{"id": "OPENVAS:800005", "type": "openvas", "bulletinFamily": "scanner", "title": "VMware Tools Local Privilege Escalation Vulnerability (Linux)", "description": "The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.", "published": "2008-09-26T00:00:00", "modified": "2017-07-05T00:00:00", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=800005", "reporter": "Copyright (C) 2008 Greenbone Networks GmbH", "references": ["http://www.vmware.com/security/advisories/VMSA-2008-0009.html", "http://secunia.com/advisories/30556", "08-0093"], "cvelist": ["CVE-2007-5671"], "lastseen": "2017-07-20T08:49:49", "viewCount": 6, "enchantments": {"score": {"value": 5.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5671"]}, {"type": "gentoo", "idList": ["GLSA-201209-25"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201209-25.NASL", "VMWARE_MULTIPLE_VMSA_2008_0009.NASL", "VMWARE_VMSA-2008-0009.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231072459", "OPENVAS:1361412562310800004", "OPENVAS:1361412562310800005", "OPENVAS:72459", "OPENVAS:800004"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:19969", "SECURITYVULNS:VULN:9055"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2007-5671"]}, {"type": "vmware", "idList": ["VMSA-2008-0009", "VMSA-2008-0009.2"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2007-5671"]}, {"type": "gentoo", "idList": ["GLSA-201209-25"]}, {"type": "nessus", "idList": ["VMWARE_VMSA-2008-0009.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:800004"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2007-5671"]}, {"type": "vmware", "idList": ["VMSA-2008-0009.2"]}]}, "exploitation": null, "vulnersScore": 5.4}, "pluginID": "800005", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n# $Id: gb_vmware_tools_local_prv_esc_vuln_lin.nasl 6539 2017-07-05 12:02:14Z cfischer $\n#\n# VMware Tools Local Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2008 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could result in guest OS users to modify arbitrary\n memory locations in guest kernel memory and gain privileges.\n\n Issue still exists even if the host has HGFS disabled and has no shared\n folders.\n\n Impact Level : System\";\n\ntag_solution = \"Upgrade VMware Product(s) to below version,\n VMware Player 1.0.6 build 80404 or later\n www.vmware.com/download/player/\n\n VMware Server 1.0.5 build 80187 or later\n www.vmware.com/download/server/\n\n VMware Workstation 5.5.6 build 80404 or later\n www.vmware.com/download/ws/\";\n\ntag_affected = \"VMware Player 1.x - before 1.0.6 build 80404 on Linux\n VMware Server 1.x - before 1.0.5 build 80187 on Linux\n VMware Workstation 5.x - before 5.5.6 build 80404 on Linux\";\n\ntag_summary = \"The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.\";\n\ntag_insight = 
\"An input validation error is present in the Windows-based VMware HGFS.sys\n driver. Exploitation of this flaw might result in arbitrary code execution\n on the guest system by an unprivileged guest user. The HGFS.sys driver is\n present in the guest operating system if the VMware Tools package is loaded\n on Windows based Guest OS.\";\n\nif(description)\n{\n script_id(800005);\n script_version(\"$Revision: 6539 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 14:02:14 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2007-5671\");\n script_xref(name:\"CB-A\", value:\"08-0093\");\n script_name(\"VMware Tools Local Privilege Escalation Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2008 Greenbone Networks GmbH\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/30556\");\n script_xref(name : \"URL\" , value : \"http://www.vmware.com/security/advisories/VMSA-2008-0009.html\");\n exit(0);\n}\n\n# VMware Player\nplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(playerVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-5])?($|[^.0-9])\", string:playerVer)){\n security_message(0);\n }\n exit(0);\n}\n\n# 
VMware Server\nserverVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(serverVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?($|[^.0-9])\", string:serverVer)){\n security_message(0);\n }\n exit(0);\n}\n\n# VMware Workstation\nwrkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(wrkstnVer)\n{\n if(ereg(pattern:\"^5\\.([0-4](\\..*)?|5(\\.[0-5])?)($|[^.0-9])\", string:wrkstnVer)){\n security_message(0);\n }\n}\n", "naslFamily": "Privilege escalation", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"openvas": [{"lastseen": "2019-05-29T18:40:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5671"], "description": "The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.", "modified": "2018-12-03T00:00:00", "published": "2008-09-26T00:00:00", "id": "OPENVAS:1361412562310800005", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800005", "type": "openvas", "title": "VMware Tools Local Privilege Escalation Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_tools_local_prv_esc_vuln_lin.nasl 12623 2018-12-03 13:11:38Z cfischer $\n#\n# VMware Tools Local Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2008 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800005\");\n script_version(\"$Revision: 12623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-03 14:11:38 +0100 (Mon, 03 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2007-5671\");\n script_xref(name:\"CB-A\", value:\"08-0093\");\n script_name(\"VMware Tools Local Privilege Escalation Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2008 Greenbone Networks GmbH\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n\n script_tag(name:\"insight\", value:\"An input validation error is present in the Windows-based VMware HGFS.sys\n driver. Exploitation of this flaw might result in arbitrary code execution\n on the guest system by an unprivileged guest user. 
The HGFS.sys driver is\n present in the guest operating system if the VMware Tools package is loaded on Windows based Guest OS.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.\");\n\n script_tag(name:\"affected\", value:\"VMware Player 1.x - before 1.0.6 build 80404 on Linux\n\n VMware Server 1.x - before 1.0.5 build 80187 on Linux\n\n VMware Workstation 5.x - before 5.5.6 build 80404 on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade VMware Product(s) to below version,\n\n VMware Player 1.0.6 build 80404 or later\n\n VMware Server 1.0.5 build 80187 or later\n\n VMware Workstation 5.5.6 build 80404 or later.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could result in guest OS users to modify arbitrary\n memory locations in guest kernel memory and gain privileges.\n\n Issue still exists even if the host has HGFS disabled and has no shared folders.\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/30556\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2008-0009.html\");\n\n exit(0);\n}\n\nplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(playerVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-5])?($|[^.0-9])\", string:playerVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nserverVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(serverVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?($|[^.0-9])\", string:serverVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nwrkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(wrkstnVer)\n{\n if(ereg(pattern:\"^5\\.([0-4](\\..*)?|5(\\.[0-5])?)($|[^.0-9])\", string:wrkstnVer)){\n 
security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:40:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5671"], "description": "The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.", "modified": "2018-11-30T00:00:00", "published": "2008-09-26T00:00:00", "id": "OPENVAS:1361412562310800004", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800004", "type": "openvas", "title": "VMware Tools Local Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_tools_local_prv_esc_vuln_win.nasl 12604 2018-11-30 15:07:33Z cfischer $\n#\n# VMware Tools Local Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2008 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800004\");\n script_version(\"$Revision: 12604 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-30 16:07:33 +0100 (Fri, 30 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2007-5671\");\n script_xref(name:\"CB-A\", value:\"08-0093\");\n script_name(\"VMware Tools Local Privilege Escalation Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2008 Greenbone Networks GmbH\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n\n script_tag(name:\"insight\", value:\"An input validation error is present in the Windows-based VMware HGFS.sys\n driver. Exploitation of this flaw might result in arbitrary code execution\n on the guest system by an unprivileged guest user. 
The HGFS.sys driver is\n present in the guest operating system if the VMware Tools package is loaded\n on Windows based Guest OS.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.\");\n\n script_tag(name:\"affected\", value:\"VMware ACE 1.x - 1.0.5 build 79846 on Windows\n\n VMware Player 1.x - before 1.0.6 build 80404 on Windows\n\n VMware Server 1.x - before 1.0.5 build 80187 on Windows\n\n VMware Workstation 5.x - before 5.5.6 build 80404 on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade VMware Product(s) to below version,\n\n VMware ACE 1.0.5 build 79846 or later\n\n VMware Player 1.0.6 build 80404 or later\n\n VMware Server 1.0.5 build 80187 or later\n\n VMware Workstation 5.5.6 build 80404 or later.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could result in guest OS users to modify\n arbitrary memory locations in guest kernel memory and gain privileges.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/30556\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2008-0009.html\");\n\n exit(0);\n}\n\nif(!get_kb_item(\"VMware/Win/Installed\")){\n exit(0);\n}\n\nvmaceVer = get_kb_item(\"VMware/ACE/Win/Ver\");\nif(!vmaceVer){\n vmaceVer = get_kb_item(\"VMware/ACE\\Dormant/Win/Ver\");\n}\n\nif(vmaceVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?$\", string:vmaceVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nvmplayerVer = get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer)\n{\n if(ereg(pattern:\"^1\\.0\\.[0-5]($|\\..*)\", string:vmplayerVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nvmserverVer = 
get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserverVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?$\", string:vmserverVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer)\n{\n if(ereg(pattern:\"^5\\.([0-4](\\..*)?|5(\\.[0-5])?)$\", string:vmworkstnVer)){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:10:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5671"], "description": "The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.", "modified": "2017-02-20T00:00:00", "published": "2008-09-26T00:00:00", "id": "OPENVAS:800004", "href": "http://plugins.openvas.org/nasl.php?oid=800004", "type": "openvas", "title": "VMware Tools Local Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_tools_local_prv_esc_vuln_win.nasl 5375 2017-02-20 16:39:23Z cfi $\n#\n# VMware Tools Local Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Chandan S <schandan@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2008 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could result in guest OS users to modify\n arbitrary memory locations in guest kernel memory and gain privileges.\n\n Impact Level : System\";\n\ntag_solution = \"Upgrade VMware Product(s) to below version,\n VMware ACE 1.0.5 build 79846 or later\n www.vmware.com/download/ace/\n\n VMware Player 1.0.6 build 80404 or later\n www.vmware.com/download/player/\n\n VMware Server 1.0.5 build 80187 or later\n www.vmware.com/download/server/\n\n VMware Workstation 5.5.6 build 80404 or later\n www.vmware.com/download/ws/\";\n\ntag_affected = \"VMware ACE 1.x - 1.0.5 build 79846 on Windows\n VMware Player 1.x - before 1.0.6 build 80404 on Windows\n VMware Server 1.x - before 1.0.5 build 80187 on Windows\n VMware Workstation 5.x - before 5.5.6 build 80404 on Windows\";\n\ntag_summary = \"The host is installed with VMWare product(s) that are vulnerable\n to local privilege escalation vulnerability.\";\n\ntag_insight = \"An input validation error is present in the Windows-based VMware HGFS.sys\n driver. Exploitation of this flaw might result in arbitrary code execution\n on the guest system by an unprivileged guest user. 
