Recently, VMware released a patch for vSphere Data Protection (VDP). The hotfix replaces a hard-coded SSH key that could allow a remote attacker to gain unauthorised root access to the virtual appliance.
VDP is a VMware product that ships as an open virtual appliance (OVA). It integrates with VMware vCenter Server and provides centralised management of backup jobs for up to 100 virtual machines at a time.
VMware reports that the VDP appliance contains a static SSH private key with a known password. The company warns that an attacker who obtains this key could log in to the appliance with root privileges and fully compromise it.
VMware rates the vulnerability as critical. The hotfix it has released replaces the default SSH keys and resets the password to a new one.
Shipping devices with hard-coded access credentials is now recognised as a serious security weakness. Unfortunately, the practice was once common, and several vendors are still working to correct earlier mistakes of this kind.
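A hard-coded key of the sort described above has a telltale property: because it is baked into the appliance image, the identical public key turns up on every deployed instance. The following added example (my own check, not VMware's tooling or anything from the advisory) fingerprints the `authorized_keys` entries collected from several appliances and reports any key that recurs across hosts. The host names, the key material and the `authorized_keys` contents are constructed in the script for illustration; a real audit would feed it the files copied from the appliances.

```python
"""Flag SSH public keys that recur across multiple appliances.

A key baked into an appliance image is identical on every instance, so
the same fingerprint showing up on several hosts is a strong signal.
Added example, not VMware's code; all hosts and keys below are constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_public_key: bytes) -> str:
    """Build the base64 blob of an authorized_keys entry for a 32-byte Ed25519 key.

    Used here only to construct sample data; real keys come from the appliance.
    """
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(blob_b64: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) for each key line in an authorized_keys file.

    Options preceding the key type (e.g. from="10.0.0.5") are skipped by looking
    for the first token that looks like a key type. Options whose quoted value
    contains whitespace (e.g. command="ls -l") are not handled by this split.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                blob = parts[i + 1] if i + 1 < len(parts) else ""
                yield tok, blob, " ".join(parts[i + 2:])
                break


def shared_keys(hosts: dict) -> dict:
    """Map each fingerprint seen on more than one host to the hosts carrying it."""
    seen = defaultdict(list)
    for host, text in hosts.items():
        for _key_type, blob, _comment in parse_authorized_keys(text):
            if blob:
                seen[fingerprint(blob)].append(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}


# Constructed sample: one key baked into the image (present on every appliance)
# beside per-host keys an administrator added. Raw key bytes are placeholders.
BAKED_IN = make_ed25519_blob(b"\x01" * 32)
SITE_A = make_ed25519_blob(b"\x02" * 32)
SITE_C = make_ed25519_blob(b"\x03" * 32)
SAMPLE_HOSTS = {
    "vdp-01": "ssh-ed25519 " + BAKED_IN + " root@vdp-image\n"
              "ssh-ed25519 " + SITE_A + " admin@site-a\n",
    "vdp-02": "# root keys\nssh-ed25519 " + BAKED_IN + " root@vdp-image\n",
    "vdp-03": 'from="10.0.0.5" ssh-ed25519 ' + BAKED_IN + " root@vdp-image\n"
              "ssh-ed25519 " + SITE_C + " admin@site-c\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_HOSTS).items():
        print(fp, "present on", ", ".join(hosts))
```

The same fingerprint logic applies to host keys: if `ssh-keyscan` returns the same fingerprint for several appliances, the host key was shipped in the image as well and should be regenerated alongside the authorized keys.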
On Tuesday, VMware also fixed a stored cross-site scripting vulnerability in vSphere Hypervisor (ESXi), another of its products. The company rates that flaw as important.
According to the company, a specially crafted VM, once imported, can be used to gain unauthorised access, so it advises against importing VMs from untrusted sources.