Executive Summary
Summary | |
---|---|
Title | VMware hosted products, vCenter Server and ESX patches resolve multiple security issues |
Information | |||
---|---|---|---|
Name | VMSA-2010-0007 | First vendor Publication | 2010-04-09 |
Vendor | VMware | Last vendor Modification | 2010-04-09 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability SubScore | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
a. Windows-based VMware Tools Unsafe Library Loading vulnerability

A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged-on user. This vulnerability is present only on Windows Guest Operating Systems.

In order for an attacker to exploit the vulnerability, the attacker would need to lure the user that is logged on to a Windows Guest Operating System to click on the attacker's file on a network share. This file could be in any file format. The attacker will need to have the ability to host their malicious files on a network share.

VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS Security (http://www.acrossecurity.com) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1141 to this issue.

Steps needed to remediate this vulnerability:

Guest systems on VMware Workstation, Player, ACE, Server, Fusion
- Install the remediated version of Workstation, Player, ACE, Server and Fusion.
- Upgrade tools in the virtual machine (virtual machine users will be prompted to upgrade).

Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
- Install the relevant patches (see below for patch identifiers).
- Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade). Note that the VI Client will not show that VMware Tools is out of date in the summary tab. Please see http://tinyurl.com/27mpjo page 80 for details.

b. Windows-based VMware Tools Arbitrary Code Execution vulnerability

A vulnerability in the way VMware executables are loaded allows for arbitrary code execution in the context of the logged-on user. This vulnerability is present only on Windows Guest Operating Systems.

In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a certain location on the Virtual Machine of the user. On most recent versions of Windows (XP, Vista) the attacker would need to have administrator privileges to plant the malicious executable in the right location.

Steps needed to remediate this vulnerability: See section 3.a.

VMware would like to thank Mitja Kolsek of ACROS Security (http://www.acrossecurity.com) for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1142 to this issue.

Refer to the previous table in section 3.a for what action remediates the vulnerability (column 4) if a solution is available. See above for remediation details.

c. Windows-based VMware Workstation and Player host privilege escalation

A vulnerability in the USB service allows for a privilege escalation. A local attacker on the host of a Windows-based Operating System where VMware Workstation or VMware Player is installed could plant a malicious executable on the host and elevate their privileges.

In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a certain location on the host machine. On most recent versions of Windows (XP, Vista) the attacker would need to have administrator privileges to plant the malicious executable in the right location.

VMware would like to thank Thierry Zoller for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1140 to this issue.

d. Third party library update for libpng to version 1.2.37

The libpng libraries through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically, 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds pixels might display or process them, albeit presumably with benign results in most cases.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2042 to this issue.

e. VMware VMnc Codec heap overflow vulnerabilities

The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand-alone package.

Vulnerabilities in the decoder allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.

For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1564 and CVE-2009-1565 to these issues.

VMware would like to thank iDefense, Sebastien Renaud of VUPEN Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop of Secunia Research for reporting these issues to us.

To remediate the above issues either install the stand-alone movie decoder or update your product using the table below.

g. Windows-based VMware authd remote denial of service

A vulnerability in vmware-authd could cause a denial of service condition on Windows-based hosts. The denial of service is limited to a crash of authd.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-3707 to this issue.

h. Potential information leak via hosted networking stack

A vulnerability in the virtual networking stack of VMware hosted products could allow host information disclosure. A guest operating system could send memory from the host vmware-vmx process to the virtual network adapter and potentially to the host's physical Ethernet wire.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-1138 to this issue.

VMware would like to thank Johann MacDonagh for reporting this issue to us.

i. Linux-based vmrun format string vulnerability

A format string vulnerability in vmrun could allow arbitrary code execution. If a vmrun command is issued and processes are listed, code could be executed in the context of the user listing the processes.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-1139 to this issue.