The HGFS.sys driver is\n present in the guest operating system if the VMware Tools package is loaded\n on Windows based Guest OS.\";\n\nif(description)\n{\n script_id(800004);\n script_version(\"$Revision: 5375 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 17:39:23 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-26 14:12:58 +0200 (Fri, 26 Sep 2008)\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2007-5671\");\n script_xref(name:\"CB-A\", value:\"08-0093\");\n script_name(\"VMware Tools Local Privilege Escalation Vulnerability (Windows)\");\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2008 Greenbone Networks GmbH\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/30556\");\n script_xref(name : \"URL\" , value : \"http://www.vmware.com/security/advisories/VMSA-2008-0009.html\");\n exit(0);\n}\n\n\nif(!get_kb_item(\"VMware/Win/Installed\")){ # Is VMWare installed?\n exit(0);\n}\n\n# VMware ACE\nvmaceVer = get_kb_item(\"VMware/ACE/Win/Ver\");\nif(!vmaceVer){\n vmaceVer = get_kb_item(\"VMware/ACE\\Dormant/Win/Ver\");\n}\n\nif(vmaceVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?$\", string:vmaceVer)){\n security_message(0);\n }\n exit(0);\n}\n\n# VMware Player\nvmplayerVer = 
get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer)\n{\n if(ereg(pattern:\"^1\\.0\\.[0-5]($|\\..*)\", string:vmplayerVer)){\n security_message(0);\n }\n exit(0);\n}\n\n# VMware Server\nvmserverVer = get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserverVer)\n{\n if(ereg(pattern:\"^1\\.0(\\.[0-4])?$\", string:vmserverVer)){\n security_message(0);\n }\n exit(0);\n}\n\n# VMware Workstation\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer)\n{\n if(ereg(pattern:\"^5\\.([0-4](\\..*)?|5(\\.[0-5])?)$\", string:vmworkstnVer)){\n security_message(0);\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:51:01", "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "cvss3": {}, "published": "2012-10-03T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", "CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", "CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", "CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:72459", "href": "http://plugins.openvas.org/nasl.php?oid=72459", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 
E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\";\ntag_solution = \"Gentoo discontinued support for VMware Player. We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n \n\nNOTE: Users could upgrade to > =app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n \n\nNOTE: Users could upgrade to > =app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\nhttp://bugs.gentoo.org/show_bug.cgi?id=213548\nhttp://bugs.gentoo.org/show_bug.cgi?id=224637\nhttp://bugs.gentoo.org/show_bug.cgi?id=236167\nhttp://bugs.gentoo.org/show_bug.cgi?id=245941\nhttp://bugs.gentoo.org/show_bug.cgi?id=265139\nhttp://bugs.gentoo.org/show_bug.cgi?id=282213\nhttp://bugs.gentoo.org/show_bug.cgi?id=297367\nhttp://bugs.gentoo.org/show_bug.cgi?id=335866\nhttp://bugs.gentoo.org/show_bug.cgi?id=385727\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\";\n\n \n \nif(description)\n{\n script_id(72459);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 6593 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:18:14 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:03", "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "cvss3": {}, "published": "2012-10-03T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", 
"CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", "CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", "CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:136141256231072459", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072459", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201209_25.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72459\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\");\n script_tag(name:\"solution\", value:\"Gentoo discontinued support for VMware Player. We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n\n\nNOTE: Users could upgrade to > =app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n\n\nNOTE: Users could upgrade to > =app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=213548\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=224637\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=236167\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=245941\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=265139\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=282213\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=297367\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=335866\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=385727\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": 
[{"lastseen": "2022-03-23T13:21:32", "description": "HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6 build 80404, VMware Player before 1.0.6 build 80404, VMware ACE before 1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX 2.5.4 through 3.0.2 does not properly validate arguments in user-mode METHOD_NEITHER IOCTLs to the \\\\.\\hgfs device, which allows guest OS users to modify arbitrary memory locations in guest kernel memory and gain privileges.", "cvss3": {}, "published": "2008-06-05T20:32:00", "type": "cve", "title": "CVE-2007-5671", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-5671"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/a:vmware:vmware_workstation:5.5.5", "cpe:/a:vmware:vmware_player:1.0.2", "cpe:/a:vmware:ace:1.0.1", "cpe:/o:vmware:esx:3.0.2", "cpe:/a:vmware:vmware_player:1.0.1", "cpe:/o:vmware:esx:3.0.1", "cpe:/a:vmware:esx_server:2.5.5", "cpe:/a:vmware:server:1.0.3", "cpe:/a:vmware:vmware_player:1.0.5", "cpe:/a:vmware:vmware_workstation:5.5.0", "cpe:/a:vmware:workstation:5.5.4", "cpe:/a:vmware:ace:1.0.0", "cpe:/a:vmware:vmware_server:1.0.4", "cpe:/a:vmware:vmware_player:1.0.0", "cpe:/a:vmware:vmware_workstation:5.5.2", "cpe:/o:vmware:esx:3.0.0", "cpe:/a:vmware:workstation:5.5.3", "cpe:/a:vmware:ace:1.0.3", "cpe:/a:vmware:ace:1.0.4", "cpe:/a:vmware:ace:1.0.2", "cpe:/a:vmware:player:1.0.4", "cpe:/a:vmware:vmware_server:1.0.0", "cpe:/a:vmware:workstation:5.5.1", "cpe:/a:vmware:vmware_server:1.0.2", 
"cpe:/o:vmware:esx:2.5.4", "cpe:/a:vmware:vmware_server:1.0.1", "cpe:/a:vmware:vmware_player:1.0.3"], "id": "CVE-2007-5671", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5671", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vmware_workstation:5.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_server:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_player:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:ace:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:5.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_player:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:ace:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_workstation:5.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:5.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_server:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:2.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:ace:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:ace:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_player:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:5.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:ace:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_server:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_server:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esx:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx_server:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_player:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_workstation:5.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vmware_player:1.0.5:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2021-11-22T22:00:59", "description": "HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6\nbuild 80404, VMware Player before 1.0.6 build 80404, VMware ACE before\n1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX\n2.5.4 through 3.0.2 does not properly validate arguments in 
user-mode\nMETHOD_NEITHER IOCTLs to the \\\\.\\hgfs device, which allows guest OS users\nto modify arbitrary memory locations in guest kernel memory and gain\nprivileges.", "cvss3": {}, "published": "2008-06-05T00:00:00", "type": "ubuntucve", "title": "CVE-2007-5671", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-5671"], "modified": "2008-06-05T00:00:00", "id": "UB:CVE-2007-5671", "href": "https://ubuntu.com/security/CVE-2007-5671", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T13:10:09", "description": "A VMware product installed on the remote host is affected by multiple vulnerabilities.\n\n - A local privilege escalation issue in 'HGFS.sys' driver included with the VMware Tools package, could allow an unprivileged guest user to execute arbitrary code on the guest system. It should be noted that installing the new releases of the affected product will not resolve the issue. In order to successfully apply this patch VMware Tools package should be updated on each Windows based guest followed by a reboot of the guest system.\n (CVE-2007-5671)\n\n - Multiple buffer overflow vulnerabilities in VMware VIX API, which is disabled by default, could allow arbitrary code execution on the host system from the guest operating system. 
(CVE-2008-2100)", "cvss3": {"score": null, "vector": null}, "published": "2008-06-09T00:00:00", "type": "nessus", "title": "VMware Products Multiple Vulnerabilities (VMSA-2008-0009)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-5671", "CVE-2008-2100"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:vmware:ace", "cpe:/a:vmware:vmware_player", "cpe:/a:vmware:vmware_server", "cpe:/a:vmware:vmware_workstation"], "id": "VMWARE_MULTIPLE_VMSA_2008_0009.NASL", "href": "https://www.tenable.com/plugins/nessus/33105", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33105);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2007-5671\", \"CVE-2008-2100\");\n script_bugtraq_id(29552, 29549);\n script_xref(name:\"VMSA\", value:\"2008-0009\");\n\n script_name(english:\"VMware Products Multiple Vulnerabilities (VMSA-2008-0009)\");\n script_summary(english:\"Checks vulnerable versions of multiple VMware products\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an application that is affected by\nmultiple issues.\");\n script_set_attribute(attribute:\"description\", value:\n\"A VMware product installed on the remote host is affected by multiple\nvulnerabilities.\n\n - A local privilege escalation issue in 'HGFS.sys' driver\n included with the VMware Tools package, could allow an\n unprivileged guest user to execute arbitrary code on the\n guest system. It should be noted that installing the new\n releases of the affected product will not resolve the\n issue. 
