VIRTUAL DESKTOP STRATEGIES

Pentera Finds Two Zero-Day Vulnerabilities in VMware vCenter, Exposing More Than 500,000 Companies Globally

Pentera | April 04, 2022

Pentera, the leader in Automated Security Validation (ASV), today announced its Pentera Labs team discovered two zero-day vulnerabilities. If exploited by threat actors, the critical attack path may result in the ability to disable, disrupt and destroy VMware vCenter managed environments in over 500,000 organizations globally.

The vulnerabilities were reported to VMware by Senior Security Researcher Yuval Lazar and released under CVE-2022-22948 and CVE-2021-22015 with a patch. Pentera Labs’ technical review of the vulnerabilities can be found here. The discovered vulnerabilities require immediate patching to prevent malicious actors from achieving remote access to vCenter and inflicting widespread damage on organizations.

Installed in thousands of organizations worldwide and managing some of their most critical assets and core systems, VMware vCenter Servers are a high-priority target for cybercriminals. Once vCenter is compromised, the ease and convenience it offers for managing virtualized hosts in enterprise environments play into the adversary’s hands, providing centralized access and widespread impact.

“As part of our daily work, we research the entire enterprise IT attack surfaces, including the exploitability of virtual workload environments such as vCenter and ESXi and discovered zero-day vulnerabilities,” said Alex Spivakovsky, VP of Research at Pentera. “We’re glad to have discovered and immediately disclosed these vulnerabilities to strengthen the defender community and have not seen evidence that malicious actors exploited it at this time.”

Pentera’s interest in VMware’s vCenter started because of previously reported vulnerabilities, increasing demand from customers and threats observed in the wild, most notably recent reports of a Python ransomware strain targeting ESXi. The team will continue to identify potential vulnerabilities within the platform that could affect businesses globally.

“Security readiness is not determined by a single vulnerability or the security team’s ability to discover and patch it. Our award-winning security validation platform autonomously emulates the entire cyberattack kill chain and provides peace of mind for security leaders facing a multitude of internal and external attacks.”

Pentera co-founder and CTO, Dr. Arik Liberzon


About Pentera
Pentera is the category leader for Automated Security Validation, allowing every organization to easily test the integrity of all cybersecurity layers, unfolding accurate, current security exposures at any moment, at any scale. Thousands of security professionals and service providers worldwide use Pentera to guide remediation and close security gaps before they are exploited.

Spotlight

VMware vSphere 6 continues to enhance the performance features and capabilities of the vSphere platform, making it the most robust and highest-performing cloud platform. vSphere 6 supports larger virtual machines and physical hosts to accommodate even the most demanding workloads. It also introduces several new features that reduce latency and increase throughput for network, storage, and compute. This paper first looks at the improvements made to VMware vCenter Server™, then to the core platform, storage, and network.


Other News
VMWARE

VMware Named a Leader in Three Unified Endpoint Management IDC MarketScape Vendor Assessments

VMware | June 17, 2022

VMware Inc., a leading innovator in enterprise software, today announced it has been positioned as a Leader in three recent IDC MarketScape reports related to the Unified Endpoint Management (UEM) space:

- IDC MarketScape: Worldwide Unified Endpoint Management Software 2022 Vendor Assessment
- IDC MarketScape: Worldwide Unified Endpoint Management Software for Apple Devices 2022 Vendor Assessment
- IDC MarketScape: Worldwide Unified Endpoint Management Software for Ruggedized/Internet of Things Device Deployments 2022 Vendor Assessment

The evaluated solution, VMware Workspace ONE, enables customers to automate management and security for all endpoints (including mobile, desktops, AR/VR, and mission-critical frontline devices) running any OS (including iOS/iPadOS, Android, Windows 10/11, macOS, Linux, and Chrome OS) and any app, across diverse use cases, all from an integrated digital workspace platform.