VMware would like to thank Thomas Toth-Steiner for reporting this issue to us.
Original Source
Url : http://www.vmware.com/security/advisories/VMSA-2010-0007.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
36 % | CWE-134 | Uncontrolled Format String (CWE/SANS Top 25) |
27 % | CWE-264 | Permissions, Privileges, and Access Controls |
18 % | CWE-200 | Information Exposure |
18 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:7020 | |||
Oval ID: | oval:org.mitre.oval:def:7020 | ||
Title: | Windows-based VMware Tools Unsafe Library Loading vulnerability | ||
Description: | VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-1141 | Version: | 5 |
Platform(s): | VMWare ESX Server 3 VMWare ESX Server 3.5 VMWare ESX Server 4.0 | Product(s): | |
ExploitDB Exploits
id | Description |
---|---|
2009-10-07 | VMware Player and Workstation <= 6.5.3 'vmware-authd' Remote Denial of Ser... |
2010-04-12 | VMware Remote Console e.x.p build-158248 - format string vulnerability |
OpenVAS Exploits
Date | Description |
---|---|
2012-10-03 | Name : Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-w... File : nvt/glsa_201209_25.nasl |
2012-04-16 | Name : VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolv... File : nvt/gb_VMSA-2010-0007.nasl |
2011-08-09 | Name : CentOS Update for libpng CESA-2010:0534 centos5 i386 File : nvt/gb_CESA-2010_0534_libpng_centos5_i386.nasl |
2010-08-20 | Name : CentOS Update for libpng10 CESA-2010:0534 centos3 i386 File : nvt/gb_CESA-2010_0534_libpng10_centos3_i386.nasl |
2010-07-16 | Name : RedHat Update for libpng RHSA-2010:0534-01 File : nvt/gb_RHSA-2010_0534-01_libpng.nasl |
2010-05-12 | Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002 File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl |
2010-04-29 | Name : VMware Authorization Service Denial of Service Vulnerability (Win) -Apr10 File : nvt/secpod_vmware_prdts_dos_vuln_win_apr10.nasl |
2010-04-21 | Name : Debian Security Advisory DSA 2032-1 (libpng) File : nvt/deb_2032_1.nasl |
2010-04-16 | Name : VMware Products Multiple Vulnerabilities (Windows) File : nvt/gb_vmware_prdts_mult_vuln_win01.nasl |
2010-04-16 | Name : VMware Products Tools Remote Code Execution Vulnerabilies (win) File : nvt/gb_vmware_prdts_tools_code_exec_vuln_lin.nasl |
2010-04-16 | Name : VMware Products Tools Remote Code Execution Vulnerabilies (win) File : nvt/gb_vmware_prdts_tools_code_exec_vuln_win.nasl |
2010-04-16 | Name : VMware Products USB Service Local Privilege Escalation Vulnerability (Win) File : nvt/gb_vmware_prdts_usb_service_local_prv_esc_vuln_win.nasl |
2010-04-16 | Name : VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux) File : nvt/gb_vmware_prdts_vmx_info_disc_vuln_lin.nasl |
2010-04-16 | Name : VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Win) File : nvt/gb_vmware_prdts_vmx_info_disc_vuln_win.nasl |
2010-03-31 | Name : Fedora Update for libpng FEDORA-2010-4616 File : nvt/gb_fedora_2010_4616_libpng_fc11.nasl |
2010-03-31 | Name : Mandriva Update for libpng MDVSA-2010:063 (libpng) File : nvt/gb_mandriva_MDVSA_2010_063.nasl |
2010-03-22 | Name : Ubuntu Update for libpng vulnerabilities USN-913-1 File : nvt/gb_ubuntu_USN_913_1.nasl |
2010-02-19 | Name : Mandriva Update for totem MDVA-2010:063 (totem) File : nvt/gb_mandriva_MDVA_2010_063.nasl |
2009-10-22 | Name : VMware Authorization Service Denial of Service Vulnerability (Win) File : nvt/gb_vmware_authorization_service_dos_vuln_win.nasl |
2009-10-13 | Name : SLES10: Security update for libpng File : nvt/sles10_libpng1.nasl |
2009-10-11 | Name : SLES11: Security update for libpng File : nvt/sles11_libpng12-00.nasl |
2009-10-10 | Name : SLES9: Security update for libpng File : nvt/sles9p5053577.nasl |
2009-07-29 | Name : SuSE Security Advisory SUSE-SA:2009:037 (dhcp-client) File : nvt/suse_sa_2009_037.nasl |
2009-06-30 | Name : Gentoo Security Advisory GLSA 200906-01 (libpng) File : nvt/glsa_200906_01.nasl |
2009-06-23 | Name : Fedora Core 9 FEDORA-2009-6603 (libpng) File : nvt/fcore_2009_6603.nasl |
2009-06-23 | Name : Fedora Core 10 FEDORA-2009-6531 (libpng) File : nvt/fcore_2009_6531.nasl |
2009-06-23 | Name : Fedora Core 11 FEDORA-2009-6506 (libpng) File : nvt/fcore_2009_6506.nasl |
2009-06-23 | Name : Fedora Core 10 FEDORA-2009-6400 (mingw32-libpng) File : nvt/fcore_2009_6400.nasl |
2009-06-23 | Name : Fedora Core 11 FEDORA-2009-5977 (mingw32-libpng) File : nvt/fcore_2009_5977.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2009-170-01 libpng File : nvt/esoft_slk_ssa_2009_170_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