In order to successfully apply this patch VMware\n Tools package should be updated on each Windows based\n guest followed by a reboot of the guest system.\n (CVE-2007-5671)\n\n - Multiple buffer overflow vulnerabilities in VMware VIX\n API, which is disabled by default, could allow arbitrary\n code execution on the host system from the guest\n operating system. (CVE-2008-2100)\");\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=712\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?58ed8a38\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2008-0009.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to :\n\n - VMware Workstation 6.0.4/5.5.7 or higher.\n - VMware Player 2.0.4/1.0.6 or higher.\n - VMware Server 1.0.6 or higher.\n - VMware ACE 2.0.4 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/06/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:ace\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_player\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_server\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, 
Inc.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\",\"vmware_server_win_detect.nasl\", \"vmware_player_detect.nasl\",\"vmware_ace_detect.nasl\");\n script_require_ports(\"VMware/Server/Version\", \"VMware/ACE/Version\", \"VMware/Player/Version\", \"VMware/Workstation/Version\", 139, 445);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\n\nport = kb_smb_transport();\n\n# Check for VMware Workstation\n\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n\n if (( int(v[0]) < 5 ) ||\n ( int(v[0]) == 5 && int(v[1]) < 5 ) ||\n ( int(v[0]) == 5 && int(v[1]) == 5 && int(v[2]) < 7 ) ||\n ( int(v[0]) == 6 && int(v[1]) == 0 && int(v[2]) < 4 )\n )\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Workstation is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n \t security_hole(port);\n }\n}\n\n# Check for VMware Server\n\nversion = get_kb_item(\"VMware/Server/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n if ( ( int(v[0]) < 1 ) ||\n ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 6 )\n )\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Server is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n \tsecurity_hole(port);\n }\n}\n\n# Check for VMware Player\n\nversion = get_kb_item(\"VMware/Player/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n if ( ( int(v[0]) < 1 ) ||\n ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 6 ) ||\n ( int(v[0]) == 2 && int(v[1]) == 0 && int(v[2]) < 4 )\n )\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware Player is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n 
security_hole(port);\n }\n}\n\n# Check for VMware ACE.\nversion = get_kb_item(\"VMware/ACE/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n if (( int(v[0]) == 2 && int(v[1]) == 0 && int(v[2]) < 4 ))\n {\n if (report_verbosity)\n {\n report = string(\n \"\\n\",\n \"Version \",version,\" of VMware ACE is installed on the remote host.\",\n \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else\n security_hole(port);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:07:26", "description": "a. VMware Tools Local Privilege Escalation on Windows-based guest OS\n\n The VMware Tools Package provides support required for shared folders (HGFS) and other features.\n\n An input validation error is present in the Windows-based VMware HGFS.sys driver. Exploitation of this flaw might result in arbitrary code execution on the guest system by an unprivileged guest user. It doesn't matter on what host the Windows guest OS is running, as this is a guest driver vulnerability and not a vulnerability on the host.\n\n The HGFS.sys driver is present in the guest operating system if the VMware Tools package is loaded. Even if the host has HGFS disabled and has no shared folders, Windows-based guests may be affected. This is regardless if a host supports HGFS.\n\n This issue could be mitigated by removing the VMware Tools package from Windows based guests. However this is not recommended as it would impact usability of the product.\n\n NOTE: Installing the new hosted release or ESX patches will not remediate the issue. The VMware Tools packages will need to be updated on each Windows-based guest followed by a reboot of the guest system.\n\n VMware would like to thank iDefense and Stephen Fewer of Harmony Security for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5671 to this issue.\n\nb. 
Privilege escalation on ESX or Linux based hosted operating systems\n\n This update fixes a security issue related to local exploitation of an untrusted library path vulnerability in vmware-authd. In order to exploit this vulnerability, an attacker must have local access and the ability to execute the set-uid vmware-authd binary on an affected system. Exploitation of this flaw might result in arbitrary code execution on the Linux host system by an unprivileged user.\n\n VMware would like to thank iDefense for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0967 to this issue.\n\nc. Openwsman Invalid Content-Length Vulnerability\n\n Openwsman is a system management platform that implements the Web Services Management protocol (WS-Management). It is installed and running by default. It is used in the VMware Management Service Console and in ESXi.\n\n The openwsman management service on ESX 3.5 and ESXi 3.5 is vulnerable to a privilege escalation vulnerability, which may allow users with non-privileged ESX or Virtual Center accounts to gain root privileges.\n\n To exploit this vulnerability, an attacker would need a local ESX account or a VirtualCenter account with the Host.Cim.CimInteraction permission.\n\n Systems with no local ESX accounts and no VirtualCenter accounts with the Host.Cim.CimInteraction permission are not vulnerable.\n\n This vulnerability cannot be exploited by users without valid login credentials.\n\n Discovery: Alexander Sotirov, VMware Security Research\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2097 to this issue.\n\nd. 
VMware VIX Application Programming Interface (API) Memory Overflow Vulnerabilities\n\n The VIX API (also known as 'Vix') is an API that lets users write scripts and programs to manipulate virtual machines.\n\n Multiple buffer overflow vulnerabilities are present in the VIX API.\n Exploitation of these vulnerabilities might result in a privilege escalation on the host system. This exploit scenario is relevant for all affected products. On VC, ESX30x, and ESX35, users need to have the VM Interaction Privilege in order to exploit the vulnerability.\n\n Exploitation of these vulnerabilities might also result in code execution on the host system from the guest system or on the service console in ESX Server from the guest operating system. This exploit scenario is relevant for Workstation 6.0.x (version 6.0.3 and below), Player 2.0.x (version 2.0.3 and below), ACE 2.0.x (version 2.0.3 and below), Server 1.0.x (version 1.0.5 and below), and ESX3.5. The parameter 'vix.inGuest.enable' in the VMware configuration file must be set to true to allow for exploitation on these products. Note that the parameter 'vix-inGuest.enable' is set to false by default.\n\n The parameter 'vix.inGuest.enable' is present in the following products :\n\n VMware Workstation 6.0.2 and higher VMware ACE 6.0.2 and higher VMware Server 1.06 and higher VMware Fusion 1.1.2 and higher ESX Server 3.0 and higher ESX Server 3.5 and higher\n\n In previous versions of VMware products where the VIX API was introduced, the VIX API couldn't be disabled.\n\n This vulnerability is present in ESX and the hosted products even if you have not installed the VIX API. To patch your system you will need to update to the new hosted product version or to apply the appropriate ESX patch. 
It is not necessary to update the VIX API if you have installed the VIX API.\n\n VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-2100 to this issue.\n\nII Service Console rpm updates\n\n NOTE: ESXi and hosted products are not affected by any service console security updates\n\n a. Security update for cyrus-sasl\n\n Updated cyrus-sasl package for the ESX Service Console corrects a security issue found in the DIGEST-MD5 authentication mechanism of Cyrus' implementation of Simple Authentication and Security Layer (SASL). As a result of this issue in the authentication mechanism, a remote unauthenticated attacker might be able to cause a denial of service error on the service console.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2006-1721 to this issue.\n\n b. Security update for tcltk\n\n An input validation flaw was discovered in Tk's GIF image handling. A code-size value read from a GIF image was not properly validated before being used, leading to a buffer overflow. 
A specially crafted GIF file could use this to cause a crash or, potentially, execute code with the privileges of the application using the Tk graphical toolkit.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0553 to this issue.\n\n A buffer overflow flaw was discovered in Tk's animated GIF image handling.\n An animated GIF containing an initial image smaller than subsequent images could cause a crash or, potentially, execute code with the privileges of the application using the Tk library.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5378 to this issue.\n\n A flaw first discovered in the Tcl regular expression engine used in the PostgreSQL database server, resulted in an infinite loop when processing certain regular expressions.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-4772 to this issue.\n\n c. Security update for unzip\n\n This patch includes a moderate security update to the service console that fixes a flaw in unzip. An attacker could execute malicious code with a user's privileges if the user ran unzip on a file designed to leverage this flaw.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0888 to this issue.\n\n d. 
Security update for krb5\n\n KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0062 to this issue.\n\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable to this issue.\n\n The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka 'Uninitialized stack values.'\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0063 to this issue.\n\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable to this issue.\n\n Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably other versions before 1.3, when running on systems whose unistd.h does not define the FD_SETSIZE macro, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering a large number of open file descriptors.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-0948 to this issue.", "cvss3": {"score": null, "vector": null}, "published": "2009-07-27T00:00:00", "type": "nessus", "title": "VMSA-2008-0009 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2006-1721", "CVE-2007-4772", "CVE-2007-5137", "CVE-2007-5378", "CVE-2007-5671", "CVE-2008-0062", "CVE-2008-0063", "CVE-2008-0553", "CVE-2008-0888", "CVE-2008-0948", 
"CVE-2008-0967", "CVE-2008-2097", "CVE-2008-2100"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx:2.5.4", "cpe:/o:vmware:esx:2.5.5", "cpe:/o:vmware:esx:3.0.1", "cpe:/o:vmware:esx:3.0.2", "cpe:/o:vmware:esx:3.5", "cpe:/o:vmware:esxi:3.5"], "id": "VMWARE_VMSA-2008-0009.NASL", "href": "https://www.tenable.com/plugins/nessus/40378", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2008-0009. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40378);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-1721\", \"CVE-2007-4772\", \"CVE-2007-5137\", \"CVE-2007-5378\", \"CVE-2007-5671\", \"CVE-2008-0062\", \"CVE-2008-0063\", \"CVE-2008-0553\", \"CVE-2008-0888\", \"CVE-2008-0948\", \"CVE-2008-0967\", \"CVE-2008-2097\", \"CVE-2008-2100\");\n script_bugtraq_id(27163, 27655, 28288, 28302, 28303, 29557);\n script_xref(name:\"VMSA\", value:\"2008-0009\");\n\n script_name(english:\"VMSA-2008-0009 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. VMware Tools Local Privilege Escalation on Windows-based guest OS\n\n The VMware Tools Package provides support required for shared folders\n (HGFS) and other features.\n\n An input validation error is present in the Windows-based VMware\n HGFS.sys driver. 
Exploitation of this flaw might result in\n arbitrary code execution on the guest system by an unprivileged\n guest user. It doesn't matter on what host the Windows guest OS\n is running, as this is a guest driver vulnerability and not a\n vulnerability on the host.\n\n The HGFS.sys driver is present in the guest operating system if the\n VMware Tools package is loaded. Even if the host has HGFS disabled\n and has no shared folders, Windows-based guests may be affected. This\n is regardless if a host supports HGFS.\n\n This issue could be mitigated by removing the VMware Tools package\n from Windows based guests. However this is not recommended as it\n would impact usability of the product.\n\n NOTE: Installing the new hosted release or ESX patches will not\n remediate the issue. The VMware Tools packages will need\n to be updated on each Windows-based guest followed by a\n reboot of the guest system.\n\n VMware would like to thank iDefense and Stephen Fewer of Harmony\n Security for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2007-5671 to this issue.\n\nb. Privilege escalation on ESX or Linux based hosted operating systems\n\n This update fixes a security issue related to local exploitation of\n an untrusted library path vulnerability in vmware-authd. In order to\n exploit this vulnerability, an attacker must have local access and\n the ability to execute the set-uid vmware-authd binary on an affected\n system. Exploitation of this flaw might result in arbitrary code\n execution on the Linux host system by an unprivileged user.\n\n VMware would like to thank iDefense for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-0967 to this issue.\n\nc. 
