July 2, 2019 FN21
A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter.
This vulnerability could expose the Cohesity user credentials configured to access vCenter. Exposure is limited to vCenter-only environments that have strict TLS certificate requirements.
To remediate the vulnerability, Cohesity recommends upgrading to Cohesity DataPlatform 6.1.1e or above. Customers currently on release 6.1.1c or above are not vulnerable to this issue and can disregard this notice.
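As an added illustration of the defect class this notice describes (it is not Cohesity's code), the Python below contrasts a TLS client context that accepts any certificate vCenter presents with one that validates the chain and hostname, and adds an audit helper that reports the settings leaving a client open to a forged certificate; the vCenter hostname is a placeholder.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed placeholder; replace with the real vCenter FQDN when used.
VCENTER_HOST = "vcenter.example.internal"


def unverified_context() -> ssl.SSLContext:
    """Client context that skips chain and hostname checks: the vulnerable shape."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, forged or not, is accepted
    return ctx


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context requiring a chain to a trusted CA and a subject matching the host.

    ca_bundle may point at the PEM file of the CA that issued the vCenter
    certificate; when None, the system trust store is used.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings that would let the client accept a forged server certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate subject is not matched to the host")
    return findings


def fetch_vcenter_cert(host: str, port: int = 443,
                       ctx: Optional[ssl.SSLContext] = None) -> Dict:
    """Connect with a verifying context and return the validated peer certificate.

    A forged or untrusted certificate raises ssl.SSLCertVerificationError here
    instead of silently succeeding, which is the behaviour the fix restores.
    """
    ctx = ctx or verified_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()), ("verified", verified_context())):
        print(name, audit_tls_context(ctx) or "ok")
```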
Software downloads are available here: http://downloads.cohesity.com
If you have any questions, please reach out to Cohesity Support.
Email: support@cohesity.com
Missing SSL Certificate Validation
Cohesity, Inc
Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 5.x, 6.x prior to 6.1.1c. This is remediated in versions 6.1.1c and 6.2.
vCenter communications.
Remote
True
To exploit the vulnerability, someone must be able to present the Cohesity cluster with a forged vCenter TLS certificate.
True
Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researcher Thorsten Tuellmann who identified the vulnerability and participated in its responsible disclosure.