Review” from Storage Review