CVE-2017-4947
📋 TL;DR
This CVE describes a remote code execution vulnerability in VMware vRealize Automation and vSphere Integrated Containers via insecure deserialization in Xenon. Attackers can exploit this to execute arbitrary code on affected appliances without authentication. Organizations running vulnerable versions of these VMware products are at risk.
💻 Affected Systems
- VMware vRealize Automation
- VMware vSphere Integrated Containers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the affected VMware appliance, allowing attackers to install persistent backdoors, steal credentials, pivot to other systems, and disrupt operations.
Likely Case
Remote code execution leading to data theft, service disruption, and lateral movement within the network.
If Mitigated
Limited impact if network segmentation and strict access controls prevent external access to vulnerable interfaces.
🎯 Exploit Status
Exploitation is straightforward due to public proof-of-concept code and the unauthenticated nature of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vRealize Automation 7.4 or later, vSphere Integrated Containers 1.3 or later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2018-0006.html
Restart Required: Yes
Instructions:
1. Download the appropriate patch from VMware's support portal.
2. Apply the patch following VMware's documentation.
3. Restart the affected services or appliance as required.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the Xenon service port (typically 8080/8443) to trusted management networks only.
Use firewall rules to block external access to port 8080/tcp and 8443/tcp on affected appliances.
🧯 If You Can't Patch
- Isolate affected systems from internet and untrusted networks using firewall rules.
- Implement strict network segmentation and monitor for suspicious activity targeting Xenon services.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of vRealize Automation or vSphere Integrated Containers against affected versions.
Check Version:
For vRealize Automation: Check the appliance management interface.
For vSphere Integrated Containers: Run the 'vic-machine version' command.
Verify Fix Applied:
Verify the version is updated to vRealize Automation 7.4+ or vSphere Integrated Containers 1.3+.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Xenon service
- Unexpected network connections from the appliance
Network Indicators:
- Traffic to Xenon service ports (8080/8443) from untrusted sources
- Suspicious payloads in HTTP requests
SIEM Query:
source="vmware-appliance" AND (dest_port=8080 OR dest_port=8443) AND suspicious_payload
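The SIEM query above is pseudo-syntax; the following is an added example (not from the advisory or VMware) of the same "untrusted source to a Xenon port" check run over constructed connection-log lines. The key=value log format and the trusted management network 10.10.0.0/24 are assumptions to be replaced with your own.

```python
import ipaddress
from collections import namedtuple

# Xenon service ports named in the advisory.
XENON_PORTS = {8080, 8443}

# Trusted management networks (assumed placeholder; replace with your own ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

Finding = namedtuple("Finding", "src dst dport method")


def is_trusted(src_ip):
    """True if src_ip falls inside a trusted management network.
    Unparsable addresses are treated as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_record(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def find_untrusted_xenon_access(lines):
    """Return a Finding for every connection to a Xenon port from an untrusted source."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            continue  # malformed port field: skip rather than crash the job
        if dport not in XENON_PORTS or is_trusted(rec.get("src", "")):
            continue
        findings.append(Finding(rec.get("src"), rec.get("dst"), dport, rec.get("method", "-")))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "src=10.10.0.5 dst=10.10.1.20 dport=8443 method=GET",    # trusted mgmt host
    "src=203.0.113.7 dst=10.10.1.20 dport=8443 method=POST", # untrusted -> flagged
    "src=198.51.100.9 dst=10.10.1.20 dport=22 method=-",     # not a Xenon port
    "src=203.0.113.7 dst=10.10.1.20 dport=8080 method=POST", # untrusted -> flagged
    "src=203.0.113.8 dst=10.10.1.20 dport=abc method=POST",  # malformed, skipped
]

if __name__ == "__main__":
    for f in find_untrusted_xenon_access(SAMPLE_LOGS):
        print(f"ALERT {f.src} -> {f.dst}:{f.dport} ({f.method})")
```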
🔗 References
- http://www.securityfocus.com/bid/102852
- http://www.securitytracker.com/id/1040289
- http://www.securitytracker.com/id/1040290
- https://www.vmware.com/security/advisories/VMSA-2018-0006.html