Reference: CERT-EU Security Advisory 2014-039

Title: VMware Security Advisories (VMSA-2014-0003)

Version history:
22.04.2014 Initial publication

Summary
=======

VMware vSphere Client updates address security vulnerabilities:

a. vSphere Client Insecure Client Download

vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link.

b. VMware vSphere Client spoofing vulnerability

VMware vSphere Client contains a vulnerability in the validation of the server security certificate. Exploitation of the issue may lead to vCenter server being spoofed. A user would have to be tricked into clicking a malicious link.

CVE-2014-1209
CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.6

CVE-2014-1210
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6

Vulnerable systems
==================

vSphere Client 5.1
vSphere Client 5.0
vSphere Client 4.1
vSphere Client 4.0

What can you do?
================

Apply updates [1].

More information
================

[1] http://www.vmware.com/security/advisories/VMSA-2014-0003.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1209
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1210

Best regards,
CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html