The UEM vendor assessment report states, “Workspace ONE addresses a broad range of device types and use cases across vertical industries, from traditional mobility management to modern Windows PC and Mac management and IoT device management. The UEM component of Workspace ONE is also part of a broader product portfolio from VMware's end-user computing group, including VMware Horizon desktop virtualization, endpoint and application analytics, and endpoint security based on technology acquired in the purchase of Carbon Black. VMware made a number of improvements and advancements in Workspace ONE in 2021, including augmented management capabilities for Apple's macOS devices, as well as Windows management.”

“As organizations evolve to support a hybrid workplace, they must establish an engaging and more secure experience across all devices. VMware Workspace ONE supports this mission by enabling customers to automate management of every device for any use case. This latest recognition from the IDC MarketScape reflects our continued drive to provide a single solution for our customers that can help IT secure a fully distributed workforce.”

Shankar Iyer, senior vice president and general manager, End-User Computing, VMware

To access an excerpt from the “IDC Marketscape: Worldwide Unified Endpoint Management Software 2022 Vendor Assessment” (doc #US48325122, May 2022), click here. An excerpt of the “IDC MarketScape: Worldwide Unified Endpoint Management Software for Apple Devices 2022 Vendor Assessment” (doc #US48325222, May 2022) report is available here. An excerpt of the “IDC MarketScape: Worldwide Unified Endpoint Management Software for Ruggedized/Internet of Things Device Deployments 2022 Vendor Assessment” (doc #US48325322, May 2022) report is available here.

About IDC MarketScape
IDC MarketScape vendor assessment model is designed to provide an overview of the competitive fitness of ICT (information and communications technology) suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each vendor’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of IT and telecommunications vendors can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective vendors.

About VMware
VMware software powers the world’s complex digital infrastructure. The company’s cloud, networking and security, and digital workspace offerings provide a dynamic and efficient digital foundation to customers globally, aided by an extensive ecosystem of partners. Headquartered in Palo Alto, California, VMware is committed to being a force for good, from its breakthrough innovations to its global impact.


VMWARE

Broadcom in Talks to Acquire Cloud Company VMware

VMware | May 23, 2022

Broadcom Inc. is in talks to acquire VMware Inc., the cloud-computing company backed by billionaire Michael Dell, according to people familiar with the matter, setting up a blockbuster tech deal that would vault the chipmaker into a highly specialized area of software.

The discussions are ongoing and there’s no guarantee they will lead to a purchase, said the people, who asked not to be identified because the matter isn’t public. VMware currently has a market valuation of about $40 billion. Assuming a typical premium, the potential deal price would be higher, though the terms under consideration couldn’t be learned.

Shares in VMware rose 15% in premarket trading on Monday, which would give the company a market value of about $46 billion. Broadcom, which has a valuation of about $222 billion, fell 2.4%.

The transaction would extend a run of acquisitions for Broadcom Chief Executive Officer Hock Tan, who has built one of the largest and most diversified companies in the chip industry. Software has been a key focus in recent years, with Broadcom buying CA Technologies in 2018 and Symantec Corp.’s enterprise security business in 2019.

A representative for VMware declined to comment. A representative for Broadcom wasn’t available for comment.

“Investors have been increasingly focused on Broadcom’s appetite for another strategic or platform enterprise software acquisition—especially given the recent compression in software valuation,” Wells Fargo analysts wrote after Bloomberg News’s report. “An acquisition of VMware would be considered as making strategic sense; consistent with Broadcom’s focus on building out a deepening enterprise infrastructure software strategy.”

Broadcom makes a wide range of electronics, with its products going into everything from the iPhone to industrial equipment. But data centers have become a critical source of growth, and bulking up on software gives the company more ways to target that market.

Broadcom was previously in talks to acquire SAS Institute Inc., a closely held software company valued at $15 billion to $20 billion. But those discussions ended last year without a deal.


VIRTUAL DESKTOP TOOLS

Flexxible IT and xFusion Partner to Enable More Affordable Hybrid Workspaces in the Enterprise

Flexxible I | June 18, 2022

Flexxible IT, the global leader of Desktop as a Service (DaaS) delivery and services, and xFusion Europe, a global provider of computing power infrastructure and services, are announcing today a strategic alliance in the European market. Flexxible IT and xFusion can deliver a fully redundant hardware-based hybrid workspace environment built on any end-user compute (EUC) vendor that includes an all-inclusive, pay monthly, fully managed hybrid infrastructure solution.

