VMware ESXi busybox command injection vulnerability [CVE-2017-16544]
CVE number – CVE-2017-16544
VMware ESXi contains a command injection vulnerability caused by its use of a vulnerable version of busybox that does not sanitize filenames, which may result in any escape sequence being executed in the shell. VMware has evaluated the severity of this issue to be in the Moderate severity range, with a maximum CVSSv3 base score of 6.7.
An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file.
To remediate CVE-2017-16544, update or upgrade to the versions listed below.
ESXi 6.7 – Fixed in version – ESXi670-201904101-SG
ESXi 6.5 – Fixed in version – ESXi650-201907101-SG
ESXi 6.0 – Fixed in version – ESXi600-201909101-SG
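A check for the filename condition described above, added here as an example and not taken from VMware or the original advisory: it walks a directory tree, flags entries whose names contain terminal control bytes, and prints them with those bytes escaped so the report itself is safe to view. It assumes Python 3 on the machine doing the check; the function names and the choice of flagged bytes (C0 controls and DEL) are this example's own.

```python
import os
import sys

# Bytes a terminal may act on instead of displaying: C0 controls
# (this includes ESC, 0x1b) and DEL. Assumption of this example;
# the advisory does not enumerate specific bytes.
_CONTROL = frozenset(range(0x20)) | {0x7F}


def has_control_bytes(name: bytes) -> bool:
    """True if the raw filename contains any control byte."""
    return any(b in _CONTROL for b in name)


def printable(name: bytes) -> str:
    """Render a raw filename using printable ASCII only.

    Control bytes, non-ASCII bytes and the backslash itself become \\xNN,
    so the output is unambiguous and cannot drive the viewer's terminal.
    """
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else "\\x%02x" % b
        for b in name
    )


def find_suspicious_names(root):
    """Return (directory, entry_name) byte pairs for flagged entries."""
    hits = []
    # Walking with a bytes path keeps names exactly as stored on disk,
    # including ones that are not valid UTF-8.
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for name in dirnames + filenames:
            if has_control_bytes(name):
                hits.append((dirpath, name))
    return hits


def main(argv):
    root = argv[1] if len(argv) > 1 else "."
    hits = find_suspicious_names(root)
    for dirpath, name in hits:
        print("%s/%s" % (printable(dirpath), printable(name)))
    return 1 if hits else 0  # non-zero exit when anything was flagged


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the directory to inspect as the only argument; a non-zero exit status means at least one flagged name was found.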
Fixed Version(s) and Release Notes:
ESXi 6.7 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=ESXI67U3
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u3-release-notes.html
ESXi 6.7 U2
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=742&downloadGroup=ESXI67U2
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-67u2-release-notes.html
ESXi 6.7 U1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI67U1&productId=742
https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-esxi-671-release-notes.html
ESXi 6.5 U3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI65U3&productId=614
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-esxi-65u3-release-notes.html
ESXi 6.5, Patch Release ESXi650-201806001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/55912
ESXi 6.0, Patch Release ESXi600-201807001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://kb.vmware.com/s/article/53627
ESXi 6.0, Patch Release ESXi600-201909001
Downloads and Documentation:
https://my.vmware.com/group/vmware/patch
https://docs.vmware.com/en/VMware-vSphere/6.0/rn/esxi600-201909001.html
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.