Heads up! vCloud Automation Center remote privilege vulnerability

A few days ago, actually the same day vRealize Automation Center (vRA) 6.2 was released (2014-12-09), VMware published a security advisory (found here) for a critical vCloud Automation Center (vCAC) remote privilege escalation.

The advisory addresses a vulnerability in the VMware Remote Console (VMRC) feature, which is used to get virtual machine (VM) console access through vCenter Server. The vulnerability makes it possible for an authenticated vCAC user to obtain administrative access to the vCenter Server.

However, if vCloud Director (vCD) is used as a proxy to connect to vCenter Server you are not affected.


All vCAC 6.0 and 6.1 releases are affected, but not the newest vRA 6.2 release, which is good. To fix the issue you can either download and apply a patch that removes the “Connect (by) Using VMRC” option, or simply remove that action yourself, either from your blueprint or from the entitlements.

Use “Connect (by) Using RDP” for vCAC 6.0 and 6.1 VM management until a patch has been released by VMware.