Openwsman Invalid Content-Length Vulnerability\n\n Openwsman is a system management platform that implements the Web\n Services Management protocol (WS-Management). It is installed and\n running by default. It is used in the VMware Management Service\n Console and in ESXi.\n\n The openwsman management service on ESX 3.5 and ESXi 3.5 is vulnerable\n to a privilege escalation vulnerability, which may allow users with\n non-privileged ESX or Virtual Center accounts to gain root privileges.\n\n To exploit this vulnerability, an attacker would need a local ESX\n account or a VirtualCenter account with the Host.Cim.CimInteraction\n permission.\n\n Systems with no local ESX accounts and no VirtualCenter accounts with\n the Host.Cim.CimInteraction permission are not vulnerable.\n\n This vulnerability cannot be exploited by users without valid login\n credentials.\n\n Discovery: Alexander Sotirov, VMware Security Research\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-2097 to this issue.\n\nd. VMware VIX Application Programming Interface (API) Memory Overflow\n Vulnerabilities\n\n The VIX API (also known as 'Vix') is an API that lets users write scripts\n and programs to manipulate virtual machines.\n\n Multiple buffer overflow vulnerabilities are present in the VIX API.\n Exploitation of these vulnerabilities might result in a privilege\n escalation on the host system. This exploit scenario is relevant for all\n affected products. On VC, ESX30x, and ESX35, users need to have the VM\n Interaction Privilege in order to exploit the vulnerability.\n\n Exploitation of these vulnerabilities might also result in code execution on\n the host system from the guest system or on the service console in ESX Server\n from the guest operating system. 
This exploit scenario is relevant for\n Workstation 6.0.x (version 6.0.3 and below), Player 2.0.x (version 2.0.3 and\n below), ACE 2.0.x (version 2.0.3 and below), Server 1.0.x (version 1.0.5 and\n below), and ESX3.5. The parameter 'vix.inGuest.enable' in the VMware\n configuration file must be set to true to allow for exploitation on these\n products. Note that the parameter 'vix-inGuest.enable' is set to false by\n default.\n\n The parameter 'vix.inGuest.enable' is present in the\n following products :\n\n VMware Workstation 6.0.2 and higher\n VMware ACE 6.0.2 and higher\n VMware Server 1.06 and higher\n VMware Fusion 1.1.2 and higher\n ESX Server 3.0 and higher\n ESX Server 3.5 and higher\n\n In previous versions of VMware products where the VIX API was introduced,\n the VIX API couldn't be disabled.\n\n This vulnerability is present in ESX and the hosted products even if you\n have not installed the VIX API. To patch your system you will need to\n update to the new hosted product version or to apply the appropriate ESX\n patch. It is not necessary to update the VIX API if you have installed\n the VIX API.\n\n VMware would like to thank Andrew Honig of the Department of\n Defense for reporting this issue.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-2100 to this issue.\n\nII Service Console rpm updates\n\n NOTE: ESXi and hosted products are not affected by any service console\n security updates\n\n a. Security update for cyrus-sasl\n\n Updated cyrus-sasl package for the ESX Service Console corrects a security\n issue found in the DIGEST-MD5 authentication mechanism of Cyrus'\n implementation of Simple Authentication and Security Layer (SASL). 
As a\n result of this issue in the authentication mechanism, a remote\n unauthenticated attacker might be able to cause a denial of service error\n on the service console.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2006-1721 to this issue.\n\n b. Security update for tcltk\n\n An input validation flaw was discovered in Tk's GIF image handling. A\n code-size value read from a GIF image was not properly validated before\n being used, leading to a buffer overflow. A specially crafted GIF file\n could use this to cause a crash or, potentially, execute code with the\n privileges of the application using the Tk graphical toolkit.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2008-0553 to this issue.\n\n A buffer overflow flaw was discovered in Tk's animated GIF image handling.\n An animated GIF containing an initial image smaller than subsequent images\n could cause a crash or, potentially, execute code with the privileges of\n the application using the Tk library.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2007-5378 to this issue.\n\n A flaw first discovered in the Tcl regular expression engine used in the\n PostgreSQL database server, resulted in an infinite loop when processing\n certain regular expressions.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2007-4772 to this issue.\n\n c. Security update for unzip\n\n This patch includes a moderate security update to the service console that\n fixes a flaw in unzip. An attacker could execute malicious code with a\n user's privileges if the user ran unzip on a file designed to leverage\n this flaw.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\n assigned the name CVE-2008-0888 to this issue.\n\n d. 
Security update for krb5\n\n KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable\n for some krb4 message types, which allows remote attackers to\n cause a denial of service (crash) and possibly execute arbitrary\n code via crafted messages that trigger a NULL pointer dereference\n or double-free.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-0062 to this issue.\n\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable\n to this issue.\n\n The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not\n properly clear the unused portion of a buffer when generating an\n error message, which might allow remote attackers to obtain\n sensitive information, aka 'Uninitialized stack values.'\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-0063 to this issue.\n\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable\n to this issue.\n\n Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used\n by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably\n other versions before 1.3, when running on systems whose unistd.h\n does not define the FD_SETSIZE macro, allows remote attackers to cause\n a denial of service (crash) and possibly execute arbitrary code by\n triggering a large number of open file descriptors.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2008-0948 to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2008/000022.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:2.5.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:2.5.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:3.5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/06/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/27\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/04/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2008-06-04\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESX 2.5.4\", patch:\"19\")) flag++;\n\nif (esx_check(ver:\"ESX 2.5.5\", patch:\"8\")) flag++;\n\nif (esx_check(ver:\"ESX 3.0.1\", 
patch:\"ESX-1004186\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004189\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004190\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004721\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004723\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004725\")) flag++;\nif (esx_check(ver:\"ESX 3.0.1\", patch:\"ESX-1004728\")) flag++;\n\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004216\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004219\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004719\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004722\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004724\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004726\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004727\")) flag++;\nif (esx_check(ver:\"ESX 3.0.2\", patch:\"ESX-1004821\")) flag++;\n\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805504-SG\",\n patch_updates : make_list(\"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805505-SG\",\n patch_updates : make_list(\"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805506-SG\",\n patch_updates : make_list(\"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805507-SG\",\n patch_updates : make_list(\"ESX350-201006408-SG\", \"ESX350-201008411-SG\", \"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805508-SG\",\n 
patch_updates : make_list(\"ESX350-200911210-UG\", \"ESX350-200912406-BG\", \"ESX350-201006409-BG\", \"ESX350-201105403-BG\", \"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200805515-SG\",\n patch_updates : make_list(\"ESX350-200911201-UG\", \"ESX350-201006401-SG\", \"ESX350-201203401-SG\", \"ESX350-Update02\", \"ESX350-Update03\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 3.5.0\", patch:\"ESXe350-200805501-I-SG\")) flag++;\nif (esx_check(ver:\"ESXi 3.5.0\", patch:\"ESXe350-200805502-T-SG\")) flag++;\nif (esx_check(ver:\"ESXi 3.5.0\", patch:\"ESXe350-200805503-C-SG\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-24T15:00:51", "description": "The remote host is affected by the vulnerability described in GLSA-201209-25 (VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Local users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. 
Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS).\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 6.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}, "published": "2012-10-01T00:00:00", "type": "nessus", "title": "GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2007-5269", "CVE-2007-5503", "CVE-2007-5671", "CVE-2008-0967", "CVE-2008-1340", "CVE-2008-1361", "CVE-2008-1362", "CVE-2008-1363", "CVE-2008-1364", "CVE-2008-1392", "CVE-2008-1447", "CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808", "CVE-2008-2098", "CVE-2008-2100", "CVE-2008-2101", "CVE-2008-4915", "CVE-2008-4916", "CVE-2008-4917", "CVE-2009-0040", "CVE-2009-0909", "CVE-2009-0910", "CVE-2009-1244", "CVE-2009-2267", "CVE-2009-3707", "CVE-2009-3732", "CVE-2009-3733", "CVE-2009-4811", "CVE-2010-1137", "CVE-2010-1138", "CVE-2010-1139", "CVE-2010-1140", "CVE-2010-1141", "CVE-2010-1142", "CVE-2010-1143", "CVE-2011-3868"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:vmware-player", "p-cpe:/a:gentoo:linux:vmware-server", "p-cpe:/a:gentoo:linux:vmware-workstation", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201209-25.NASL", "href": "https://www.tenable.com/plugins/nessus/62383", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201209-25.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62383);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_bugtraq_id(25956, 26650, 28276, 28289, 29444, 29552, 29557, 29637, 29639, 29640, 29641, 30131, 30937, 32168, 32597, 33827, 33990, 34373, 34471, 36630, 36841, 36842, 39104, 39392, 39394, 39395, 39396, 39397, 39407, 39949, 49942);\n script_xref(name:\"GLSA\", value:\"201209-25\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201209-25\n(VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server,\n and Workstation. 
Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Local users may be able to gain escalated privileges, cause a Denial of\n Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file,\n possibly resulting in the remote execution of arbitrary code, or a Denial\n of Service. Remote attackers also may be able to spoof DNS traffic, read\n arbitrary files, or inject arbitrary web script to the VMware Server\n Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the\n host OS, gain escalated privileges on the guest OS, or cause a Denial of\n Service (crash the host OS).\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201209-25\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Gentoo discontinued support for VMware Player. We recommend that users\n unmerge VMware Player:\n # emerge --unmerge 'app-emulation/vmware-player'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-player-3.1.5”, however these packages are\n not currently stable.\n Gentoo discontinued support for VMware Workstation. We recommend that\n users unmerge VMware Workstation:\n # emerge --unmerge 'app-emulation/vmware-workstation'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-workstation-7.1.5”, however these packages\n are not currently stable.\n Gentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n # emerge --unmerge 'app-emulation/vmware-server'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-757\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Vmware Server File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(16, 20, 22, 94, 119, 134, 189, 200, 264, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/01\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/vmware-server\", unaffected:make_list(), vulnerable:make_list(\"le 1.0.9.156507\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-workstation\", unaffected:make_list(), vulnerable:make_list(\"le 6.5.5.328052\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-player\", unaffected:make_list(), vulnerable:make_list(\"le 2.5.5.328052\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VMware Player / Server / Workstation\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T19:15:25", "bulletinFamily": "software", "cvelist": ["CVE-2008-0967", "CVE-2008-2097", "CVE-2007-5671"], "description": "Multiple privilege escalation in guest OS.", "edition": 2, "modified": "2008-06-06T00:00:00", "published": "2008-06-06T00:00:00", "id": "SECURITYVULNS:VULN:9055", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:9055", "title": "VMWare multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:26", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA256\r\n\r\n- -------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2008-0009\r\nSynopsis: Updates to VMware Workstation, VMware Player,\r\n VMware ACE, VMware Fusion, VMware Server, VMware\r\n VIX API, VMware ESX, VMware ESXi resolve critical\r\n security issues\r\nIssue date: 2008-06-04\r\nUpdated on: 2008-06-04 (initial release of advisory)\r\nCVE numbers: CVE-2007-5671 CVE-2008-0967 CVE-2008-2097\r\n CVE-2008-2100 CVE-2006-1721 CVE-2008-0553\r\n CVE-2007-5378 CVE-2007-4772 CVE-2008-0888\r\n CVE-2008-0062 CVE-2008-0063 CVE-2008-0948\r\n- -------------------------------------------------------------------\r\n\r\n1. Summary:\r\n\r\n Several critical security vulnerabilities have been addressed\r\n in patches in ESX and in the newest releases of VMware's hosted\r\n product line.\r\n\r\n2. 
Relevant releases:\r\n\r\n VMware Workstation 6.0.3 and earlier,\r\n VMware Workstation 5.5.6 and earlier,\r\n VMware Player 2.0.3 and earlier,\r\n VMware Player 1.0.6 and earlier,\r\n VMware ACE 2.0.3 and earlier,\r\n VMware ACE 1.0.5 and earlier,\r\n VMware Server 1.0.5 and earlier,\r\n VMware Fusion 1.1.1 and earlier\r\n\r\n VMware ESXi 3.5 without patches ESXe350-200805501-I-SG,\r\n ESXe350-200805502-T-SG,\r\n ESXe350-200805503-C-SG\r\n\r\n VMware ESX 3.5 without patches ESX350-200805515-SG, ESX350-200805508-SG,\r\n ESX350-200805501-BG, ESX350-200805504-SG,\r\n ESX350-200805506-SG, ESX350-200805505-SG,\r\n ESX350-200805507-SG\r\n\r\n VMware ESX 3.0.2 without patches ESX-1004727, ESX-1004821, ESX-1004216,\r\n ESX-1004726, ESX-1004722, ESX-1004724,\r\n ESX-1004719, ESX-1004219\r\n\r\n VMware ESX 3.0.1 without patches ESX-1004186, ESX-1004728, ESX-1004725,\r\n ESX-1004721, ESX-1004723, ESX-1004190,\r\n ESX-1004189\r\n\r\n VMware ESX 2.5.5 without update patch 8\r\n VMware ESX 2.5.4 without update patch 19\r\n\r\nNOTES: Hosted products VMware Workstation 5.x, VMware Player 1.x,\r\n and VMware ACE 1.x will reach end of general support\r\n 2008-11-09. Customers should plan to upgrade to the latest\r\n version of their respective products.\r\n\r\n ESX 3.0.1 is in Extended Support and its end of extended\r\n support (Security and Bug fixes) is 2008-07-31. Users should plan\r\n to upgrade to at least 3.0.2 update 1 and preferably the newest\r\n release available before the end of extended support.\r\n\r\n ESX 2.5.4 is in Extended Support and its end of extended support\r\n (Security and Bug fixes) is 2008-10-08. Users should plan to upgrade\r\n to at least 2.5.5 and preferably the newest release available before\r\n the end of extended support.\r\n\r\n3. Problem description:\r\n\r\n a. 
VMware Tools Local Privilege Escalation on Windows-based guest OS\r\n\r\n The VMware Tools Package provides support required for shared folders\r\n (HGFS) and other features.\r\n\r\n An input validation error is present in the Windows-based VMware\r\n HGFS.sys driver. Exploitation of this flaw might result in\r\n arbitrary code execution on the guest system by an unprivileged\r\n guest user. It doesn't matter on what host the Windows guest OS\r\n is running, as this is a guest driver vulnerability and not a\r\n vulnerability on the host.\r\n\r\n The HGFS.sys driver is present in the guest operating system if the\r\n VMware Tools package is loaded. Even if the host has HGFS disabled\r\n and has no shared folders, Windows-based guests may be affected. This\r\n is regardless if a host supports HGFS.\r\n\r\n This issue could be mitigated by removing the VMware Tools package\r\n from Windows based guests. However this is not recommended as it\r\n would impact usability of the product.\r\n\r\n NOTE: Installing the new hosted release or ESX patches will not\r\n remediate the issue. 
The VMware Tools packages will need\r\n to be updated on each Windows-based guest followed by a\r\n reboot of the guest system.\r\n\r\n VMware would like to thank iDefense and Stephen Fewer of Harmony\r\n Security for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2007-5671 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux not affected\r\n Workstation 5.x Windows 5.5.6 build 80404 or later\r\n Workstation 5.x Linux 5.5.6 build 80404 or later\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux not affected\r\n Player 1.x Windows 1.0.6 build 80404 or later\r\n Player 1.x Linux 1.0.6 build 80404 or later\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows 1.0.5 build 79846 or later\r\n\r\n Server 1.x Windows 1.0.5 build 80187 or later\r\n Server 1.x Linux 1.0.5 build 80187 or later\r\n\r\n Fusion 1.x Mac OS/X not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX not affected\r\n ESX 3.0.2 ESX ESX-1004727\r\n ESX 3.0.1 ESX ESX-1004186\r\n ESX 2.5.5 ESX ESX 2.5.5 upgrade patch 5 or later\r\n ESX 2.5.4 ESX ESX 2.5.4 upgrade patch 16 or later\r\n\r\n\r\n b. Privilege escalation on ESX or Linux based hosted operating systems\r\n\r\n This update fixes a security issue related to local exploitation of\r\n an untrusted library path vulnerability in vmware-authd. In order to\r\n exploit this vulnerability, an attacker must have local access and\r\n the ability to execute the set-uid vmware-authd binary on an affected\r\n system. 
Exploitation of this flaw might result in arbitrary code\r\n execution on the Linux host system by an unprivileged user.\r\n\r\n VMware would like to thank iDefense for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-0967 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n Workstation 6.x Windows not affected\r\n Workstation 6.x Linux 6.0.4 build 93057\r\n Workstation 5.x Windows not affected\r\n Workstation 5.x Linux 5.5.7 build 91707\r\n\r\n Player 2.x Windows not affected\r\n Player 2.x Linux 2.0.4 build 93057\r\n Player 1.x Windows not affected\r\n Player 1.x Linux 1.0.7 build 91707\r\n\r\n ACE 2.x Windows not affected\r\n ACE 1.x Windows not affected\r\n\r\n Server 1.x Windows not affected\r\n Server 1.x Linux 1.0.6 build 91891\r\n\r\n Fusion 1.x Mac OS/X not affected\r\n\r\n ESXi 3.5 ESXi ESXe350-200805501-I-SG\r\n\r\n ESX 3.5 ESX ESX350-200805515-SG\r\n ESX 3.0.2 ESX ESX-1004821\r\n ESX 3.0.1 ESX ESX-1004728\r\n ESX 2.5.5 ESX ESX 2.5.5 update patch 8\r\n ESX 2.5.4 ESX ESX 2.5.4 update patch 19\r\n\r\n c. Openwsman Invalid Content-Length Vulnerability\r\n\r\n Openwsman is a system management platform that implements the Web\r\n Services Management protocol (WS-Management). It is installed and\r\n running by default. 
It is used in the VMware Management Service\r\n Console and in ESXi.\r\n\r\n The openwsman management service on ESX 3.5 and ESXi 3.5 is vulnerable\r\n to a privilege escalation vulnerability, which may allow users with\r\n non-privileged ESX or Virtual Center accounts to gain root privileges.\r\n\r\n To exploit this vulnerability, an attacker would need a local ESX\r\n account or a VirtualCenter account with the Host.Cim.CimInteraction\r\n permission.\r\n\r\n Systems with no local ESX accounts and no VirtualCenter accounts with\r\n the Host.Cim.CimInteraction permission are not vulnerable.\r\n\r\n This vulnerability cannot be exploited by users without valid login\r\n credentials.\r\n\r\n Discovery: Alexander Sotirov, VMware Security Research\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-2097 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n hosted any any not affected\r\n\r\n ESXi 3.5 ESXi ESXe350-200805501-I-SG\r\n\r\n ESX 3.5 ESX ESX350-200805508-SG\r\n ESX 3.0.2 ESX not affected\r\n ESX 3.0.1 ESX not affected\r\n ESX 2.5.5 ESX not affected\r\n ESX 2.5.4 ESX not affected\r\n\r\n NOTE: VMware hosted products are not affected by this issue.\r\n\r\n d. VMware VIX Application Programming Interface (API) Memory Overflow\r\nVulnerabilities\r\n\r\n The VIX API (also known as \"Vix\") is an API that lets users write scripts\r\n and programs to manipulate virtual machines.\r\n\r\n Multiple buffer overflow vulnerabilities are present in the VIX API.\r\n Exploitation of these vulnerabilities might result in code execution on\r\n the host system or on the service console in ESX Server from the guest\r\n operating system.\r\n\r\n The VIX API can be enabled and disabled using the \"vix.inGuest.enable\"\r\n setting in the VMware configuration file. This default value for this\r\n setting is \"disabled\". 