Flexxible IT combines its deep technical expertise, global industry knowledge, and best-in-class technology to deliver comprehensive and differentiated hybrid solutions. Partnering with xFusion furthers and supports Flexxible IT's focus on providing hybrid workspace solutions based on xFusion's hardware, offering a fast, simple way to deploy, analyze, automate, monitor, and manage hybrid workspaces in a multi-cloud scenario.

"Flexxible IT has been a leader in the DaaS space since 2008, and we are excited to partner with xFusion to enable this use case further," said Sebastian Prat, CEO, and Founder of Flexxible IT. "Our strategic relationship presents a cost-effective hybrid workspace solution to the market to enable customers to work from anywhere, with the best end-user experience and security."

"At xFusion, we strive to enable any digital transformation use case with our industry-leading compute and services. Combining xFusion's first-class hardware and Flexxible IT's outstanding technology stack and superb experience, we provide an affordable hybrid workspace solution perfect for any enterprise's end-user compute requirements."

Qin Feng, CEO of xFusion

About Flexxible IT
Flexxible IT is the future of hybrid working, where on-premises and cloud computing converge to enable virtual desktops and applications to run from anywhere. Flexxible IT has more than 700,000 managed users and is the leading DaaS Solution in Spain. For more information, visit www.flexxible.com.

About xFusion
xFusion is a leading global provider of computing power infrastructure and services. xFusion serves customers in 130 countries and regions, including 211 Fortune 500 companies, covering finance, carriers, Internet, transportation, and energy industries.


VIRTUAL DESKTOP TOOLS

O-RAN ALLIANCE Announces Its June 2022 Industry Summit, Progress of Its Global PlugFest Spring 2022 and a New Set of O-RAN Demos

O-RAN ALLIANCE | June 10, 2022

The O-RAN ALLIANCE invites all interested public to join its next industry summit to be held on June 29, 2022, as an open virtual event. The 2.5-hour session will bring:

- Latest updates from the O-RAN ALLIANCE leadership
- Updates from the O-RAN ecosystem on RAN openness, intelligence, cloudification, and testing and integration
- Live panel discussion: Accelerating industry adoption for large-scale commercialization

For more details and to join the event, please visit www.o-ran.org/events.

O-RAN Global PlugFest Spring 2022 in Progress

O-RAN ALLIANCE has been sponsoring its global PlugFests to enable efficient testing and integration for the O-RAN ecosystem. O-RAN Global PlugFest Spring 2022, first of the two PlugFests planned for this year, has been progressing at 3 venues:

- Auray OTIC and Security Lab is hosting 21 participants: Alpha Networks, Askey Computer, Calnex Solutions, Foxconn, Institute for Information Industry, Inventec, IP Infusion, ITRI, JPC connectivity, Keysight Technologies, Lions Technology, LITEON, MICAS, NKG, Pegatron, QCT, REIGN Technology, Rohde & Schwarz, Sageran, VIAVI Solutions and WNC.
- Telefonica, at European OTIC in Madrid, is hosting 6 participants: ADVA Optical Networking, Juniper Networks, Keysight Technologies, Precision Optical Transceivers, Ribbon and VIAVI Solutions.
- AT&T and DISH are hosting participants including Analog Devices, Anritsu, Calnex Solutions, Cisco, Fujitsu, HCL, IP Infusion, ITRI, Juniper Networks, Keysight Technologies, META, NSF ARA: Living Wireless Lab, NSF PAWR: AERPAW, NSF PAWR: Colosseum, PHYTunes, Rohde & Schwarz, VIAVI Solutions, VMware and Wind River; with assistance from AT&T Lab, NSF PAWR: COSMOS Lab, NSF PAWR: POWDER Lab and University of New Hampshire Interoperability Lab.

All venues aim to conclude the spring PlugFest by end of June 2022.

23 new demos of O-RAN technology at the O-RAN Virtual Exhibition

O-RAN ALLIANCE member companies have been progressing with their O-RAN based implementations.
Latest demonstrations will soon be available at the O-RAN Virtual Exhibition.

