Executive Summary

This alert is flagged as containing a CWE/SANS TOP 25 Common Weakness Enumeration entry (CWE-134, Uncontrolled Format String; see the CWE table below).
Summary

Title: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues

Information
Name: VMSA-2010-0007
Vendor: VMware
First vendor publication: 2010-04-09
Last vendor modification: 2010-04-09
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A (no v3 score assigned)
Overall CVSS score: N/A
Base score: N/A   Environmental score: N/A
Impact subscore: N/A   Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10   Attack range: Network
CVSS impact score: 10   Attack complexity: Low
CVSS exploit score: 10   Authentication: None required

Note: this v2 vector is assigned to the advisory as a whole, not per CVE. Several of the issues below are local attacks (sections c and i) or require user interaction (sections a, b and e), so the severity of the individual CVEs is lower than this aggregate score suggests.

Detail

a. Windows-based VMware Tools Unsafe Library Loading vulnerability

A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.

In order for an attacker to exploit the vulnerability, the attacker would need to lure the user that is logged on a Windows Guest Operating System to click on the attacker's file on a network share. This file could be in any file format. The attacker will need to have the ability to host their malicious files on a network share.

VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS Security (http://www.acrossecurity.com) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1141 to this issue.

Steps needed to remediate this vulnerability:

Guest systems on VMware Workstation, Player, ACE, Server, Fusion:
- Install the remediated version of Workstation, Player, ACE, Server or Fusion.
- Upgrade VMware Tools in the virtual machine (virtual machine users will be prompted to upgrade).

Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5 and ESXi 4.0, 3.5:
- Install the relevant patches (the patch identifiers are listed in the original advisory and are not reproduced on this page).
- Manually upgrade VMware Tools in the virtual machine (virtual machine users will not be prompted to upgrade). Note that the VI Client will not show VMware Tools as out of date in the Summary tab. See http://tinyurl.com/27mpjo, page 80, for details.

b. Windows-based VMware Tools Arbitrary Code Execution vulnerability

A vulnerability in the way VMware executables are loaded allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.

In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a certain location on the Virtual Machine of the user. On most recent versions of Windows (XP, Vista) the attacker would need to have administrator privileges to plant the malicious executable in the right location.

Steps needed to remediate this vulnerability: see the remediation steps under section a above (section 3.a of the original advisory).

VMware would like to thank Mitja Kolsek of ACROS Security (http://www.acrossecurity.com) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1142 to this issue.

The product table referenced here (section 3.a, column 4, of the original advisory) lists which product version remediates the vulnerability where a solution is available; it is not reproduced on this page. The remediation steps are those given under section a above.

c. Windows-based VMware Workstation and Player host privilege escalation

A vulnerability in the USB service allows for a privilege escalation. A local attacker on the host of a Windows-based Operating System where VMware Workstation or VMware Player is installed could plant a malicious executable on the host and elevate their privileges.

In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a certain location on the host machine. On most recent versions of Windows (XP, Vista) the attacker would need to have administrator privileges to plant the malicious executable in the right location.

VMware would like to thank Thierry Zoller for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1140 to this issue.


d. Third party library update for libpng to version 1.2.37

The libpng libraries through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically, 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds pixels might display or process them, albeit presumably with benign results in most cases.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2042 to this issue.
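To make the masking requirement concrete, the following is an added example in C; it is not libpng code and is not part of the advisory. It computes the row width of each Adam7 interlace pass for a 1-bit image and clears the padding bits in the final byte of a pass row, which is what an application consuming such rows must do so that stale bits are never displayed or processed. The Adam7 pass geometry comes from the PNG specification; all function names and the sample row are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Adam7 interlace pass geometry from the PNG specification:
 * first x coordinate and x step for passes 1..7 (the y geometry is not
 * needed to reason about row widths). */
static const unsigned ADAM7_XSTART[7] = {0, 4, 0, 2, 0, 1, 0};
static const unsigned ADAM7_XSTEP[7]  = {8, 8, 4, 4, 2, 2, 1};

/* Width in pixels of a row belonging to interlace pass `pass` (1..7) of an
 * image `width` pixels wide; 0 when the pass has no pixels in this image. */
unsigned adam7_pass_width(unsigned width, int pass)
{
    unsigned xstart, xstep;
    if (pass < 1 || pass > 7 || width == 0)
        return 0;
    xstart = ADAM7_XSTART[pass - 1];
    xstep  = ADAM7_XSTEP[pass - 1];
    if (width <= xstart)
        return 0;
    return (width - xstart + xstep - 1) / xstep;  /* ceil((width - xstart) / xstep) */
}

/* Bytes needed to hold `width_px` pixels at 1 bit per pixel. */
size_t row_bytes_1bit(unsigned width_px)
{
    return ((size_t)width_px + 7) / 8;
}

/* Mask that keeps only the valid pixel bits in the final byte of a 1-bit row.
 * PNG packs pixels MSB-first, so a 13-pixel row uses the top 5 bits of its
 * second byte; the low 3 bits are padding and may hold stale data. */
uint8_t last_byte_mask_1bit(unsigned width_px)
{
    unsigned rem = width_px % 8;
    if (rem == 0)
        return 0xFF;                       /* row ends on a byte boundary */
    return (uint8_t)(0xFF << (8 - rem));   /* e.g. rem 5 -> 0xF8 */
}

/* Clear the padding bits at the end of a 1-bit row in place. Returns how
 * many set bits were cleared, i.e. how many stale bits the row carried. */
unsigned mask_row_1bit(uint8_t *row, unsigned width_px)
{
    size_t n = row_bytes_1bit(width_px);
    uint8_t mask, stale;
    unsigned cleared = 0;
    if (n == 0)
        return 0;
    mask  = last_byte_mask_1bit(width_px);
    stale = (uint8_t)(row[n - 1] & (uint8_t)~mask);
    row[n - 1] &= mask;
    while (stale) {                        /* count the bits we dropped */
        cleared += stale & 1u;
        stale >>= 1;
    }
    return cleared;
}

int main(void)
{
    /* Constructed sample: a 13-pixel pass row whose padding bits still hold
     * whatever the decoder's buffer contained (here all ones). */
    uint8_t row[2] = {0xAA, 0xFF};
    unsigned cleared = mask_row_1bit(row, 13);
    int p;

    printf("pass row widths for a 13-pixel image:");
    for (p = 1; p <= 7; p++)
        printf(" %u", adam7_pass_width(13, p));
    printf("\nlast byte after masking: 0x%02X (%u stale bits cleared)\n",
           row[1], cleared);
    return 0;
}
```

For a 13-pixel image every pass row width (2, 2, 4, 3, 7, 6, 13) leaves a partial final byte, which is why widths not divisible by 8 are the case the libpng notice calls out; the masking step is cheap and should be applied before any row is handed to display or analysis code.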

e. VMware VMnc Codec heap overflow vulnerabilities

The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.

Vulnerabilities in the decoder allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.

For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1564 and CVE-2009-1565 to these issues.

VMware would like to thank iDefense, Sebastien Renaud of VUPEN Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop of Secunia Research for reporting these issues to us.

To remediate the above issues either install the stand-alone movie decoder or update your product using the product table in the original advisory (not reproduced on this page).

g. Windows-based VMware authd remote denial of service

A vulnerability in vmware-authd could cause a denial of service condition on Windows-based hosts. The denial of service is limited to a crash of authd.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3707 to this issue.

h. Potential information leak via hosted networking stack

A vulnerability in the virtual networking stack of VMware hosted products could allow host information disclosure.

A guest operating system could send memory from the host vmware-vmx process to the virtual network adapter and potentially to the host's physical Ethernet wire.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-1138 to this issue.

VMware would like to thank Johann MacDonagh for reporting this issue to us.

i. Linux-based vmrun format string vulnerability

A format string vulnerability in vmrun could allow arbitrary code execution.

If a vmrun command is issued and processes are listed, code could be executed in the context of the user listing the processes.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-1139 to this issue.

VMware would like to thank Thomas Toth-Steiner for reporting this issue to us.
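The advisory does not publish vmrun's internals, so the following is an added illustration in C (not VMware code and not from the advisory) of the CWE-134 pattern behind a bug of this class: a process name obtained from the guest is passed as the format argument of snprintf, shown beside the hardened version that uses a fixed format string, plus a small triage check that flags names containing format directives for logging. All function names and the sample process names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Vulnerable pattern (CWE-134): the guest-supplied process name is used as
 * the format string itself. A name such as "%x%x%x" makes snprintf consume
 * arguments that were never passed, and "%n" writes to memory. Kept here
 * only to show the shape of the bug; never call it with untrusted input. */
int render_process_line_unsafe(char *out, size_t outlen, unsigned pid,
                               const char *name)
{
    int n = snprintf(out, outlen, "%u ", pid);
    int m;
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    m = snprintf(out + n, outlen - (size_t)n, name);   /* BUG: name is the format */
    if (m < 0 || (size_t)m >= outlen - (size_t)n)
        return -1;
    return 0;
}

/* Hardened pattern: the format string is a literal and the name is passed as
 * a "%s" argument, so directives inside it are copied verbatim. snprintf
 * bounds the write; truncation is reported rather than silently accepted. */
int render_process_line_safe(char *out, size_t outlen, unsigned pid,
                             const char *name)
{
    int n = snprintf(out, outlen, "%u %s", pid, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                     /* output did not fit */
    return 0;
}

/* Triage helper: true if `name` contains a conversion directive, i.e. a '%'
 * not immediately escaped as "%%". Useful for flagging suspicious process
 * names in logs; it is not a substitute for the fixed format string above. */
bool name_has_format_directive(const char *name)
{
    const char *p;
    for (p = name; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {             /* literal percent, skip the pair */
            p++;
            continue;
        }
        return true;                   /* '%' followed by a directive or end */
    }
    return false;
}

int main(void)
{
    /* Constructed sample names: one benign, one hostile. */
    const char *benign  = "vmtoolsd";
    const char *hostile = "%x%x%x%n";
    char line[64];

    render_process_line_safe(line, sizeof line, 1234, benign);
    printf("%s (directive: %s)\n", line,
           name_has_format_directive(benign) ? "yes" : "no");
    render_process_line_safe(line, sizeof line, 1235, hostile);
    printf("%s (directive: %s)\n", line,
           name_has_format_directive(hostile) ? "yes" : "no");
    return 0;
}
```

Both variants produce identical output for a benign name, which is why this class of bug survives ordinary testing; compiling with -Wformat-security (or -Werror=format-nonliteral) reports the unsafe call at build time.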

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2010-0007.html

CWE: Common Weakness Enumeration

  %    Id       Name
 36%   CWE-134  Uncontrolled Format String (CWE/SANS Top 25)
 27%   CWE-264  Permissions, Privileges, and Access Controls
 18%   CWE-200  Information Exposure
 18%   CWE-119  Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:7020
Title: Windows-based VMware Tools Unsafe Library Loading vulnerability
Description: VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share.
Family: unix
Class: vulnerability
Reference(s): CVE-2010-1141
Version: 5
Platform(s): VMWare ESX Server 3, VMWare ESX Server 3.5, VMWare ESX Server 4.0

CPE : Common Platform Enumeration

Type Description Count
Application 466
Application 25
Application 4
Application 2
Application 8
Application 1
Application 24
Application 19
Application 2
Application 55

ExploitDB Exploits

Date Description
2009-10-07 VMware Player and Workstation <= 6.5.3 'vmware-authd' Remote Denial of Ser...
2010-04-12 VMware Remote Console e.x.p build-158248 - format string vulnerability

OpenVAS Exploits

Date Description
2012-10-03 Name : Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-w...
File : nvt/glsa_201209_25.nasl
2012-04-16 Name : VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolv...
File : nvt/gb_VMSA-2010-0007.nasl
2011-08-09 Name : CentOS Update for libpng CESA-2010:0534 centos5 i386
File : nvt/gb_CESA-2010_0534_libpng_centos5_i386.nasl
2010-08-20 Name : CentOS Update for libpng10 CESA-2010:0534 centos3 i386
File : nvt/gb_CESA-2010_0534_libpng10_centos3_i386.nasl
2010-07-16 Name : RedHat Update for libpng RHSA-2010:0534-01
File : nvt/gb_RHSA-2010_0534-01_libpng.nasl
2010-05-12 Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2010-04-29 Name : VMware Authorization Service Denial of Service Vulnerability (Win) -Apr10
File : nvt/secpod_vmware_prdts_dos_vuln_win_apr10.nasl
2010-04-21 Name : Debian Security Advisory DSA 2032-1 (libpng)
File : nvt/deb_2032_1.nasl
2010-04-16 Name : VMware Products Multiple Vulnerabilities (Windows)
File : nvt/gb_vmware_prdts_mult_vuln_win01.nasl
2010-04-16 Name : VMware Products Tools Remote Code Execution Vulnerabilies (win)
File : nvt/gb_vmware_prdts_tools_code_exec_vuln_lin.nasl
2010-04-16 Name : VMware Products Tools Remote Code Execution Vulnerabilies (win)
File : nvt/gb_vmware_prdts_tools_code_exec_vuln_win.nasl
2010-04-16 Name : VMware Products USB Service Local Privilege Escalation Vulnerability (Win)
File : nvt/gb_vmware_prdts_usb_service_local_prv_esc_vuln_win.nasl
2010-04-16 Name : VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)
File : nvt/gb_vmware_prdts_vmx_info_disc_vuln_lin.nasl
2010-04-16 Name : VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Win)
File : nvt/gb_vmware_prdts_vmx_info_disc_vuln_win.nasl
2010-03-31 Name : Fedora Update for libpng FEDORA-2010-4616
File : nvt/gb_fedora_2010_4616_libpng_fc11.nasl
2010-03-31 Name : Mandriva Update for libpng MDVSA-2010:063 (libpng)
File : nvt/gb_mandriva_MDVSA_2010_063.nasl
2010-03-22 Name : Ubuntu Update for libpng vulnerabilities USN-913-1
File : nvt/gb_ubuntu_USN_913_1.nasl
2010-02-19 Name : Mandriva Update for totem MDVA-2010:063 (totem)
File : nvt/gb_mandriva_MDVA_2010_063.nasl
2009-10-22 Name : VMware Authorization Service Denial of Service Vulnerability (Win)
File : nvt/gb_vmware_authorization_service_dos_vuln_win.nasl
2009-10-13 Name : SLES10: Security update for libpng
File : nvt/sles10_libpng1.nasl
2009-10-11 Name : SLES11: Security update for libpng
File : nvt/sles11_libpng12-00.nasl
2009-10-10 Name : SLES9: Security update for libpng
File : nvt/sles9p5053577.nasl
2009-07-29 Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client)
File : nvt/suse_sa_2009_037.nasl
2009-06-30 Name : Gentoo Security Advisory GLSA 200906-01 (libpng)
File : nvt/glsa_200906_01.nasl
2009-06-23 Name : Fedora Core 9 FEDORA-2009-6603 (libpng)
File : nvt/fcore_2009_6603.nasl
2009-06-23 Name : Fedora Core 10 FEDORA-2009-6531 (libpng)
File : nvt/fcore_2009_6531.nasl
2009-06-23 Name : Fedora Core 11 FEDORA-2009-6506 (libpng)
File : nvt/fcore_2009_6506.nasl
2009-06-23 Name : Fedora Core 10 FEDORA-2009-6400 (mingw32-libpng)
File : nvt/fcore_2009_6400.nasl
2009-06-23 Name : Fedora Core 11 FEDORA-2009-5977 (mingw32-libpng)
File : nvt/fcore_2009_5977.nasl
0000-00-00 Name : Slackware Advisory SSA:2009-170-01 libpng
File : nvt/esoft_slk_ssa_2009_170_01.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
64127 VMware Multiple Products vmware-authd.exe Multiple Command \x25\x90 Sequence ...

63860 VMWare Multiple Products USB Service Host Privilege Escalation

63859 VMWare Tools Unsafe Library Loading Arbitrary Code Execution

63858 VMware Tools Malformed Executable Guest Arbitrary Code Execution

63615 VMware Workstation vmnc.dll Hextile Encoded AVI Handling Multiple Integer Tru...

63614 VMware Workstation vmnc.dll Hextile Encoded AVI Handling Heap-based Overflow

63607 VMware Fusion vmware-vmx Process Virtual Networking Stack Memory Disclosure

63606 VMware VIX API vmrun Utility Process List Format String Local Privilege Escal...

63605 VMware Remote Console (VMrc) Plugin Unspecified Format String

58728 VMware Multiple Products Authorization Service vmware-authd.exe Login Request...

54915 libpng 1-bit Interlaced Image Handling Memory Disclosure

libpng contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when libpng processes 1-bit interlaced images whose width is not divisible by 8, which will disclose uninitialized memory resulting in a loss of confidentiality.

Information Assurance Vulnerability Management (IAVM)

Date Description
2010-04-15 IAVM : 2010-A-0066 - Multiple Vulnerabilities in VMware Products
Severity : Category I - VMSKEY : V0023997

Snort® IPS/IDS

Date Description
2014-01-10 VMWare Remote Console format string code execution attempt
RuleID : 27658 - Revision : 3 - Type : BROWSER-PLUGINS
2014-01-10 VMWare Remote Console format string code execution attempt
RuleID : 27657 - Revision : 3 - Type : BROWSER-PLUGINS
2014-01-10 VMWare Remote Console format string code execution attempt
RuleID : 27656 - Revision : 4 - Type : BROWSER-PLUGINS
2014-01-10 VMWare authorization service user credential parsing DoS attempt
RuleID : 20058 - Revision : 4 - Type : SERVER-OTHER
2014-01-10 VMWare Remote Console format string code execution attempt
RuleID : 18097 - Revision : 14 - Type : BROWSER-PLUGINS

Nessus® Vulnerability Scanner

Date Description
2016-03-08 Name : The remote VMware ESX host is missing a security-related patch.
File : vmware_VMSA-2010-0007_remote.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-08.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0534.nasl - Type : ACT_GATHER_INFO
2012-10-01 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201209-25.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100714_libpng_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2011-09-21 Name : The remote VMware ESX host is missing a security-related patch.
File : vmware_VMSA-2010-0007.nasl - Type : ACT_GATHER_INFO
2010-07-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO
2010-07-16 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO
2010-04-15 Name : The remote host has a virtualization application affected by multiple vulnera...
File : vmware_multiple_vmsa_2010_0007.nasl - Type : ACT_GATHER_INFO
2010-04-12 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2032.nasl - Type : ACT_GATHER_INFO
2010-03-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_6_3.nasl - Type : ACT_GATHER_INFO
2010-03-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO
2010-03-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-063.nasl - Type : ACT_GATHER_INFO
2010-03-17 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-913-1.nasl - Type : ACT_GATHER_INFO
2009-10-06 Name : The remote openSUSE host is missing a security update.
File : suse_libpng-6324.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12444.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libpng-6326.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO
2009-06-28 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200906-01.nasl - Type : ACT_GATHER_INFO
2009-06-21 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2009-170-01.nasl - Type : ACT_GATHER_INFO
2009-06-19 Name : The remote Fedora host is missing a security update.
File : fedora_2009-6603.nasl - Type : ACT_GATHER_INFO
2009-06-19 Name : The remote Fedora host is missing a security update.
File : fedora_2009-6506.nasl - Type : ACT_GATHER_INFO
2009-06-19 Name : The remote Fedora host is missing a security update.
File : fedora_2009-6531.nasl - Type : ACT_GATHER_INFO
2009-06-16 Name : The remote Fedora host is missing a security update.
File : fedora_2009-6400.nasl - Type : ACT_GATHER_INFO
2009-06-16 Name : The remote Fedora host is missing a security update.
File : fedora_2009-5977.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2016-03-09 13:25:54
  • Multiple Updates
2014-05-10 17:22:08
  • Multiple Updates
2014-02-17 12:07:15
  • Multiple Updates
2013-12-14 21:19:31
  • Multiple Updates
2013-11-11 12:41:39
  • Multiple Updates