64127 | VMware Multiple Products vmware-authd.exe Multiple Command \x25\x90 Sequence ... |
63860 | VMWare Multiple Products USB Service Host Privilege Escalation |
63859 | VMWare Tools Unsafe Library Loading Arbitrary Code Execution |
63858 | VMware Tools Malformed Executable Guest Arbitrary Code Execution |
63615 | VMware Workstation vmnc.dll Hextile Encoded AVI Handling Multiple Integer Tru... |
63614 | VMware Workstation vmnc.dll Hextile Encoded AVI Handling Heap-based Overflow |
63607 | VMware Fusion vmware-vmx Process Virtual Networking Stack Memory Disclosure |
63606 | VMware VIX API vmrun Utility Process List Format String Local Privilege Escal... |
63605 | VMware Remote Console (VMrc) Plugin Unspecified Format String |
58728 | VMware Multiple Products Authorization Service vmware-authd.exe Login Request... |
54915 | libpng 1-bit Interlaced Image Handling Memory Disclosure. libpng contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when libpng processes 1-bit interlaced images whose width is not divisible by 8, which will disclose uninitialized memory resulting in a loss of confidentiality. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2010-04-15 | IAVM : 2010-A-0066 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0023997 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | VMWare Remote Console format string code execution attempt RuleID : 27658 - Revision : 3 - Type : BROWSER-PLUGINS |
2014-01-10 | VMWare Remote Console format string code execution attempt RuleID : 27657 - Revision : 3 - Type : BROWSER-PLUGINS |
2014-01-10 | VMWare Remote Console format string code execution attempt RuleID : 27656 - Revision : 4 - Type : BROWSER-PLUGINS |
2014-01-10 | VMWare authorization service user credential parsing DoS attempt RuleID : 20058 - Revision : 4 - Type : SERVER-OTHER |
2014-01-10 | VMWare Remote Console format string code execution attempt RuleID : 18097 - Revision : 14 - Type : BROWSER-PLUGINS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0007_remote.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-08.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2012-10-01 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201209-25.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100714_libpng_on_SL3_x.nasl - Type : ACT_GATHER_INFO |
2011-09-21 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0007.nasl - Type : ACT_GATHER_INFO |
2010-07-28 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2010-07-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0534.nasl - Type : ACT_GATHER_INFO |
2010-04-15 | Name : The remote host has a virtualization application affected by multiple vulnera... File : vmware_multiple_vmsa_2010_0007.nasl - Type : ACT_GATHER_INFO |
2010-04-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2032.nasl - Type : ACT_GATHER_INFO |
2010-03-29 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_10_6_3.nasl - Type : ACT_GATHER_INFO |
2010-03-29 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO |
2010-03-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-063.nasl - Type : ACT_GATHER_INFO |
2010-03-17 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-913-1.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_libpng-6324.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12444.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_libpng-6326.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_libpng-devel-090624.nasl - Type : ACT_GATHER_INFO |
2009-06-28 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200906-01.nasl - Type : ACT_GATHER_INFO |
2009-06-21 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2009-170-01.nasl - Type : ACT_GATHER_INFO |
2009-06-19 | Name : The remote Fedora host is missing a security update. File : fedora_2009-6603.nasl - Type : ACT_GATHER_INFO |
2009-06-19 | Name : The remote Fedora host is missing a security update. File : fedora_2009-6506.nasl - Type : ACT_GATHER_INFO |
2009-06-19 | Name : The remote Fedora host is missing a security update. File : fedora_2009-6531.nasl - Type : ACT_GATHER_INFO |
2009-06-16 | Name : The remote Fedora host is missing a security update. File : fedora_2009-6400.nasl - Type : ACT_GATHER_INFO |
2009-06-16 | Name : The remote Fedora host is missing a security update. File : fedora_2009-5977.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2016-03-09 13:25:54 | |
2014-05-10 17:22:08 | |
2014-02-17 12:07:15 | |
2013-12-14 21:19:31 | |
2013-11-11 12:41:39 | |