Newly added Intelligent RAN control demonstrations include:

- AirHop and VMware demonstrate how automation and programmability efficiently detect and remediate PCI collisions/confusions to optimize RAN performance. The proposal is a solution to current RAN frequency planning, conflict mitigation and optimization methods which are costly and time-consuming, slowing deployment of new services and decreasing performance of existing ones.
- Cellwize and VMware demonstrate how to bring programmability to any type of RAN deployment, including purpose-built RANs. As an example, we demonstrate how Cellwize’s rApp onboarded on VMware Centralized RIC optimizes EN-DC anchoring to maximize spectral usage in purpose-built RANs; leading to monetizable gains in performance.
- China Mobile and Lenovo demonstrate how video experience can be optimized using an xApp to predict the available bandwidth for a UE using the RIC and radio information reported over the E2 from the network and providing this predicted bandwidth to the Application Provider to adjust and optimize the video bitrate.
- Cohere and VMware demonstrate how using RAN programmability, operators can double mobile bandwidth without any changes to antennas, radio or devices. Using Cohere’s Spectrum Multiplier xApp powered by VMware Distributed RIC, now Services Providers can activate broadband in rural areas while avoiding costly changes in handsets or infrastructure.
- GDCNi demonstrates its RF product with high/middle/low transceiver power, performing interoperability testing with other vendors. GDCNi has rich RAN industrial experience and provides private RAN solutions for coal mines, ports, intelligent manufacturing, agriculture, and transportation, and helps to enrich the O-RAN ecosystem.
- Intel demonstrates SLA assurance demonstration with AI/ML-powered Network Slice Radio Resource Manager (NSRRM) xApp in an O-RAN RIC integrated with an Open, virtualized RAN. This demo shows operators the viability of offering revenue-generating business models with optimal radio resources.
- Polte and VMware demonstrate how to leverage RAN programmability to deliver precise sub-meter UE positioning. Using cellular as prime technology (as opposed to GPS or Wi-Fi), Polte’s xApp powered by VMware’s Near Real-time RIC offers global location indoors/outdoors, while lowering cost and extending battery life of the IoT asset tracker.
- Rimedo Labs demonstrates the complete integration of the Traffic Steering xApp into the open-source SD-RAN Near-Real-Time RIC from ONF. The solution highlights the opportunities to control the xApp via the policies through the A1 interface as defined by the O-RAN ALLIANCE, which enables manipulation of the behavior of the corresponding RRM algorithm based on the current strategy coming from the SMO.

Newly added Open RAN demonstrations include:

