Developers: VMware
Last Release Date: July 2010
Technology: Virtualization
The VMware vCenter platform increases operational efficiency by streamlining resource provisioning, application installation, and performance optimization.
2024: Vulnerability found in VMware products that allows seizing control of virtual infrastructure
In mid-September, FSTEC sent a warning about the discovery of a critical vulnerability in VMware vCenter Server and Cloud Foundation, BDU:2024-07209[1], which is rated 9.8 out of 10 on the CVSS scale. Products up to 7.0 U3s and up to 8.0 U3b are vulnerable; the defect has already been fixed in those releases. So far, there is no information about the existence of an exploit or about exploitation of the vulnerability on production ("combat") systems.
The vulnerability is a buffer overflow in heap memory that occurs when the DCERPC protocol is processed. That is, outsiders using a specially crafted packet of this protocol can interfere with the memory management system and cause the operating system to malfunction and execute arbitrary code. Moreover, the vulnerability can be exploited remotely.
"Previously, VMware products were quite widespread in Russian companies, and today the situation has hardly changed," Anton Kvardakov, deputy head of the department for technical protection of confidential information at Cloud Networks, explained to TAdviser. "This is due to the fact that replacing infrastructure solutions without stopping business is extremely problematic, and import substitution does not take place promptly in all companies. Threats that allow arbitrary code to be executed are always dangerous and can cause maximum damage to business: it is very difficult to predict exactly how a criminal can use them. Exploitation of such vulnerabilities can lead to a malfunction in workflows, up to a partial or complete shutdown of the business."
Ilnaz Gataullin, technical head of the MTS RED cyber attack monitoring and response center (SOC), also speaks about the gradual import substitution of VMware products.
"The BDU:2024-07209 vulnerability has a high level of criticality due to the ability to execute remote code on the vCenter server," he explained for TAdviser readers. "At the moment, there are no identified facts of exploitation of this vulnerability. However, it can only be a matter of time before enthusiasts develop an exploit (proof of concept, PoC) and place it in the public domain, for example, on GitHub. This can lead to sad consequences, since the compromise of the virtualization system allows you to fully control the virtual infrastructure, which in turn opens up possibilities including the removal of all virtual machines."
The danger of the discovered vulnerability is also recognized by Vladislav Kormishkin, a cyber security threat research analyst at R-Vision:
"The vulnerability allows attackers from any remote host that has network access to the vCenter server to overflow the buffer in heap memory. Under certain conditions, this can lead to the execution of remote commands on the server. This vulnerability has a critical level of danger (the base estimate of CVSS 3.0 is 9.8), since an attacker can use it to execute arbitrary commands and, as a result, gain full access to vCenter, as well as to the entire virtual infrastructure of the company."
Updating is the main way to fix this vulnerability, but not everyone is able to install the fixes provided by the developer right away. For such companies, FSTEC recommends the following compensating measures:
- use firewalls to restrict remote access;
- restrict access to the software from public networks (the Internet);
- reduce connectivity to vCenter by implementing IP whitelisting.
As an additional measure, you can use so-called virtual patching: a monitoring system watches the use of the DCERPC protocol and, if it detects an attempt to exploit the buffer overflow in vCenter by the signature of the vulnerability, blocks the transfer of that packet.
"In addition to installing a patch for vulnerable versions, the main recommendation for protecting virtual environments is to restrict network access to the server from a public network, since you can find servers that are open for external connections," Vladislav Kormishkin recommended to TAdviser readers. "In addition, it is extremely important to ensure the security of the vCenter: you can hide it behind a VPN connection, restrict access from external networks on the firewall, or determine a list of legitimate IP addresses for connecting to the system. The choice of protection method depends on the company's security policy and the company's approach to its layered protection."
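The version boundaries and FSTEC's compensating measures above can be combined into a quick triage of a vCenter inventory. This is an added example, not code from FSTEC, VMware or TAdviser; the host names, management network and allowlists are constructed, and it assumes that 7.0 U3s and 8.0 U3b are the first fixed releases and that update letters sort alphabetically.

```python
import ipaddress
import re

# Releases that contain the fix, per branch, as stated on this page.
FIXED = {"7.0": (3, "s"), "8.0": (3, "b")}
LABEL = re.compile(r"^(\d+\.\d+)(?:\s*U(\d+)([a-z]?))?$", re.IGNORECASE)

def patch_state(version):
    """Classify a label such as '7.0 U3q' as fixed, vulnerable or unknown."""
    m = LABEL.match(version.strip())
    if not m or m.group(1) not in FIXED:
        return "unknown"  # unparsable, or a branch this page does not cover
    update = int(m.group(2) or 0)        # bare '8.0' is treated as update 0
    letter = (m.group(3) or "").lower()  # 'U3' sorts before 'U3a' (assumed)
    return "fixed" if (update, letter) >= FIXED[m.group(1)] else "vulnerable"

def outside_mgmt(allowed, mgmt_nets):
    """Return allowlist entries not contained in an approved management net."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    def inside(cidr):
        src = ipaddress.ip_network(cidr, strict=False)
        return any(src.version == n.version and src.subnet_of(n) for n in nets)
    return [cidr for cidr in allowed if not inside(cidr)]

def triage(inventory, mgmt_nets):
    """Map each server name to (patch state, risky allowlist entries, action)."""
    result = {}
    for name, version, allowed in inventory:
        state, bad = patch_state(version), outside_mgmt(allowed, mgmt_nets)
        if state == "vulnerable":
            action = "restrict access, then patch" if bad else "patch"
        else:
            action = "verify version" if state == "unknown" else "ok"
        result[name] = (state, bad, action)
    return result

# Constructed sample inventory: (name, version label, firewall allowlist).
MGMT = ["10.20.0.0/24"]
INVENTORY = [
    ("vc-prod-01", "7.0 U3q", ["10.20.0.0/24"]),
    ("vc-dmz-01", "8.0 U3a", ["10.20.0.0/24", "0.0.0.0/0"]),
    ("vc-lab-01", "8.0 U3b", ["10.20.0.16/28"]),
    ("vc-old-01", "6.7 U3", ["10.20.0.0/24"]),
]

if __name__ == "__main__":
    for name, row in triage(INVENTORY, MGMT).items():
        print(name, *row)
```

Servers that are both unpatched and reachable from outside the management network come out as "restrict access, then patch", which matches the order in which the compensating measures and the update would be applied.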
2014: vCenter Support Assistant 5.5 plugin
On January 21, 2014, VMware released vCenter Support Assistant 5.5, a free plugin for VMware vCenter Server.
The purpose of the plugin is to assist in collecting diagnostic data on the VMware vSphere infrastructure and preparing a call to technical support.
Through the vSphere Client plugin, Support Assistant handles requests to technical support regardless of how the software was purchased: by subscription or per incident.
vCenter Support Assistant 5.5 has received new functionality related to the automation of the process of collecting and downloading data required by VMware technical support. Information generated by the diagnostic system is transmitted via HTTPS or FTP directly to VMware.
2013: New Component - VMware vCenter Log Insight
VMware vCenter Log Insight is a new log management product developed by VMware specifically for cloud technologies, the developer's press service said on June 24, 2013.
Direction
VMware vCenter Log Insight is designed specifically for log analysis and allows you to automatically manage, process, search, and consolidate data for system monitoring and troubleshooting. The product collects unstructured data from various components of the IT infrastructure, such as applications, firewalls, network devices, operating systems, storage systems, virtual machines, and hosts. VMware vCenter Log Insight supports streaming data, creating current state queries, and defining real-time schemas that can be freely converted to any format. In addition, VMware vCenter Log Insight has the performance and scalability to analyze and visualize multi-terabyte data.
"Dynamic virtual and cloud environments create large amounts of structured and unstructured data that needs to be analyzed and visible across IT infrastructure," said Ramin Sayar, VP and Director of Cloud Management at VMware. "With VMware vCenter Log Insight, we were able to take data analytics capabilities to the next level. Using the new product, IT administrators and project teams can receive operational reports on all generated data. Integrating VMware vCenter Log Insight with VMware vCenter Operations makes it easier to troubleshoot virtual and cloud environments."
Compliance
VMware vCenter Log Insight fully meets the needs of organizations operating in VMware environments. The product is compatible with VMware vSphere, which allows you to use installed dashboards and reports. VMware vCenter Log Insight integration with VMware vCenter Operations enables organizations to consolidate and analyze both structured and unstructured data for continuous process management. VMware vCenter Log Insight can be run directly from VMware vCenter Operations to determine the cause of the problem in the IT infrastructure. VMware vCenter Log Insight can also convert log data into KPIs that are sent to VMware vCenter Operations so that administrators can view detailed log information on a single dashboard.
Module
The product is delivered as a Virtual Appliance, has an intuitive graphical user interface, search and query panels, predefined report and dashboard forms.
2010: Updated VMware vCenter Licensing Model: VM Value Calculation
VMware introduced a new licensing model for the VMware vCenter family of products in July 2010. Now the cost of licenses will be calculated in relation to virtual machines, and not physical hardware. The move is logical as more companies move to a virtualization and cloud computing model, and virtual machines become the standard unit of measurement for infrastructure deployment. Therefore, when licensing is based on hardware, the license calculation is significantly complicated during the migration of the virtual machine to the data center.
This model provides the best balance between the cost of software and the benefits that the user ultimately receives. Thanks to the innovation, computing environments will no longer be tied to specific physical media - it will be possible to move them freely from one equipment to another, without additional costs. The new licenses will be available from September 1, 2010 only for VMware vCenter products.
To provide the full suite of solutions needed, VMware has expanded its software suite to help automate the management of dynamic virtualized systems.
- VMware vCenter Configuration Manager (formerly EMC Ionix Application Stack Manager and EMC Ionix Server Configuration Manager) - Ensures high levels of compatibility, avoids violations, or incorrect configuration changes by automating manual configuration settings on virtual and physical servers and desktops.
- VMware vCenter Application Discovery Manager (formerly EMC Ionix Application Discovery Manager) - Quickly and accurately maps application relationships, thereby facilitating application migrations, ensuring clear planning for infrastructure consolidation, and best virtualizing critical business applications.
Cost and availability
VMware vCenter products will be available in packages based on the number of virtual machines. Such licenses for VMware vCenter AppSpeed, VMware vCenter Chargeback and VMware vCenter Site Recovery Manager will be available from September 1, 2010, the new licensing model for VMware vCenter CapacityIQ will take effect in late 2010 - early 2011.
The cost of vCenter Application Discovery Manager and vCenter Configuration Manager products per virtual machine with basic configurations starts at $50,000.