VMware vSphere Data Protection 5.5.x/5.8.x/6.0.x/6.1.x SSH Key credentials management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.1 | $0-$5k | 0.00 |
Summary
A vulnerability categorized as critical has been discovered in VMware vSphere Data Protection 5.5.x/5.8.x/6.0.x/6.1.x. It affects an unknown function of the SSH Key component and results in a credentials management weakness. This vulnerability is known as CVE-2016-7456. The attack can be launched remotely. No exploit is available. Applying a patch is advised to correct this issue.
Details
A vulnerability classified as critical was found in VMware vSphere Data Protection 5.5.x/5.8.x/6.0.x/6.1.x (Virtualization Software). Affected is an unknown functionality of the SSH Key component. Manipulation with an unknown input leads to a credentials management vulnerability. CWE classifies the issue as CWE-255. It impacts confidentiality, integrity, and availability. CVE summarizes:
VMware vSphere Data Protection (VDP) 5.5.x through 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session.
The bug was discovered on 12/20/2016. The weakness was published on 12/20/2016 by Marc Strobel as VMSA-2016-0024, a confirmed advisory (Website). The advisory is available for download at vmware.com. The public release was coordinated with the vendor. The vulnerability has been tracked as CVE-2016-7456 since 09/09/2016. The attack can be launched remotely. Successful exploitation requires authentication. Neither technical details nor an exploit are publicly available. The MITRE ATT&CK project lists the attack technique as T1552.
It is declared as highly functional. As a 0-day, the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 96338 (VMware vSphere Data Protection Private SSH Key Authentication Bypass (VMSA-2016-0024)), which helps determine whether the flaw exists in a target environment. It is assigned to the family Misc. and running in the context l. The commercial vulnerability scanner Qualys can test for this issue with plugin 87292 (vSphere Data Protection SSH Key-Based Authentication Vulnerability (VMSA-2016-0024)).
Applying a patch eliminates this problem. A possible mitigation was published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at Tenable (96338), SecurityFocus (BID 94990) and SecurityTracker (ID 1037502). Once again VulDB remains the best source for vulnerability data.
Product
Website
- Vendor: https://www.vmware.com/
CVSSv3
VulDB Meta Base Score: 9.3
VulDB Meta Temp Score: 9.1
VulDB Base Score: 8.8
VulDB Temp Score: 8.4
NVD Base Score: 9.8
Exploiting
Class: Credentials management
CWE: CWE-255
Physical: No
Local: No
Remote: Yes
Status: Highly functional
Nessus ID: 96338
Nessus Name: VMware vSphere Data Protection Private SSH Key Authentication Bypass (VMSA-2016-0024)
OpenVAS ID: 70063
OpenVAS Name: VMSA-2016-0024: vSphere Data Protection (VDP) updates address SSH Key-Based authentication issue (dpnid)
MetaSploit ID: vmware_vdp_known_privkey.rb
MetaSploit Name: VMware VDP Known SSH Key
Countermeasures
Recommended: Patch
Timeline
09/09/2016
12/20/2016
12/20/2016
12/20/2016
12/20/2016
12/20/2016
12/21/2016
12/29/2016
01/09/2017
04/24/2025
Sources
Vendor: vmware.com
Advisory: VMSA-2016-0024
Researcher: Marc Strobel
Status: Confirmed
CVE: CVE-2016-7456
GCVE (CVE): GCVE-0-2016-7456
GCVE (VulDB): GCVE-100-94620
SecurityFocus: 94990 - VMware vSphere Data Protection CVE-2016-7456 Authentication Bypass Vulnerability
SecurityTracker: 1037502
scip Labs: https://www.scip.ch/en/?labs.20060413
Entry
Created: 12/21/2016 09:57
Updated: 04/24/2025 03:58
Changes: 12/21/2016 09:57 (82), 07/12/2019 18:35 (5), 09/19/2024 10:28 (19), 04/24/2025 03:58 (2)