The post said the vulnerability affects both the View connection server and the View security server and recommended that customers immediately update both servers to a fixed version of View.
Users who are not able to update their View servers are advised to use one of these options:
– Disable security server. This will prevent exploitation of the vulnerability over untrusted remote networks. To restore functionality for remote users, allow them to connect to the connection server via VPN.
– Block directory traversal attempts. You may be able to prevent exploits of this flaw by blocking traversal attacks with an intrusion protection system or application layer firewall.
The vulnerability was first reported to VMware in October by the vulnerability research team of Digital Defense Inc., a Texas-based digital risk auditing firm.
In the process of conducting a vulnerability test on VMware View systems, DDI found that a guest user who had been granted access to specific files on a virtual machine could prompt the VM to retrieve files that other users should not have access to, said Javier Castro, senior vulnerability researcher at DDI, in an interview with Computerworld.
A potential intruder could access file systems on a Web server to get hold of hashed passwords, he said.