VMware Cloud Community
altonius_au
Enthusiast

Update Manager Security

Hi All,

I have a quick question regarding the security of the updates/patches that update manager uses.

Do you know if these updates are signed by VMware and then checked before they are deployed?

I can't remember the specifics but I recall some security discussions (not here) last year about OS updates that weren't being signed or checked allowing for dubious updates to be applied to servers and even outdated patches being reapplied to open up old security holes. (I think Microsoft (of all people) have adopted a correct methodology however Red Hat had problems with this....)

Does anyone know where I can get further information on Update Manager and how this process works? At the moment I am only focused on the VMware-based ESX(i) patches and not the Guest OS patches.

Cheers

Altonius

PS. Thanks to texiwill in advance as I'm sure there'll be some kind of response from you to do with this!! Your podcast is great!!


Jasemccarty
Immortal

The VMware Update Manager service uses Shavlik technology for getting its updates.

So if you are familiar with Shavlik's products (they wrote the Microsoft Baseline Security Analyzer engine for Microsoft), then you know that these updates are indeed valid.

Check this link: http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf

Page 8 talks about the whole process.

Cheers,

Jase McCarty

http://www.jasemccarty.com

Co-Author of VMware ESX Essentials in the Virtual Data Center

(ISBN:1420070274) from Auerbach


Jase McCarty - @jasemccarty
altonius_au
Enthusiast

Thanks Jase,

That's almost hit the nail on the head. Whilst I understand who Shavlik and VMware are, and their reputation, the unknown is still whether the updates are signed, and if update manager (and the esxupdate process) declines updates if they're not signed.

I have since found the article that outlines this:

http://voices.washingtonpost.com/securityfix/2008/07/holes_in_software_autoupdate_f_1.html

And the readme file for the exploit tool lists the below applications as not signing their updates; as you can see, some of these are large, reputable organisations who I would have thought would have the updating process all sorted out by now. This is why I am curious to understand how VMware handle their updates.

- Java plugin
- Winzip
- MacOS
- OpenOffice
- iTunes
- notepad++

from: http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

kirklarsen
VMware Employee

Hi,

Yes, patches downloaded through VMware Update Manager are digitally signed and verified. Patches will not be installed that fail the verification step. You can actually take apart a patch and look at the signatures or manually check the signature of a patch. The signatures are using gnupg. Here is one of the public keys: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4789B619

Best regards,

--Ksl

Kirk Larsen

Product Security Officer

VMware Inc.

altonius_au
Enthusiast
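The manual check Kirk describes, as an added example that is not part of the original thread or of VMware's tooling: a detached GnuPG signature over a patch bundle is verified in an isolated keyring, and the same check is shown rejecting a bundle that was altered after signing. It assumes GnuPG 2.1+ is on PATH and uses a throwaway key generated in a temporary directory in place of the VMware key (in practice you would import the key from the keyserver above and confirm its fingerprint); the "patch" payload is a constructed file.

```shell
#!/bin/sh
# Added example (not VMware's code). Verify a patch bundle against a detached
# gpg signature and treat anything other than GOODSIG as a rejected patch.

verify_patch() {
    # $1 = patch file, $2 = detached signature, $3 = GNUPGHOME holding the
    # trusted signing key. Returns 0 only when gpg reports a good signature.
    GNUPGHOME="$3" gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '
}

demo() {
    work=$(mktemp -d)
    keyring="$work/gnupg"
    mkdir -p "$keyring" && chmod 700 "$keyring"
    # Throwaway key standing in for the vendor's signing key (assumption).
    GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key 'demo-patch-signer' default default never \
        >/dev/null 2>&1
    # Constructed patch payload plus its detached signature.
    printf 'constructed ESX bulletin payload\n' > "$work/patch.bin"
    GNUPGHOME="$keyring" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --detach-sign --output "$work/patch.bin.sig" "$work/patch.bin"
    good=1; tampered=1
    # Intact bundle: expected to verify.
    verify_patch "$work/patch.bin" "$work/patch.bin.sig" "$keyring" && good=0
    # Bundle modified after signing: the old signature must no longer verify.
    printf 'appended after signing\n' >> "$work/patch.bin"
    verify_patch "$work/patch.bin" "$work/patch.bin.sig" "$keyring" && tampered=0
    GNUPGHOME="$keyring" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    # Success only if the intact file verified and the altered one was rejected.
    [ "$good" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

Anything that reports no GOODSIG line (missing signature, unknown key, altered file) is treated as a failed patch, which is the behaviour the thread asks about.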

Thanks Kirk, that was spot on what I was after.
