Executive Summary

Summary
Title VMware hosted products and ESX patches resolve multiple security issues
Informations
Name VMSA-2010-0018 First vendor Publication 2010-12-02
Vendor VMware Last vendor Modification 2010-12-02
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

a. VMware Workstation, Player and Fusion vmware-mount race condition

The way temporary files are handled by the mounting process could result in a race condition. This issue could allow a local user on the host to elevate their privileges.

VMware Workstation and Player running on Microsoft Windows are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4295 to this issue.

VMware would like to thank Dan Rosenberg for reporting this issue.

b. VMware Workstation, Player and Fusion vmware-mount privilege escalation

vmware-mount which is a suid binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to execute arbitrary shared object files with root privileges.

VMware Workstation and Player running on Microsoft Windows are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4296 to this issue.

VMware would like to thank Martin Carpenter for reporting this issue.

c. OS Command Injection in VMware Tools update

A vulnerability in the input validation of VMware Tools update allows for injection of commands. The issue could allow a user on the host to execute commands on the guest operating system with root privileges.

The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4297 to this issue.

VMware would like to thank Nahuel Grisolia of Bonsai Information Security, http://www.bonsai-sec.com, for reporting this issue.

d. VMware VMnc Codec frame decompression remote code execution

The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.

A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.

For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4294 to this issue.

VMware would like to thank Aaron Portnoy and Logan Brown of TippingPoint DVLabs for reporting this issue.

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2010-0018.html

CWE : Common Weakness Enumeration

% Id Name
33 % CWE-362 Race Condition
33 % CWE-94 Failure to Control Generation of Code ('Code Injection')
33 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3
Application 3
Application 12
Application 6
Application 11
Application 3
Application 11

ExploitDB Exploits

id Description
2010-12-09 VMware Tools update OS Command Injection

OpenVAS Exploits

Date Description
2012-03-16 Name : VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple securi...
File : nvt/gb_VMSA-2010-0018.nasl
2010-12-13 Name : VMware Products Memory Corruption and Buffer Overflow Vulnerability (Win)
File : nvt/gb_vmware_prdts_mem_corruption_n_bof_vuln_win.nasl
2010-12-13 Name : VMware Products Multiple Local Privilege Escalation Vulnerabilities (Linux)
File : nvt/gb_vmware_prdts_mult_loc_prev_escl_vuln_lin.nasl
2010-12-13 Name : VMware Products Tools Local Privilege Escalation Vulnerability (Linux)
File : nvt/gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl
2010-12-13 Name : VMware Products Tools Local Privilege Escalation Vulnerability (Windows)
File : nvt/gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
69596 VMware Multiple Products VMnc Decoder Frame Decompression Memory Corruption

A memory corruption flaw exists in VMWare Movie Decoder, Workstation, and Player. The decoder frame decompression of the VMnc codec fails to sanitize user-supplied input resulting in heap memory corruption. With a specially crafted file or page, a context-dependent attacker can execute arbitrary code.
69590 VMware Tools Update Guest System Unspecified Arbitrary Command Injection

VMware Tools update contains an input validation flaw. This may allow a local attacker to execute commands on the guest operating system with root privileges.
69585 VMware Multiple Products vmware-mount Mounting Process Race Condition Privile...

VMware Workstation, Player, and Fusion contain a race condition flaw within the 'vmware-mount' utility when handling temporary files during the mounting process that may allow an attacker to gain access to unauthorized privileges. This may be exploited by a local attacker to gain elevated privileges and create files or directories.
69584 VMware Multiple Products vmware-mount Library Loading Arbitrary Code Execution

VMware Workstation, Player, and Fusion contain a flaw related to the 'vmware-mount' utility when loading libraries. This may allow a local attacker to execute arbitrary code with root privileges.

Information Assurance Vulnerability Management (IAVM)

Date Description
2010-12-09 IAVM : 2010-A-0168 - Multiple Vulnerabilities in VMware Products
Severity : Category II - VMSKEY : V0025835

Snort® IPS/IDS

Date Description
2016-04-14 VmWare Tools command injection attempt
RuleID : 38243 - Revision : 2 - Type : SERVER-WEBAPP
2016-04-14 VmWare Tools command injection attempt
RuleID : 38242 - Revision : 2 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2016-03-08 Name : The remote VMware ESX / ESXi host is missing a security-related patch.
File : vmware_VMSA-2010-0018_remote.nasl - Type : ACT_GATHER_INFO
2010-12-08 Name : The remote host has an application that is affected by a security issue.
File : macosx_fusion_2_0_8.nasl - Type : ACT_GATHER_INFO
2010-12-08 Name : The remote host has an application that is affected by three security issues.
File : macosx_fusion_3_1_2.nasl - Type : ACT_GATHER_INFO
2010-12-07 Name : The remote host has a virtualization application affected by multiple vulnera...
File : vmware_multiple_vmsa_2010_0018.nasl - Type : ACT_GATHER_INFO
2010-12-06 Name : The remote VMware ESX host is missing a security-related patch.
File : vmware_VMSA-2010-0018.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2016-03-09 13:25:54
  • Multiple Updates
2014-02-17 12:07:18
  • Multiple Updates
2013-12-14 21:19:32
  • Multiple Updates
2013-11-11 12:41:39
  • Multiple Updates