VMware ESXi busybox command injection vulnerability [CVE-2017-16544]

CVE number – CVE-2017-16544

VMware ESXi contains a command injection vulnerability due to its use of a vulnerable version of busybox that does not sanitize filenames, which may result in any escape sequence being executed in the shell. VMware has evaluated the severity of this issue to be in the Moderate severity range, with a maximum CVSSv3 base score of 6.7.

An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. 
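A defensive check for the condition described above, as an added example that is not part of the original post or of VMware's advisory: it lists file names that contain control characters (such as ESC) and prints them with those bytes replaced by `?`, so the listing itself is safe to display. It assumes a POSIX shell with `find` and `tr`; the function names are illustrative.

```shell
#!/bin/sh
# Added example (assumptions: POSIX sh, find and tr available; the function
# names are hypothetical and not part of busybox or ESXi).

# sanitize: copy stdin to stdout with every control byte replaced by '?',
# so a hostile name can be shown without the terminal acting on it.
sanitize() {
    LC_ALL=C tr '[:cntrl:]' '[?*]'
}

# has_ctrl NAME: succeed if NAME contains a control character.
has_ctrl() {
    [ "$(printf '%s' "$1" | sanitize)" != "$1" ]
}

# scan_names DIR: print the sanitized path of every entry under DIR whose
# name contains a control character. Returns 1 if any were found, else 0.
scan_names() {
    # -exec ... {} + hands paths over as arguments, so names that contain
    # newlines are still treated as one entry each.
    found=$(LC_ALL=C find "$1" -name '*[[:cntrl:]]*' -exec sh -c '
        for p do
            printf "%s" "$p" | LC_ALL=C tr "[:cntrl:]" "[?*]"
            echo
        done' sh {} +)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# When run as a script with a directory argument, scan that directory.
[ "$#" -eq 0 ] || scan_names "$1"
```

A clean result does not replace the fixed builds listed below; it only shows whether suspicious names are present in the directory that was scanned.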

To remediate CVE-2017-16544, update or upgrade to the versions listed below.

ESXi 6.7 – Fixed in version – ESXi670-201904101-SG

ESXi 6.5 – Fixed in version – ESXi650-201907101-SG

ESXi 6.0 – Fixed in version – ESXi600-201909101-SG

Fixed Version(s) and Release Notes:

ESXi 6.7 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u3-release-notes.html

ESXi 6.7 U2
Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html

ESXi 6.7 U1

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-671-release-notes.html

ESXi 6.5 U3
Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html

ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912

ESXi 6.0, Patch Release ESXi600-201807001 
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627

ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:

https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
