VMware recently announced a fix for a critical directory traversal vulnerability in its VMware View desktop virtualization product.
"The vulnerability was discovered by Digital Defense, a security service provider," writes Threatpost's Michael Mimoso. "Senior vulnerability researcher Javier Castro said the company’s vulnerability research team discovered the flaw in some customers’ network scan results. ... The flaw was reported to VMware in September, and the update was released earlier this week for View Connection Server and View Security Server."
"While conducting a series of vulnerability tests on VMware View systems, DDI found that a guest user who had been granted access to specific files on a VM could prompt the VM to retrieve files that the user should not have access to," writes Network World's Brandon Butler. "Basically, external users had access to internal network files. This means a potential intruder could access file systems on a web server to access sensitive hashed passwords, for example. DDI found the directory traversal flaw in both a connection server and a security server running VMware View."
"In its advisory, VMware thanked Digital Defense for finding the vulnerability," writes The VAR Guy's DH Kass. "According to VMware, clients unable to apply the View patch are advised either to disable the View Security Server -- users can connect to the Connection Server through a VPN -- or to block directory traversal attacks with an intrusion detection/prevention system or an application firewall."
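As an added example (not code from the original article, VMware or Digital Defense), the following shows how the interim mitigation VMware describes, blocking traversal requests at an application firewall or catching them in log review, can be implemented: each request path is percent-decoded until stable (so double-encoded `..` is not missed), normalized, and flagged if it resolves outside the application root. The log lines and the `/portal/` root are constructed placeholders, not VMware View's real URL layout.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (placeholders, not real View traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2012:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Dec/2012:10:01:09 +0000] "GET /portal/../../../etc/passwd HTTP/1.1" 200 1893
10.0.0.7 - - [01/Dec/2012:10:01:15 +0000] "GET /portal/..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 7340
10.0.0.9 - - [01/Dec/2012:10:02:00 +0000] "GET /portal/%252e%252e/%252e%252e/secrets.txt HTTP/1.1" 404 221
10.0.0.5 - - [01/Dec/2012:10:02:30 +0000] "GET /portal/docs/../help.html HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so '%252e' is seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(path: str, root: str = "/portal/") -> bool:
    """True if the fully decoded, normalized request path leaves the app root."""
    decoded = decode_fully(path.split("?", 1)[0]).replace("\\", "/")
    normalized = posixpath.normpath(decoded)
    # normpath collapses "/portal/../../x" to "/x"; anything not under root escaped.
    return not (normalized + "/").startswith(root)


def scan_log(log_text: str, root: str = "/portal/") -> list:
    """Return the request paths that resolve outside the application root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group(1), root):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The in-root `docs/../help.html` request is intentionally not flagged, which is why checking the normalized result against the root is more reliable than matching the literal string `../`.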