About VMSA, CVE, CVSS and more

A while back I was alerted to something remarkable regarding the VMware security bulletins. But let me first provide some background on these bulletins.

VMware regularly publishes VMware Security Advisories, also known as VMSAs.

Fig. 1 – Example VMSA

As VMware states: “VMware Security Advisories document remediation for security vulnerabilities that are reported in VMware products”. The bulletins are created by the VMware Security Response Center (VSRC). The VSRC works closely with customers and security researchers on the analysis and remediation of security issues within VMware products. After validating a report, the VSRC works with VMware R&D on providing solutions. Once an issue has been remediated, a VMSA is released.
If you don’t receive notifications on the release of new VMSAs, on this page (or here) you can sign up for the Security Advisories and find more information.

The latest security advisories can be found on this page. A comprehensive overview over the past years can be found here.

VMware Security Advisories (example) have a fixed format and besides a unique Advisory ID (year plus a sequence number) contain six sections: Impacted products, Introduction, an overview of the vulnerabilities, References, Change log and a Contact section.

Advisories are sometimes updated; in that case the Advisory ID is extended with a dot and a number, see Fig. 1: VMSA-2019-0010.3. The Change log section shows the details of the updates.

Section 3 is the most informative, as it contains a description, known attack vectors, resolutions, workarounds and a very practical matrix where all information converges. Some vulnerabilities don’t affect all versions of a product (e.g. ESXi); the matrix shows at a glance which versions are vulnerable and, if applicable, which is the fixed version and which workarounds are available.

One will also notice that most vulnerabilities contain a CVE identifier and a CVSSV3 value.

CVE identifiers, like CVE-2019-5521, are published on https://cve.mitre.org by the Mitre Corporation, an American not-for-profit organization. It manages federally funded research and development centers (FFRDCs) supporting several U.S. government agencies.
The CVE system (Common Vulnerabilities and Exposures) is a list of entries (each containing an identification number, the CVE identifier, a description, and at least one public reference) for publicly known cybersecurity vulnerabilities. “CVE identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.”

You may have noticed that CVE information can also be found (example) on https://nvd.nist.gov which is the National Vulnerability Database (NVD) from the U.S. government. The CVE List feeds NVD, which then builds upon the information included in CVE Entries to provide enhanced information for each entry such as fix information, severity scores, and impact ratings. As part of its enhanced information, NVD also provides advanced searching features such as by OS; by vendor name, product name, and/or version number; and by vulnerability type, severity, related exploit range, and impact.

The CVSSV3 value refers to the Common Vulnerability Scoring System (CVSS), an open standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. The system has undergone several revisions since its introduction and is currently at version 3.1, hence the V3 in CVSSV3. This page provides a good introduction to the scoring system, as well as some calculators. The Severity ratings run from 0 (None) to 10 (Critical).

Back to the introduction of this post. As you know, besides all kinds of products, VMware has also released Photon OS, VMware’s own Linux container host which can run on various platforms, ranging from Raspberry Pi to the major Cloud platforms. Photon OS is also the foundation of the vCenter Server Appliance (vCSA) 6.5 and up. Vulnerabilities affecting Photon OS are not published in VMSA bulletins, with one exception: VMSA-2016-0012.
For vCSA 6.5 and newer, fixes for the Photon OS come as part of upgrades or patches. Luckily, there is one page where you can get an overview of the Photon OS vulnerabilities related to the CVE database, see here.

For all other VMware products, the VMSA bulletins will be your guide.

More information on VMware product Security can be found in this nice Technical Whitepaper.

As always, I thank you for reading.
