Executive Summary
| Summary | |
|---|---|
| Title | VMware Movie Decoder, VMware Workstation, VMware Player, and VMware ACE resolve security issues. |
| Informations | |||
|---|---|---|---|
| Name | VMSA-2009-0012 | First vendor Publication | 2009-09-04 |
| Vendor | VMware | Last vendor Modification | 2009-09-04 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Several security issues resolved with the latest VMnc codec. The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package. Several vulnerabilities in the VMnc codec can be exploited to cause heap-based buffer overflows via specially crafted video files containing incorrect framebuffer parameters. For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed. VMware would like to thank Alin Rad Pop of Secunia Research and Will Dormann of the CERT/CC for reporting these issues and working with us on their remediation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0199 and CVE-2009-2628 to these issues. To remediate the above issues either install the stand alone movie decoder or update your product using the table below. |
Original Source
| Url : http://www.vmware.com/security/advisories/VMSA-2009-0012.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
| 50 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 3 | |
| Application | 1 | |
| Application | 4 | |
| Application | 4 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-09-16 | Name : VMware Products Multiple Vulnerabilities (Win) sep09 File : nvt/secpod_vmware_prdts_mult_vuln_win_sep09.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 57836 | VMware Workstation Movie Decoder VMnc Codec (vmnc.dll) Crafted AVI File Handl... |
| 57835 | VMware Workstation Movie Decoder VMnc Codec (vmnc.dll) Crafted Video File Han... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2009-0012.nasl - Type : ACT_GATHER_INFO |
| 2009-09-09 | Name : The remote host contains an application that is affected by multiple heap ove... File : vmware_vmnc_codec_653.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-11-27 13:28:42 |
|
| 2014-02-17 12:07:13 |
|
| 2013-12-14 21:19:31 |
|