- ArrayComm demonstrates its 5G Distributed Small Cell in a 5G SA E2E network showing its high performance and stability testing with measured downlink and uplink throughputs. It includes white box O-DU, Fronthaul Gateway, and O-RU. The O-DU is a single box built with NXP LX2160A and LA1201 SoC.
- ArrayComm demonstrates its 5G Distributed Small Cell on a Marvell platform consisting of a Marvell CNF95O virtualized O-DU card combined with x86/Arm server, Fronthaul Gateway, and O-RU. This platform can be widely used in the capacity coverage improvement scenarios, and also can be easily deployed as distributed RAN or cloud RAN.
- China Mobile and Lenovo demonstrate a CaaS platform, which followed O-Cloud specs, and pico gNB BBU respectively to form a joint test solution. Hardware construction has been completed; the first call was made in June. 5G performance will be tested in a E2E environment in next stage.
- Comba showcases Open RAN Multi-band Remote Radio Unit with advanced technology that maintains a low power consumption level and better receiver sensitivity. The small form factor and improved Mean Time Before Failure performance contributes to optimized installation and maintenance cost. These features facilitate fronthaul integration with O-DU partners.
- Foxconn, Auray and Calnex demonstrate O-RAN S-Plane Performance Testing with Foxconn’s O-RU in Auray OTIC and Security lab with Calnex’s Paragon-neo. O-RAN.WG4.CONF.0 has recommended the S-Plane performance test and functional test to be mandatory for O-RU S-plane testing and therefore mandatory for O-RAN/OTIC O-RU Badging.
- Intel, Capgemini, AWS and others demonstrate a unified view of end-to-end 5G service orchestration from the network edge to the cloud. Demo highlights agility using service orchestration to support dynamic network slicing for new business and service capabilities - allowing continuous delivery of new services and features. It also demonstrates O-RAN Fronthaul (xRAN) Test as defined by O-RAN ALLIANCE, using a sample application created to execute test scenarios with features of the xRAN library and test external API.
- IS-Wireless showcases a Multi MNO scenario supported in the form of a Neutral Host. The end-to-end Open RAN network is deployable on any cloud in an automated manner as containers and supports both Open Fronthaul Split 7.2x and 3GPP split 2.
- LITEON demonstrates FlexFi indoor small cell system based on open interfaces (e.g. Open Fronthaul Interface) enabling a cost effective deployment at large scale. And we also demonstrate an O-RAN based intelligent RAN management and control solution-LiteNetics. In this Proof of Concept, we verified manage gNB via the Radio Intelligent Controller (RIC) with O1 interfaces. LITEON provides 5G products that meet customer needs.
- MICAS demonstrates two O-RAN Radio Unit solutions, with one sub-6 GHz indoor small cell and one mmW small cell. Both solutions feature O-RAN's open fronthaul interface technology and enable cost-effective large-scale deployment.
- Pegatron, Auray and Calnex demonstrate O-RAN Fronthaul Latency Testing with Pegatron’s O-DU/O-CU in Auray OTIC and Security lab with Calnex’s Paragon-X in network emulation mode. O-RAN.TIFG.E2E-Test.0 has recommended the xHaul latency to be mandatory for O-RAN E2E testing and therefore mandatory for O-RAN/OTIC Badging.
- Rohde & Schwarz and VIAVI Solutions jointly demonstrate O-RAN open fronthaul (OFH) conformance and 3GPP pre-conformance validation of a Foxconn O-RU at Auray Lab. The Foxconn O-RU is validated by VIAVI’s automated TM500 O-RU tester with R&S SMW200A vector signal generator, R&S FSVA3000 spectrum analyzer and the R&S VSE signal analysis software. The demonstration highlights a progressive test plan including functional, interoperability, conformance and performance testing, with a single point of control for the entire testbed.
- Spirent demonstrates its end-to-end Open RAN test solution enabling the ability to accomplish functional, interoperability, performance, and compliance testing with either a real or emulated UE. This demo walks through the architecture of the solution and gives an overview of the interface, reporting, and capabilities.
- Spirent demonstrates a flexible, scalable, high-performance solution for comprehensively testing the CU for compliance, functionality, performance, and capacity. This demo walks through the architecture and presents an overview of the interface, reporting, and capabilities through running a test in 5G SA mode (NSA is also available).
- Spirent demonstrates how O-DU is tested with multiple emulated O-RU to verify function, reliability of O-DU & test delay in fronthaul networks. A challenge for O-RAN is long-duration reliability testing. Streamblocks are usually sent once in 5G fronthaul testing. Spirent solution sends continuous traffic to emulate real-world network traffic.
- Deploying a complete Open vRAN network is a daunting task. VMware and Altiostar demonstrate how to greatly reduce this effort by combining the automation capabilities of Altiostar EMS and VMware Telco Cloud Platform RAN over Intel FlexRAN™ architecture.

About O-RAN ALLIANCE
The O-RAN ALLIANCE is a world-wide community of more than 300 mobile operators, vendors, and research & academic institutions operating in the Radio Access Network (RAN) industry. As the RAN is an essential part of any mobile network, the O-RAN ALLIANCE’s mission is to re-shape the industry towards more intelligent, open, virtualized and fully interoperable mobile networks. The new O-RAN specifications enable a more competitive and vibrant RAN supplier ecosystem with faster innovation to improve user experience. O-RAN based mobile networks at the same time improve the efficiency of RAN deployments as well as operations by the mobile operators. To achieve this, the O-RAN ALLIANCE publishes new RAN specifications, releases open software for the RAN, and supports its members in integration and testing of their implementations.