This configuration setting is present in the\r\n following products:\r\n VMware Workstation 6.0.2 and higher\r\n VMware ACE 6.0.2 and higher\r\n VMware Server 1.06 and higher\r\n VMware Fusion 1.1.2 and higher\r\n ESX Server 3.0 and higher\r\n ESX Server 3.5 and higher\r\n In previous versions of VMware products where the VIX API was introduced,\r\n the VIX API couldn't be disabled.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-2100 to this issue.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n VIX API 1.1.x Windows VMware-vix-1.1.4-93057.exe\r\n VIX API 1.1.x Linux VMware-vix-1.1.4-93057.i386.tar.gz\r\n VIX API 1.1.x Linux64 VMware-vix-1.1.4-93057.x86_64.tar.gz\r\n\r\n Workstation 6.x Windows 6.0.4 build 93057\r\n Workstation 6.x Linux 6.0.4 build 93057\r\n Workstation 5.x Windows 5.5.7 build 91707\r\n Workstation 5.x Linux 5.5.7 build 91707\r\n\r\n Player 2.x Windows 2.0.4 build 93057\r\n Player 2.x Linux 2.0.4 build 93057\r\n Player 1.x Windows 1.0.6 build 91707\r\n Player 1.x Linux 1.0.6 build 91707\r\n\r\n ACE 2.x Windows 2.0.4 build 93057\r\n ACE 1.x Windows not affected\r\n\r\n Server 1.x Windows 1.0.6 build 91891\r\n Server 1.x Linux 1.0.6 build 91891\r\n\r\n Fusion 1.x Mac OS/X 1.1.2 build 87978 or later\r\n\r\n ESXi 3.5 ESXi ESXe350-200805501-I-SG,\r\n ESXe350-200805502-T-SG\r\n\r\n ESX 3.5 ESX ESX350-200805501-BG\r\n ESX 3.0.2 ESX ESX-1004216, ESX-1004726, ESX-1004727\r\n ESX 3.0.1 ESX ESX-1004186, ESX-1004725\r\n ESX 2.5.5 ESX not affected\r\n ESX 2.5.4 ESX not affected\r\n\r\n\r\nII Service Console rpm updates\r\n\r\n NOTE: ESXi and hosted products are not affected by any service console\r\n security updates\r\n\r\n a. 
Security update for cyrus-sasl\r\n\r\n Updated cyrus-sasl package for the ESX Service Console corrects a security\r\n issue found in the DIGEST-MD5 authentication mechanism of Cyrus'\r\n implementation of Simple Authentication and Security Layer (SASL). As a\r\n result of this issue in the authentication mechanism, a remote\r\n unauthenticated attacker might be able to cause a denial of service error\r\n on the service console.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CVE-2006-1721 to this issue.\r\n\r\n RPMs Updated:\r\n cyrus-sasl-2.1.15-15.i386.rpm\r\n cyrus-sasl-md5-2.1.15-1.i386.rpm\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n hosted any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX ESX350-200805504-SG\r\n ESX 3.0.2 ESX ESX-1004722\r\n ESX 3.0.1 ESX ESX-1004721\r\n ESX 2.5.5 ESX not affected\r\n ESX 2.5.4 ESX not affected\r\n\r\n b. Security update for tcltk\r\n\r\n An input validation flaw was discovered in Tk's GIF image handling. A\r\n code-size value read from a GIF image was not properly validated before\r\n being used, leading to a buffer overflow. 
A specially crafted GIF file\r\n could use this to cause a crash or, potentially, execute code with the\r\n privileges of the application using the Tk graphical toolkit.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CVE-2008-0553 to this issue.\r\n\r\n A buffer overflow flaw was discovered in Tk's animated GIF image handling.\r\n An animated GIF containing an initial image smaller than subsequent images\r\n could cause a crash or, potentially, execute code with the privileges of\r\n the application using the Tk library.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CVE-2007-5378 to this issue.\r\n\r\n A flaw first discovered in the Tcl regular expression engine used in the\r\n PostgreSQL database server, resulted in an infinite loop when processing\r\n certain regular expressions.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CVE-2007-4772 to this issue.\r\n\r\n RPM Updated:\r\n tcl-8.3.5-92.8.i386.rpm\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n hosted any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX ESX350-200805506-SG\r\n ESX 3.0.2 ESX ESX-1004724\r\n ESX 3.0.1 ESX ESX-1004723\r\n ESX 2.5.5 ESX ESX 2.5.5 Upgrade Patch 8\r\n ESX 2.5.4 ESX ESX 2.5.4 Upgrade Patch 19\r\n\r\n c. Security update for unzip\r\n\r\n This patch includes a moderate security update to the service console that\r\n fixes a flaw in unzip. 
An attacker could execute malicious code with a\r\n user's privileges if the user ran unzip on a file designed to leverage\r\n this flaw.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has\r\n assigned the name CVE-2008-0888 to this issue.\r\n\r\n RPM Updated:\r\n Unzip-5.50-36.EL3.i386.rpm\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n hosted any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX ESX350-200805505-SG\r\n ESX 3.0.2 ESX ESX-1004719\r\n ESX 3.0.1 ESX ESX-1004190\r\n ESX 2.5.5 ESX ESX 2.5.5 Upgrade Patch 8\r\n ESX 2.5.4 ESX ESX 2.5.4 Upgrade Patch 19\r\n\r\n d. Security update for krb5\r\n\r\n KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable\r\n for some krb4 message types, which allows remote attackers to\r\n cause a denial of service (crash) and possibly execute arbitrary\r\n code via crafted messages that trigger a NULL pointer dereference\r\n or double-free.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-0062 to this issue.\r\n\r\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable\r\n to this issue.\r\n\r\n The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not\r\n properly clear the unused portion of a buffer when generating an\r\n error message, which might allow remote attackers to obtain\r\n sensitive information, aka \"Uninitialized stack values.\"\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-0063 to this issue.\r\n\r\n NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable\r\n to this issue.\r\n\r\n Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used\r\n by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably\r\n other versions before 1.3, when running on systems whose unistd.h\r\n does not define the 
FD_SETSIZE macro, allows remote attackers to cause\r\n a denial of service (crash) and possibly execute arbitrary code by\r\n triggering a large number of open file descriptors.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2008-0948 to this issue.\r\n\r\n RPM Updated:\r\n krb5-libs-1.2.7-68.i386.rpm\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============ ======== ======= =================\r\n hosted any any not affected\r\n\r\n ESXi 3.5 ESXi not affected\r\n\r\n ESX 3.5 ESX ESX350-200805507-SG\r\n ESX 3.0.2 ESX ESX-1004219\r\n ESX 3.0.1 ESX ESX-1004189\r\n ESX 2.5.5 ESX ESX 2.5.5 Upgrade Patch 8\r\n ESX 2.5.4 ESX ESX 2.5.4 Upgrade Patch 19\r\n\r\n4. Solution:\r\n\r\nPlease review the release notes for your product and version and verify the\r\nmd5sum of your downloaded file.\r\n\r\n VMware Workstation 6.0.4\r\n ------------------------\r\n http://www.vmware.com/download/ws/\r\n Release notes:\r\n http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html\r\n\r\n Windows binary\r\n md5sum: f50a05831e94c19d98f363c752fca5f9\r\n\r\n RPM Installation file for 32-bit Linux\r\n md5sum: e7793b14b995d3b505f093c84e849421\r\n\r\n tar Installation file for 32-bit Linux\r\n md5sum: a0a8e1d8188f4be03357872a57a767ab\r\n\r\n RPM Installation file for 64-bit Linux\r\n md5sum: 960d753038a268b8f101f4b853c0257e\r\n\r\n tar Installation file for 64-bit Linux\r\n md5sum: 4697ec8a9d6c1152d785f3b77db9d539\r\n\r\n VMware Workstation 5.5.7\r\n ------------------------\r\n http://www.vmware.com/download/ws/ws5.html\r\n Release notes:\r\n http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html\r\n\r\n Windows binary:\r\n md5sum: 4c6a6653b7296240197aac048591c659\r\n\r\n Compressed Tar archive for 32-bit Linux\r\n md5sum: 8fc15d72031489cf5cd5d47b966787e6\r\n\r\n Linux RPM version for 32-bit Linux\r\n md5sum: f0872fe447ac654a583af16b2f4bba3f\r\n\r\n\r\n VMware Player 2.0.4 and 1.0.7\r\n 
