Hi All,
I have a quick question regarding the security of the updates/patches that update manager uses.
Do you know if these updates are signed by VMware and then checked before they are deployed?
I can't remember the specifics, but I recall some security discussions (not here) last year about OS updates that weren't being signed or checked, allowing dubious updates to be applied to servers and even outdated patches being reapplied to open up old security holes. (I think Microsoft (of all people) have adopted a correct methodology; however, Red Hat had problems with this....)
Does anyone know where I can get further information on update manager and how this process works. At the moment I am only focused on the VMware based ESX(i) patches and not the Guest OS patches.
Cheers
Altonius
PS. Thanks to texiwill in advance, as I'm sure there'll be some kind of response from you to do with this!! Your podcast is great!!
Hi,
Yes, patches downloaded through VMware Update Manager are digitally signed and verified. Patches will not be installed that fail the verification step. You can actually take apart a patch and look at the signatures or manually check the signature of a patch. The signatures are using gnupg. Here is one of the public keys http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4789B619
Best regards,
--Ksl
Kirk Larsen
Product Security Officer
VMware Inc.
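The manual check Kirk describes, as an added example that is not VMware's or Update Manager's own code: a POSIX shell script that verifies a detached GnuPG signature over a patch bundle and refuses to install anything that fails. To run offline it generates a throwaway key that stands in for the vendor's key (it is not VMware's 0x4789B619 key), builds a constructed "patch" file, and signs it. The bundle and signature file names, the `verify_patch`/`install_patch` functions and the sample payload are all assumptions made for the example. It needs GnuPG 2.1 or later.

```sh
#!/bin/sh
# Added example, not VMware's or Update Manager's own code: check a patch
# bundle's detached GnuPG signature and refuse to install on failure.
# A throwaway key is generated locally so the script runs offline; it stands
# in for the vendor's signing key and is NOT VMware's key.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# gpg with non-interactive options (GnuPG 2.1 or later)
gpgq() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Throwaway signer (constructed); record its fingerprint as the trusted one.
# With a real vendor key this fingerprint comes from an out-of-band source,
# not from the keyserver lookup itself.
gpgq --quick-generate-key 'Demo Patch Signer <signer@example.invalid>' default default never 2>/dev/null
TRUSTED_FPR=$(gpgq --with-colons --fingerprint | awk -F: '/^fpr/ { print $10; exit }')

# Constructed patch bundle and its detached signature
printf 'constructed ESX patch payload\n' > "$WORK/patch.tgz"
gpgq --detach-sign --output "$WORK/patch.tgz.sig" "$WORK/patch.tgz"

# Second constructed key that is NOT pinned as trusted. Plain 'gpg --verify'
# exits 0 for any key in the keyring, so a signature from this key must still
# be rejected by verify_patch below.
gpgq --quick-generate-key 'Rogue Signer <rogue@example.invalid>' default default never 2>/dev/null
gpgq --local-user 'rogue@example.invalid' --detach-sign \
    --output "$WORK/patch.tgz.rogue.sig" "$WORK/patch.tgz"

# verify_patch BUNDLE SIG: succeed only if SIG is a good signature over BUNDLE
# made by the trusted fingerprint. The VALIDSIG status line carries the
# signing key's fingerprint, which is pinned to TRUSTED_FPR.
verify_patch() {
    [ -f "$2" ] || return 1   # unsigned bundle: no signature file at all
    gpg --batch --quiet --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$TRUSTED_FPR"
}

# install_patch BUNDLE SIG: gate installation on verify_patch
install_patch() {
    if verify_patch "$1" "$2"; then
        echo "signature OK, installing $(basename "$1")"
        return 0
    fi
    echo "signature check FAILED, refusing to install $(basename "$1")" >&2
    return 1
}

install_patch "$WORK/patch.tgz" "$WORK/patch.tgz.sig"
```

The pinning step matters in practice: a keyserver lookup by short key ID (such as 0x4789B619) is a way to fetch a key, not a way to authenticate it, so compare the full fingerprint against one published by the vendor through a separate channel before treating that key as the trusted signer, and keep the verification keyring limited to that key.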
The VMware Update Manager service uses Shavlik technology for getting its updates.
So if you are familiar with Shavlik's products (they wrote the Microsoft Baseline Security Analyzer engine for Microsoft), then you know that these updates are indeed valid.
Check this link: http://www.vmware.com/pdf/vi3_vum_10_admin_guide.pdf
Page 8 talks about the whole process.
Cheers,
Jase McCarty
Co-Author of VMware ESX Essentials in the Virtual Data Center
(ISBN:1420070274) from Auerbach
Please consider awarding points if this post was helpful or correct
Thanks Jase,
That's almost hit the nail on the head. Whilst I understand who Shavlik and VMware are, and their reputation, the unknown is still whether the updates are signed, and if update manager (and the esxupdate process) declines updates if they're not signed.
I have since found the article that outlines this:
http://voices.washingtonpost.com/securityfix/2008/07/holes_in_software_autoupdate_f_1.html
And the readme file for the exploit tool lists the applications below as not signing their updates; as you can see, some of these are large, reputable organisations who I would have thought would have the updating process all sorted out by now. This is why I am curious to understand how VMware handle their updates.
- Java plugin
- Winzip
- MacOS
- OpenOffices
- iTunes
- notepad++
from: http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt
Hi,
Thanks Kirk, that was spot on what I was after.