-----------------------------\r\n http://www.vmware.com/download/player/\r\n Release notes Player 1.x:\r\n http://www.vmware.com/support/player/doc/releasenotes_player.html\r\n Release notes Player 2.0\r\n http://www.vmware.com/support/player2/doc/releasenotes_player2.html\r\n\r\n 2.0.4 Windows binary\r\n md5sum: a117664a8bfa7336b846117e5fc048dd\r\n\r\n VMware Player 2.0.4 for Linux (.rpm)\r\n md5sum: de6ab6364a0966b68eadda2003561cd2\r\n\r\n VMware Player 2.0.4 for Linux (.tar)\r\n md5sum: 9e1c2bfda6b22a3fc195a86aec11903a\r\n\r\n VMware Player 2.0.4 - 64-bit (.rpm)\r\n md5sum: 997e5ceffe72f9ce9146071144dacafa\r\n\r\n VMware Player 2.0.4 - 64-bit (.tar)\r\n md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef\r\n\r\n 1.0.7 Windows binary\r\n md5sum: 51114b3b433dc1b3bf3e434aebbf2b9c\r\n\r\n Player 1.0.7 for Linux (.rpm)\r\n md5sum: 3b5f97a37df3b984297fa595a5cdba9c\r\n\r\n Player 1.0.7 for Linux (.tar)\r\n md5sum: b755739144944071492a16fa20f86a51\r\n\r\n\r\n VMware ACE\r\n ----------\r\n http://www.vmware.com/download/ace/\r\n Release notes 2.0:\r\n http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html\r\n\r\n VMware-workstation-6.0.4-93057.exe\r\n md5sum: f50a05831e94c19d98f363c752fca5f9\r\n\r\n VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip\r\n md5sum: d2ae2246f3d87268cf84c1421d94e86c\r\n\r\n VMware-ACE-Management-Server-2.0.4-93057.exe\r\n md5sum: 41b31b3392d5da2cef77a7bb28654dbf\r\n\r\n VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm\r\n md5sum: 9920be4c33773df53a1728b41af4b109\r\n\r\n VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm\r\n md5sum: 4ec4c37203db863e8844460b5e80920b\r\n\r\n Release notes 1.x:\r\n http://www.vmware.com/support/ace/doc/releasenotes_ace.html\r\n\r\n VMware-ACE-1.0.6-89199.exe\r\n md5sum: 110f6e24842a0d154d9ec55ef9225f4f\r\n\r\n\r\n VMware Server 1.0.6\r\n -------------------\r\n http://www.vmware.com/download/server/\r\n Release notes:\r\n http://www.vmware.com/support/server/doc/releasenotes_server.html\r\n\r\n VMware 
Server for Windows 32-bit and 64-bit\r\n md5sum: 3e00d5cfae123d875e4298bddabf12f5\r\n\r\n VMware Server Windows client package\r\n md5sum: 64f3fc1b4520626ae465237d7ec4773e\r\n\r\n VMware Server for Linux\r\n md5sum: 46ea876bfb018edb6602a921f6597245\r\n\r\n VMware Server for Linux rpm\r\n md5sum: 9d2f0af908aba443ef80bec8f7ef3485\r\n\r\n Management Interface\r\n md5sum: 1b3daabbbb49a036fe49f53f812ef64b\r\n\r\n VMware Server Linux client package\r\n md5sum: 185e5b174659f366fcb38b1c4ad8d3c6\r\n\r\n\r\n VMware Fusion 1.1.3\r\n --------------\r\n http://www.vmware.com/download/fusion/\r\n Release notes:\r\n http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html\r\n md5sum: D15A3DFD3E7B11FC37AC684586086D\r\n\r\n\r\n VMware VIX 1.1.4\r\n ----------------\r\n http://www.vmware.com/support/developer/vix-api/\r\n Release notes:\r\n http://www.vmware.com/support/pubs/vix-api/VIXAPI-1.1.4-Release-Notes.html\r\n VMware-vix-1.1.4-93057.exe\r\n md5sum: 2efb74618c7ead627ecb3b3033e3f9f6\r\n\r\n VMware-vix-1.1.4-93057.i386.tar.gz\r\n md5sum: 988df2b2bbc975a6fc11f27ad1519832\r\n\r\n VMware-vix-1.1.4-93057.x86_64.tar.gz\r\n md5sum: a64f951c6fb5b2795a29a5a7607059c0\r\n\r\n\r\n ESXi\r\n ----\r\n VMware ESXi 3.5 patch ESXe350-200805501-O-SG (authd, openwsman, VIX)\r\n http://download3.vmware.com/software/esx/ESXe350-200805501-O-SG.zip\r\n md5sum: 4ce06985d520e94243db1e0504a56d8c\r\n http://kb.vmware.com/kb/1005073\r\n http://kb.vmware.com/kb/1004173\r\n http://kb.vmware.com/kb/1004172\r\n\r\n NOTE: ESXe350-200805501-O-SG contains the following patch bundles:\r\n ESXe350-200805501-I-SG, ESXe350-200805502-T-SG,\r\n ESXe350-200805503-C-SG\r\n\r\n\r\n ESX\r\n ---\r\n VMware ESX 3.5 patch ESX350-200805515-SG (authd)\r\n http://download3.vmware.com/software/esx/ESX350-200805515-SG.zip\r\n md5sum: 324b50ade230bcd5079a76e3636163c5\r\n http://kb.vmware.com/kb/1004170\r\n\r\n VMware ESX 3.5 patch ESX350-200805508-SG (openwsman)\r\n 
http://download3.vmware.com/software/esx/ESX350-200805508-SG.zip\r\n md5sum: 3ff8c06d4a9dd406f64f89c51bf26d12\r\n http://kb.vmware.com/kb/1004644\r\n\r\n VMware ESX 3.5 patch ESX350-200805501-BG (VIX)\r\n http://download3.vmware.com/software/esx/ESX350-200805501-BG.zip\r\n md5sum: 31a620aa249c593c30015b5b6f8c8650\r\n http://kb.vmware.com/kb/1004637\r\n\r\n VMware ESX 3.5 patch ESX350-200805504-SG (cyrus-sasl)\r\n http://download3.vmware.com/software/esx/ESX350-200805504-SG.zip\r\n md5sum: 4c1b1a8dcb09a636b55c64c290f7de51\r\n http://kb.vmware.com/kb/1004640\r\n\r\n VMware ESX 3.5 patch ESX350-200805506-SG (tcltk)\r\n http://download3.vmware.com/software/esx/ESX350-200805506-SG.zip\r\n md5sum: af279eef8fdeddb7808630da1ae717b1\r\n http://kb.vmware.com/kb/1004642\r\n\r\n VMware ESX 3.5 patch ESX350-200805505-SG (unzip)\r\n http://download3.vmware.com/software/esx/ESX350-200805505-SG.zip\r\n md5sum: 07af82d9fd97cccb89d9b90c6ecc41c6\r\n http://kb.vmware.com/kb/1004641\r\n\r\n VMware ESX 3.5 patch ESX350-200805507-SG (krb5)\r\n http://download3.vmware.com/software/esx/ESX350-200805507-SG.zip\r\n md5sum: 5d35a1c470daf13c9f4df5bdc9438748\r\n http://kb.vmware.com/kb/1004643\r\n\r\n VMware ESX 3.0.2 patch ESX-1004727 (HGFS,VIX)\r\n http://download3.vmware.com/software/vi/ESX-1004727.tgz\r\n md5sum: 31a67b0fa3449747887945f8d370f19e\r\n http://kb.vmware.com/kb/1004727\r\n\r\n VMware ESX 3.0.2 patch ESX-1004821 (authd)\r\n http://download3.vmware.com/software/vi/ESX-1004821.tgz\r\n md5sum: 5c147bedd07245c903d44257522aeba1\r\n http://kb.vmware.com/kb/1004821\r\n\r\n VMware ESX 3.0.2 patch ESX-1004216 (VIX)\r\n http://download3.vmware.com/software/vi/ESX-1004216.tgz\r\n md5sum: 0784ef70420d28a9a5d6113769f6669a\r\n http://kb.vmware.com/kb/1004216\r\n\r\n VMware ESX 3.0.2 patch ESX-1004726 (VIX)\r\n http://download3.vmware.com/software/vi/ESX-1004726.tgz\r\n md5sum: 44f03b274867b534cd274ccdf4630b86\r\n http://kb.vmware.com/kb/1004726\r\n\r\n VMware ESX 3.0.2 patch ESX-1004722 
(cyrus-sasl)\r\n http://download3.vmware.com/software/vi/ESX-1004722.tgz\r\n md5sum: 99dc71aed5bab7711f573b6d322123d6\r\n http://kb.vmware.com/kb/1004722\r\n\r\n VMware ESX 3.0.2 patch ESX-1004724 (tcltk)\r\n http://download3.vmware.com/software/vi/ESX-1004724.tgz\r\n md5sum: fd9a160ca7baa5fc443f2adc8120ecf7\r\n http://kb.vmware.com/kb/1004724\r\n\r\n VMware ESX 3.0.2 patch ESX-1004719 (unzip)\r\n http://download3.vmware.com/software/vi/ESX-1004719.tgz\r\n md5sum: f0c37b9f6be3399536d60f6c6944de82\r\n http://kb.vmware.com/kb/1004719\r\n\r\n VMware ESX 3.0.2 patch ESX-1004219 (krb5)\r\n http://download3.vmware.com/software/vi/ESX-1004219.tgz\r\n md5sum: 7c68279762f407a7a5ee151a650ebfd4\r\n http://kb.vmware.com/kb/1004219\r\n\r\n VMware ESX 3.0.1 patch ESX-1004186 (HGFS,VIX)\r\n http://download3.vmware.com/software/vi/ESX-1004186.tgz\r\n md5sum: f64389a8b97718eccefadce1a14d1198\r\n http://kb.vmware.com/kb/1004186\r\n\r\n VMware ESX 3.0.1 patch ESX-1004728 (authd)\r\n http://download3.vmware.com/software/vi/ESX-1004728.tgz\r\n md5sum: 1f01bb819805b855ffa2ec1040eff5ca\r\n http://kb.vmware.com/kb/1004728\r\n\r\n VMware ESX 3.0.1 patch ESX-1004725 (VIX)\r\n http://download3.vmware.com/software/vi/ESX-1004725.tgz\r\n md5sum: 9fafb04c6d3f6959e623832f539d2dc8\r\n http://kb.vmware.com/kb/1004725\r\n\r\n VMware ESX 3.0.1 patch ESX-1004721 (cyrus-sasl)\r\n http://download3.vmware.com/software/vi/ESX-1004721.tgz\r\n md5sum: 48190819b0f5afddefcb8d209d12b585\r\n http://kb.vmware.com/kb/1004721\r\n\r\n VMware ESX 3.0.1 patch ESX-1004723 (tcltk)\r\n http://download3.vmware.com/software/vi/ESX-1004723.tgz\r\n md5sum: c34ca0a5886e0c0917a93a97c331fd7d\r\n http://kb.vmware.com/kb/1004723\r\n\r\n VMware ESX 3.0.1 patch ESX-1004190 (unzip)\r\n http://download3.vmware.com/software/vi/ESX-1004190.tgz\r\n md5sum: 05187b9f534048c79c62741367cc0dd2\r\n http://kb.vmware.com/kb/1004190\r\n\r\n VMware ESX 3.0.1 patch ESX-1004189 (krb5)\r\n 
http://download3.vmware.com/software/vi/ESX-1004189.tgz\r\n md5sum: 21b620530b99009f469c872e73a439e8\r\n http://kb.vmware.com/kb/1004189\r\n\r\n VMware ESX 2.5.5 Upgrade Patch 8\r\n http://download3.vmware.com/software/esx/esx-2.5.5-90521-upgrade.tar.gz\r\n md5sum: 392b6947fc3600ca0e8e7788cd5bbb6e\r\n http://vmware.com/support/esx25/doc/esx-255-200805-patch.html\r\n\r\n VMware ESX 2.5.4 Upgrade Patch 19\r\n http://download3.vmware.com/software/esx/esx-2.5.4-90520-upgrade.tar.gz\r\n md5sum: 442788fd0bccb0d994c75b268bd12760\r\n http://vmware.com/support/esx25/doc/esx-254-200805-patch.html\r\n\r\n5. References:\r\n\r\n CVE numbers\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5671\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0967\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2097\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2100\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0553\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4772\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948\r\n\r\n6. Change log:\r\n\r\n2008-06-04 VMSA-2008-0009 Initial release\r\n\r\n- -------------------------------------------------------------------\r\n7. 
Contact:\r\n\r\nE-mail list for product security notifications and announcements:\r\nhttp://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\nThis Security Advisory is posted to the following lists:\r\n\r\n * security-announce@lists.vmware.com\r\n * bugtraq@securityfocus.com\r\n * full-disclosure@lists.grok.org.uk\r\n\r\nE-mail: security@vmware.com\r\nPGP key at: http://kb.vmware.com/kb/1055\r\n\r\nVMware Security Center\r\nhttp://www.vmware.com/security\r\n\r\nVMware security response policy\r\nhttp://www.vmware.com/support/policies/security_response.html\r\n\r\nGeneral support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos.html\r\n\r\nVMware Infrastructure support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos_vi.html\r\n\r\nCopyright 2008 VMware Inc. All rights reserved.", "edition": 1, "cvss3": {}, "published": "2008-06-05T00:00:00", "title": "VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2008-0967", "CVE-2008-0063", "CVE-2008-0553", "CVE-2008-0948", "CVE-2008-0888", "CVE-2007-5378", "CVE-2006-1721", "CVE-2008-2097", "CVE-2007-4772", "CVE-2008-2100", "CVE-2007-5671", "CVE-2008-0062"], "modified": "2008-06-05T00:00:00", "id": "SECURITYVULNS:DOC:19969", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19969", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2019-11-06T16:05:52", "description": "a. 
VMware Tools Local Privilege Escalation on Windows-based guest OS \n \nThe VMware Tools Package provides support required for shared folders \n(HGFS) and other features. \n \nAn input validation error is present in the Windows-based VMware \nHGFS.sys driver. Exploitation of this flaw might result in \narbitrary code execution on the guest system by an unprivileged \nguest user. It doesn't matter on what host the Windows guest OS \nis running, as this is a guest driver vulnerability and not a \nvulnerability on the host. \n \nThe HGFS.sys driver is present in the guest operating system if the \nVMware Tools package is loaded. Even if the host has HGFS disabled \nand has no shared folders, Windows-based guests may be affected. This \nis regardless if a host supports HGFS. \n \nThis issue could be mitigated by removing the VMware Tools package \nfrom Windows based guests. However this is not recommended as it \nwould impact usability of the product. \n \nNOTE: Installing the new hosted release or ESX patches will not \nremediate the issue. The VMware Tools packages will need \nto be updated on each Windows-based guest followed by a \nreboot of the guest system. \n \nVMware would like to thank iDefense and Stephen Fewer of Harmony \nSecurity for reporting this issue to us. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2007-5671 to this issue. 
\n \nVMware Product Running Replace with/ \nProduct Version on Apply Patch \n============ ======== ======= ================= \nWorkstation 6.x Windows not affected \nWorkstation 6.x Linux not affected \nWorkstation 5.x Windows 5.5.6 build 80404 or later \nWorkstation 5.x Linux 5.5.6 build 80404 or later \n \nPlayer 2.x Windows not affected \nPlayer 2.x Linux not affected \nPlayer 1.x Windows 1.0.6 build 80404 or later \nPlayer 1.x Linux 1.0.6 build 80404 or later \n \nACE 2.x Windows not affected \nACE 1.x Windows 1.0.5 build 79846 or later \n \nServer 1.x Windows 1.0.5 build 80187 or later \nServer 1.x Linux 1.0.5 build 80187 or later \n \nFusion 1.x Mac OS/X not affected \n \nESXi 3.5 ESXi not affected \n \nESX 3.5 ESX not affected \nESX 3.0.2 ESX ESX-1004727 \nESX 3.0.1 ESX ESX-1004186 \nESX 2.5.5 ESX ESX 2.5.5 upgrade patch 5 or later \nESX 2.5.4 ESX ESX 2.5.4 upgrade patch 16 or later \n\n", "cvss3": {}, "published": "2008-06-04T00:00:00", "type": "vmware", "title": "Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2008-0967", "CVE-2008-0063", "CVE-2008-0553", "CVE-2008-0948", "CVE-2008-0888", "CVE-2007-5378", "CVE-2006-1721", "CVE-2008-2097", "CVE-2007-4772", "CVE-2008-2100", "CVE-2007-5671", "CVE-2008-0062"], "modified": "2008-07-23T00:00:00", "id": "VMSA-2008-0009", "href": "https://www.vmware.com/security/advisories/VMSA-2008-0009.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-26T00:57:09", "description": "a. VMware Tools Local Privilege Escalation on Windows-based guest OS The VMware Tools Package provides support required for shared folders (HGFS) and other features. An input validation error is present in the Windows-based VMware HGFS.sys driver. 
Exploitation of this flaw might result in arbitrary code execution on the guest system by an unprivileged guest user. It doesn't matter on what host the Windows guest OS is running, as this is a guest driver vulnerability and not a vulnerability on the host. The HGFS.sys driver is present in the guest operating system if the VMware Tools package is loaded. Even if the host has HGFS disabled and has no shared folders, Windows-based guests may be affected. This is regardless if a host supports HGFS. This issue could be mitigated by removing the VMware Tools package from Windows based guests. However this is not recommended as it would impact usability of the product. NOTE: Installing the new hosted release or ESX patches will not remediate the issue. The VMware Tools packages will need to be updated on each Windows-based guest followed by a reboot of the guest system. VMware would like to thank iDefense and Stephen Fewer of Harmony Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5671 to this issue. 
VMware Product Running Replace with/ Product Version on Apply Patch ============ ======== ======= ================= Workstation 6.x Windows not affected Workstation 6.x Linux not affected Workstation 5.x Windows 5.5.6 build 80404 or later Workstation 5.x Linux 5.5.6 build 80404 or later Player 2.x Windows not affected Player 2.x Linux not affected Player 1.x Windows 1.0.6 build 80404 or later Player 1.x Linux 1.0.6 build 80404 or later ACE 2.x Windows not affected ACE 1.x Windows 1.0.5 build 79846 or later Server 1.x Windows 1.0.5 build 80187 or later Server 1.x Linux 1.0.5 build 80187 or later Fusion 1.x Mac OS/X not affected ESXi 3.5 ESXi not affected ESX 3.5 ESX not affected ESX 3.0.2 ESX ESX-1004727 ESX 3.0.1 ESX ESX-1004186 ESX 2.5.5 ESX ESX 2.5.5 upgrade patch 5 or later ESX 2.5.4 ESX ESX 2.5.4 upgrade patch 16 or later", "cvss3": {}, "published": "2008-06-04T00:00:00", "type": "vmware", "title": "Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-1721", "CVE-2007-4772", "CVE-2007-5378", "CVE-2007-5671", "CVE-2008-0062", "CVE-2008-0063", "CVE-2008-0553", "CVE-2008-0888", "CVE-2008-0948", "CVE-2008-0967", "CVE-2008-2097", "CVE-2008-2100"], "modified": "2008-07-23T00:00:00", "id": "VMSA-2008-0009.2", "href": "https://www.vmware.com/security/advisories/VMSA-2008-0009.2.html", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:11:53", "description": "### Background\n\nVMware Player, Server, and Workstation allow emulation of a complete PC on a PC without the usual performance overhead of most emulators. \n\n### Description\n\nMultiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. \n\nA remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console. \n\nFurthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo discontinued support for VMware Player. We recommend that users unmerge VMware Player: \n \n \n # emerge --unmerge \"app-emulation/vmware-player\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-player-3.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Workstation. We recommend that users unmerge VMware Workstation: \n \n \n # emerge --unmerge \"app-emulation/vmware-workstation\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-workstation-7.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Server. 
We recommend that users unmerge VMware Server: \n \n \n # emerge --unmerge \"app-emulation/vmware-server\"", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2012-09-29T00:00:00", "type": "gentoo", "title": "VMware Player, Server, Workstation: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-5269", "CVE-2007-5503", "CVE-2007-5671", "CVE-2008-0967", "CVE-2008-1340", "CVE-2008-1361", "CVE-2008-1362", "CVE-2008-1363", "CVE-2008-1364", "CVE-2008-1392", "CVE-2008-1447", "CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808", "CVE-2008-2098", "CVE-2008-2100", "CVE-2008-2101", "CVE-2008-4915", "CVE-2008-4916", "CVE-2008-4917", "CVE-2009-0040", "CVE-2009-0909", "CVE-2009-0910", "CVE-2009-1244", "CVE-2009-2267", "CVE-2009-3707", "CVE-2009-3732", "CVE-2009-3733", "CVE-2009-4811", "CVE-2010-1137", "CVE-2010-1138", "CVE-2010-1139", "CVE-2010-1140", "CVE-2010-1141", "CVE-2010-1142", "CVE-2010-1143", "CVE-2011-3868"], "modified": "2012-09-29T00:00:00", "id": "GLSA-201209-25", "href": "https://security.gentoo.org/glsa/201209-25", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}