VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)
2010-04-16T00:00:00
ID OPENVAS:801320 Type openvas Reporter Copyright (c) 2010 Greenbone Networks GmbH Modified 2017-02-21T00:00:00
Description
The host has VMware products installed and is prone to an
information disclosure vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_vmware_prdts_vmx_info_disc_vuln_win.nasl 5388 2017-02-21 15:13:30Z teissa $
#
# VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Report texts for this check. Each variable is handed to script_tag() in the
# description branch below. Line breaks inside the literals are part of the
# values.

# Consequence statement shown to the operator: disclosure of potentially
# sensitive information.
tag_impact = "Successful exploitation will allow attacker to disclose potentially sensitive
information.
Impact Level: System/Application";
# Remediation pointer: the vendor advisory VMSA-2010-0007.
tag_solution = "For Upgrades refer the below link,
http://www.vmware.com/security/advisories/VMSA-2010-0007.html";
# Affected products and the fixed version/build for each.
# NOTE(review): the checks further down compare version strings only
# ("3.0.0", "2.5".."2.5.3", ...); whether the KB values carry a build number
# is not visible here, so the build boundaries named in this text are not
# demonstrably enforced - confirm against the detection VT.
tag_affected = "VMware Server 2.x,
Vmware Player 3.0 before 3.0.1 build 227600,
VMware Player 2.5.x before 2.5.4 build 246459,
VMware Workstation 7.0 before 7.0.1 build 227600,
VMware Workstation 6.5.x before 6.5.4 build 246459 and
VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459";
# Root cause as described for CVE-2010-1138: host vmware-vmx memory can end up
# in network packets sent through the virtual networking stack.
tag_insight = "The flaw is due to error in 'virtual networking stack' when interacting between the
guest OS and host 'vmware-vmx' process, which allows attackers to obtain sensitive
information from memory on the host OS by examining received network packets.";
# One-line summary of the finding.
tag_summary = "The host is installed with VMWare products and are prone to
information disclosure vulnerability.";
# Metadata branch: runs only when `description` is set. It registers the
# plugin's identity, references and report tags, then exits before any of the
# version checks below are reached.
if(description)
{
  # Identity and revision bookkeeping.
  script_id(801320);
  script_name("VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)");
  script_version("$Revision: 5388 $");
  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
  script_family("General");
  script_category(ACT_GATHER_INFO);
  script_tag(name:"creation_date", value:"2010-04-16 16:17:26 +0200 (Fri, 16 Apr 2010)");
  script_tag(name:"last_modification", value:"$Date: 2017-02-21 16:13:30 +0100 (Tue, 21 Feb 2017) $");

  # Vulnerability identifiers and scoring (CVSS v2 base vector).
  script_cve_id("CVE-2010-1138");
  script_bugtraq_id(39395);
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  # External references.
  script_xref(name:"URL", value:"http://secunia.com/advisories/39215");
  script_xref(name:"URL", value:"http://secunia.com/advisories/39206");
  script_xref(name:"URL", value:"http://lists.vmware.com/pipermail/security-announce/2010/000090.html");

  # Scheduling: depends on the Windows VMware detection VT and on the KB key
  # that the run-time part of this script reads first.
  script_dependencies("gb_vmware_prdts_detect_win.nasl");
  script_require_keys("VMware/Win/Installed");

  # Report texts, taken from the tag_* variables defined above.
  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"solution_type", value:"VendorFix");

  # NOTE(review): qod_type "registry" suggests the finding is inferred from
  # version data collected by the detection VT rather than confirmed by
  # probing the flaw - read results as "version matches", and confirm.
  script_tag(name:"qod_type", value:"registry");

  exit(0);
}
include("version_func.inc");
# Nothing to evaluate unless the "VMware/Win/Installed" KB key is set.
vmwareInstalled = get_kb_item("VMware/Win/Installed");
if(!vmwareInstalled)
  exit(0);
# VMware Player: report when the recorded version is exactly 3.0.0 or falls in
# the range given to version_in_range (2.5 .. 2.5.3), then stop.
vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
if(vmplayerVer != NULL &&
   (version_is_equal(version:vmplayerVer, test_version:"3.0.0") ||
    version_in_range(version:vmplayerVer, test_version:"2.5", test_version2:"2.5.3")))
{
  security_message(0);
  exit(0);
}
# VMware Workstation: report when the recorded version is exactly 7.0.0 or
# falls in the range given to version_in_range (6.5 .. 6.5.3), then stop.
vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
if(vmworkstnVer != NULL &&
   (version_is_equal(version:vmworkstnVer, test_version:"7.0.0") ||
    version_in_range(version:vmworkstnVer, test_version:"6.5", test_version2:"6.5.3")))
{
  security_message(0);
  exit(0);
}
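# VMware ACE: report when the recorded version is exactly 2.6.0 or falls in
# the range given to version_in_range (2.5 .. 2.5.3), then stop.
aceVer = get_kb_item("VMware/ACE/Win/Ver");

# Fall back to the dormant-install key only when the primary key is empty.
# The key name contains a literal backslash; keep it byte-identical to what
# the detection VT writes (presumably gb_vmware_prdts_detect_win.nasl - verify).
if(!aceVer)
{
  aceVer = get_kb_item("VMware/ACE\Dormant/Win/Ver");
}

# Evaluate whichever value was found. This test must sit outside the fallback
# branch: nested inside it, a version read from the primary key would never be
# compared and an affected ACE install would go unreported.
if(aceVer)
{
  if(version_is_equal(version:aceVer, test_version:"2.6.0") ||
     version_in_range(version:aceVer, test_version:"2.5", test_version2:"2.5.3"))
  {
    security_message(0);
    exit(0);
  }
}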
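# VMware Server: the affected list names every 2.x release, so only the major
# version component is tested.
vmserVer = get_kb_item("VMware/Server/Win/Ver");
if(vmserVer)
{
  # Match "2" as the complete major component ("2" or "2.<rest>"). The dot is
  # escaped and the component is terminated so that a string merely starting
  # with the digit 2 (for example "20.1") does not raise a false positive.
  if(vmserVer =~ "^2(\.|$)"){
    security_message(0);
  }
}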
{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "General", "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "references": ["http://lists.vmware.com/pipermail/security-announce/2010/000090.html", "http://secunia.com/advisories/39215", "http://secunia.com/advisories/39206"], "description": "The host is installed with VMWare products and are prone to\n information disclosure vulnerability.", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "88e6c287df6df85a8a6117a49dd79426"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "description", "hash": "d6f919121a9e12319e7e8fa4f993a111"}, {"key": "href", "hash": "4658ca5e838830e191d6b0273b116a81"}, {"key": "modified", "hash": "7565f612f72abcf2c0cdd09cd5df5785"}, {"key": "naslFamily", "hash": "0db377921f4ce762c62526131097968f"}, {"key": "pluginID", "hash": "471b0aadcc2b575d11fb4239b5e2314b"}, {"key": "published", "hash": "efa29d12ffe48f719ed7f1a45c706152"}, {"key": "references", "hash": "054a9b37107aacc7ee516f30c2a60e0d"}, {"key": "reporter", "hash": "82db6d7eefdc19955bb78be9fb178ae1"}, {"key": "sourceData", "hash": "a1e0d6e713eb35a39e07ddb6672af2ea"}, {"key": "title", "hash": "adc02fa1e0134124e3e2afc12c0b8d1f"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=801320", "modified": "2017-02-21T00:00:00", "objectVersion": "1.3", "enchantments": {"score": {"value": 4.8, "vector": "NONE", "modified": "2017-07-02T21:09:51"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1138"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801321", "OPENVAS:1361412562310801320", "OPENVAS:801321", "OPENVAS:1361412562310103467", "OPENVAS:103467", "OPENVAS:136141256231072459", "OPENVAS:72459"]}, {"type": "nessus", "idList": ["VMWARE_MULTIPLE_VMSA_2010_0007.NASL", "VMWARE_VMSA-2010-0007.NASL", "GENTOO_GLSA-201209-25.NASL"]}, {"type": "securityvulns", 
"idList": ["SECURITYVULNS:DOC:23603", "SECURITYVULNS:VULN:10754"]}, {"type": "vmware", "idList": ["VMSA-2010-0007"]}, {"type": "gentoo", "idList": ["GLSA-201209-25"]}], "modified": "2017-07-02T21:09:51"}, "vulnersScore": 4.8}, "id": "OPENVAS:801320", "title": "VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)", "hash": "121e648d8e23b402774e31d300e050a2a58fc799c7e313a55138b90ae8ca3ee0", "edition": 1, "published": "2010-04-16T00:00:00", "type": "openvas", "history": [], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "cvelist": ["CVE-2010-1138"], "lastseen": "2017-07-02T21:09:51", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_vmx_info_disc_vuln_win.nasl 5388 2017-02-21 15:13:30Z teissa $\n#\n# VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to disclose potentially sensitive\n information.\n Impact Level: System/Application\";\ntag_solution = \"For Upgrades refer the below link,\n http://www.vmware.com/security/advisories/VMSA-2010-0007.html\";\n\ntag_affected = \"VMware Server 2.x,\n Vmware Player 3.0 before 3.0.1 build 227600,\n VMware Player 2.5.x before 2.5.4 build 246459,\n VMware Workstation 7.0 before 7.0.1 build 227600,\n VMware Workstation 6.5.x before 6.5.4 build 246459 and\n VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459\";\ntag_insight = \"The flaw is due to error in 'virtual networking stack' when interacting between the \n guest OS and host 'vmware-vmx' process, which allows attackers to obtain sensitive\n information from memory on the host OS by examining received network packets.\";\ntag_summary = \"The host is installed with VMWare products and are prone to\n information disclosure vulnerability.\";\n\nif(description)\n{\n script_id(801320);\n script_version(\"$Revision: 5388 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-21 16:13:30 +0100 (Tue, 21 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-16 16:17:26 +0200 (Fri, 16 Apr 2010)\");\n script_cve_id(\"CVE-2010-1138\");\n script_bugtraq_id(39395);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39215\");\n 
script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39206\");\n script_xref(name : \"URL\" , value : \"http://lists.vmware.com/pipermail/security-announce/2010/000090.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_require_keys(\"VMware/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Win/Installed\")){\n exit(0);\n}\n\n# Check for VMware Player\nvmplayerVer = get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_is_equal(version:vmplayerVer, test_version:\"3.0.0\") ||\n version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n\n#Check for VMware Workstation\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_is_equal(version:vmworkstnVer, test_version:\"7.0.0\") ||\n version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.3\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# VMware ACE\naceVer = get_kb_item(\"VMware/ACE/Win/Ver\");\nif(!aceVer)\n{\n aceVer = get_kb_item(\"VMware/ACE\\Dormant/Win/Ver\");\n if(aceVer)\n {\n if(version_is_equal(version:aceVer, test_version:\"2.6.0\") ||\n version_in_range(version:aceVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n\n# VMware Server\nvmserVer = 
get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message(0);\n }\n}\n", "pluginID": "801320"}
{"cve": [{"lastseen": "2019-05-29T18:10:26", "bulletinFamily": "NVD", "description": "The virtual networking stack in VMware Workstation 7.0 before 7.0.1 build 227600, VMware Workstation 6.5.x before 6.5.4 build 246459 on Windows, VMware Player 3.0 before 3.0.1 build 227600, VMware Player 2.5.x before 2.5.4 build 246459 on Windows, VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459, VMware Server 2.x, and VMware Fusion 3.0 before 3.0.1 build 232708 and 2.x before 2.0.7 build 246742 allows remote attackers to obtain sensitive information from memory on the host OS by examining received network packets, related to interaction between the guest OS and the host vmware-vmx process.", "modified": "2013-05-15T03:07:00", "id": "CVE-2010-1138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1138", "published": "2010-04-12T18:30:00", "title": "CVE-2010-1138", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:40:12", "bulletinFamily": "scanner", "description": "The host is installed with VMWare products and are prone to\n information disclosure vulnerability.", "modified": "2019-03-19T00:00:00", "published": "2010-04-16T00:00:00", "id": "OPENVAS:1361412562310801321", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801321", "title": "VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_vmx_info_disc_vuln_lin.nasl 14331 2019-03-19 14:03:05Z jschulte $\n#\n# VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms 
of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801321\");\n script_version(\"$Revision: 14331 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 15:03:05 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-16 16:17:26 +0200 (Fri, 16 Apr 2010)\");\n script_cve_id(\"CVE-2010-1138\");\n script_bugtraq_id(39395);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39215\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39206\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0007.html\");\n script_xref(name:\"URL\", value:\"http://lists.vmware.com/pipermail/security-announce/2010/000090.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to disclose potentially sensitive\n 
information.\");\n script_tag(name:\"affected\", value:\"VMware Server 2.x,\n Vmware Player 3.0 before 3.0.1 build 227600,\n VMware Player 2.5.x before 2.5.4 build 246459,\n VMware Workstation 7.0 before 7.0.1 build 227600,\n VMware Workstation 6.5.x before 6.5.4 build 246459 and\n VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459 on Linux\");\n script_tag(name:\"insight\", value:\"The flaw is due to error in 'virtual networking stack' when interacting between the\n guest OS and host 'vmware-vmx' process, which allows attackers to obtain sensitive\n information from memory on the host OS by examining received network packets.\");\n script_tag(name:\"summary\", value:\"The host is installed with VMWare products and are prone to\n information disclosure vulnerability.\");\n script_tag(name:\"solution\", value:\"Apply upgrades.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\nvmplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_is_equal(version:vmplayerVer, test_version:\"3.0.0\") ||\n version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_is_equal(version:vmworkstnVer, test_version:\"7.0.0\") ||\n version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message( port: 0, data: \"The target host was found 
to be vulnerable\" );\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:40:12", "bulletinFamily": "scanner", "description": "The host is installed with VMWare products and are prone to\n information disclosure vulnerability.", "modified": "2019-03-19T00:00:00", "published": "2010-04-16T00:00:00", "id": "OPENVAS:1361412562310801320", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801320", "title": "VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_vmx_info_disc_vuln_win.nasl 14331 2019-03-19 14:03:05Z jschulte $\n#\n# VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801320\");\n script_version(\"$Revision: 14331 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-19 15:03:05 +0100 (Tue, 19 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-16 16:17:26 +0200 (Fri, 16 Apr 2010)\");\n script_cve_id(\"CVE-2010-1138\");\n script_bugtraq_id(39395);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39215\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39206\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0007.html\");\n script_xref(name:\"URL\", value:\"http://lists.vmware.com/pipermail/security-announce/2010/000090.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to disclose potentially sensitive\n information.\");\n script_tag(name:\"affected\", value:\"VMware Server 2.x,\n Vmware Player 3.0 before 3.0.1 build 227600,\n VMware Player 2.5.x before 2.5.4 build 246459,\n VMware Workstation 7.0 before 7.0.1 build 227600,\n VMware Workstation 6.5.x before 6.5.4 build 246459 and\n VMware ACE 2.6 before 2.6.1 build 
227600 and 2.5.x before 2.5.4 build 246459\");\n script_tag(name:\"insight\", value:\"The flaw is due to error in 'virtual networking stack' when interacting between the\n guest OS and host 'vmware-vmx' process, which allows attackers to obtain sensitive\n information from memory on the host OS by examining received network packets.\");\n script_tag(name:\"summary\", value:\"The host is installed with VMWare products and are prone to\n information disclosure vulnerability.\");\n script_tag(name:\"solution\", value:\"Apply updates.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Win/Installed\")){\n exit(0);\n}\n\nvmplayerVer = get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_is_equal(version:vmplayerVer, test_version:\"3.0.0\") ||\n version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_is_equal(version:vmworkstnVer, test_version:\"7.0.0\") ||\n version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# VMware ACE\naceVer = get_kb_item(\"VMware/ACE/Win/Ver\");\nif(!aceVer)\n{\n aceVer = get_kb_item(\"VMware/ACE\\Dormant/Win/Ver\");\n if(aceVer)\n {\n if(version_is_equal(version:aceVer, test_version:\"2.6.0\") ||\n version_in_range(version:aceVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ 
\"^2.*\"){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-02T21:09:50", "bulletinFamily": "scanner", "description": "The host is installed with VMWare products and are prone to\n information disclosure vulnerability.", "modified": "2017-02-21T00:00:00", "published": "2010-04-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801321", "id": "OPENVAS:801321", "title": "VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_vmx_info_disc_vuln_lin.nasl 5388 2017-02-21 15:13:30Z teissa $\n#\n# VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to disclose potentially sensitive\n information.\n Impact Level: System/Application\";\ntag_solution = \"For Upgrades refer the below link,\n http://www.vmware.com/security/advisories/VMSA-2010-0007.html\";\n\ntag_affected = \"VMware Server 2.x,\n Vmware Player 3.0 before 3.0.1 build 227600,\n VMware Player 2.5.x before 2.5.4 build 246459,\n VMware Workstation 7.0 before 7.0.1 build 227600,\n VMware Workstation 6.5.x before 6.5.4 build 246459 and\n VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459 on Linux\";\ntag_insight = \"The flaw is due to error in 'virtual networking stack' when interacting between the \n guest OS and host 'vmware-vmx' process, which allows attackers to obtain sensitive\n information from memory on the host OS by examining received network packets.\";\ntag_summary = \"The host is installed with VMWare products and are prone to\n information disclosure vulnerability.\";\n\nif(description)\n{\n script_id(801321);\n script_version(\"$Revision: 5388 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-21 16:13:30 +0100 (Tue, 21 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-16 16:17:26 +0200 (Fri, 16 Apr 2010)\");\n script_cve_id(\"CVE-2010-1138\");\n script_bugtraq_id(39395);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"VMware Products 'vmware-vmx' Information Disclosure Vulnerability (Linux)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39215\");\n 
script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39206\");\n script_xref(name : \"URL\" , value : \"http://lists.vmware.com/pipermail/security-announce/2010/000090.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_require_keys(\"VMware/Linux/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\n# Check for VMware Player\nvmplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_is_equal(version:vmplayerVer, test_version:\"3.0.0\") ||\n version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.3\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n#Check for VMware Workstation\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_is_equal(version:vmworkstnVer, test_version:\"7.0.0\") ||\n version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.3\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message(0);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-10-30T10:47:49", "bulletinFamily": "scanner", "description": "The remote ESXi is missing one or more security related Updates from 
VMSA-2010-0007.\n\nSummary\nVMware hosted products, vCenter Server and ESX patches resolve multiple security issues\n\nRelevant releases\n\nVMware Workstation 7.0,\nVMware Workstation 6.5.3 and earlier,\nVMware Player 3.0,\nVMware Player 2.5.3 and earlier,\nVMware ACE 2.6,\nVMware ACE 2.5.3 and earlier,\nVMware Server 2.0.2 and earlier,\nVMware Fusion 3.0,\nVMware Fusion 2.0.6 and earlier,\nVMware VIX API for Windows 1.6.x,\nVMware ESXi 4.0 before patch ESXi400-201002402-BG\nVMware ESXi 3.5 before patch ESXe350-200912401-T-BG\nVMware ESX 4.0 without patches ESX400-201002401-BG, ESX400-200911223-UG\nVMware ESX 3.5 without patch ESX350-200912401-BG\nVMware ESX 3.0.3 without patch ESX303-201002203-UG\nVMware ESX 2.5.5 without Upgrade Patch 15.\n\nProblem Description\n\na. Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n A vulnerability in the way VMware libraries are referenced allows\n for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating\n Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to lure the user that is logged on a Windows Guest\n Operating System to click on the attacker's file on a network\n share. This file could be in any file format. The attacker will\n need to have the ability to host their malicious files on a\n network share.\n\nb. Windows-based VMware Tools Arbitrary Code Execution vulnerability\n\n A vulnerability in the way VMware executables are loaded allows for\n arbitrary code execution in the context of the logged on user. This\n vulnerability is present only on Windows Guest Operating Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the Virtual Machine of the user. 
On most\n recent versions of Windows (XP, Vista) the attacker would need to\n have administrator privileges to plant the malicious executable in\n the right location.\n\nc. Windows-based VMware Workstation and Player host privilege\n escalation\n\n A vulnerability in the USB service allows for a privilege\n escalation. A local attacker on the host of a Windows-based\n Operating System where VMware Workstation or VMware Player\n is installed could plant a malicious executable on the host and\n elevate their privileges.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the host machine. On most recent versions of\n Windows (XP, Vista) the attacker would need to have administrator\n privileges to plant the malicious executable in the right location.\n\nd. Third party library update for libpng to version 1.2.37\n\n The libpng libraries through 1.2.35 contain an uninitialized-\n memory-read bug that may have security implications.\n Specifically, 1-bit (2-color) interlaced images whose widths are\n not divisible by 8 may result in several uninitialized bits at the\n end of certain rows in certain interlace passes being returned to\n the user. An application that failed to mask these out-of-bounds\n pixels might display or process them, albeit presumably with benign\n results in most cases.\n\ne. VMware VMnc Codec heap overflow vulnerabilities\n\n The VMware movie decoder contains the VMnc media codec that is\n required to play back movies recorded with VMware Workstation,\n VMware Player and VMware ACE, in any compatible media player. 
The\n movie decoder is installed as part of VMware Workstation, VMware\n Player and VMware ACE, or can be downloaded as a stand alone\n package.\n\n Vulnerabilities in the decoder allow for execution of arbitrary\n code with the privileges of the user running an application\n utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into\n visiting a malicious web page or opening a malicious video file on\n a system that has the vulnerable version of the VMnc codec installed.\n\nf. VMware Remote Console format string vulnerability\n\n VMware Remote Console (VMrc) contains a format string vulnerability.\n Exploitation of this issue may lead to arbitrary code execution on\n the system where VMrc is installed.\n\n For an attack to be successful, an attacker would need to trick the\n VMrc user into opening a malicious Web page or following a malicious\n URL. Code execution would be at the privilege level of the user.\n\n VMrc is present on a system if the VMrc browser plug-in has been\n installed. This plug-in is required when using the console feature in\n WebAccess. Installation of the plug-in follows after visiting the\n console tab in WebAccess and choosing 'Install plug-in'. The plug-\n in can only be installed on Internet Explorer and Firefox.\n\n Under the following two conditions your version of VMrc is likely\n to be affected:\n\n - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0\n without patch ESX400-200911223-UG and\n - VMrc is installed on a Windows-based system\n\ng. Windows-based VMware authd remote denial of service\n\n A vulnerability in vmware-authd could cause a denial of service\n condition on Windows-based hosts. The denial of service is limited\n to a crash of authd.\n\nh. 
Potential information leak via hosted networking stack\n\n A vulnerability in the virtual networking stack of VMware hosted\n products could allow host information disclosure.\n\n A guest operating system could send memory from the host vmware-vmx\n process to the virtual network adapter and potentially to the\n host's physical Ethernet wire.\n\ni. Linux-based vmrun format string vulnerability\n\n A format string vulnerability in vmrun could allow arbitrary code\n execution.\n\n If a vmrun command is issued and processes are listed, code could\n be executed in the context of the user listing the processes.\n\nSolution\nApply the missing patch(es).", "modified": "2017-10-26T00:00:00", "published": "2012-04-16T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=103467", "id": "OPENVAS:103467", "title": "VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2010-0007.nasl 7583 2017-10-26 12:07:01Z cfischer $\n#\n# VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"The remote ESXi is missing one or more security related Updates from VMSA-2010-0007.\n\nSummary\nVMware hosted products, vCenter Server and ESX patches resolve multiple security issues\n\nRelevant releases\n\nVMware Workstation 7.0,\nVMware Workstation 6.5.3 and earlier,\nVMware Player 3.0,\nVMware Player 2.5.3 and earlier,\nVMware ACE 2.6,\nVMware ACE 2.5.3 and earlier,\nVMware Server 2.0.2 and earlier,\nVMware Fusion 3.0,\nVMware Fusion 2.0.6 and earlier,\nVMware VIX API for Windows 1.6.x,\nVMware ESXi 4.0 before patch ESXi400-201002402-BG\nVMware ESXi 3.5 before patch ESXe350-200912401-T-BG\nVMware ESX 4.0 without patches ESX400-201002401-BG, ESX400-200911223-UG\nVMware ESX 3.5 without patch ESX350-200912401-BG\nVMware ESX 3.0.3 without patch ESX303-201002203-UG\nVMware ESX 2.5.5 without Upgrade Patch 15.\n\nProblem Description\n\na. Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n A vulnerability in the way VMware libraries are referenced allows\n for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating\n Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to lure the user that is logged on a Windows Guest\n Operating System to click on the attacker's file on a network\n share. This file could be in any file format. The attacker will\n need to have the ability to host their malicious files on a\n network share.\n\nb. 
Windows-based VMware Tools Arbitrary Code Execution vulnerability\n\n A vulnerability in the way VMware executables are loaded allows for\n arbitrary code execution in the context of the logged on user. This\n vulnerability is present only on Windows Guest Operating Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the Virtual Machine of the user. On most\n recent versions of Windows (XP, Vista) the attacker would need to\n have administrator privileges to plant the malicious executable in\n the right location.\n\nc. Windows-based VMware Workstation and Player host privilege\n escalation\n\n A vulnerability in the USB service allows for a privilege\n escalation. A local attacker on the host of a Windows-based\n Operating System where VMware Workstation or VMware Player\n is installed could plant a malicious executable on the host and\n elevate their privileges.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the host machine. On most recent versions of\n Windows (XP, Vista) the attacker would need to have administrator\n privileges to plant the malicious executable in the right location.\n\nd. Third party library update for libpng to version 1.2.37\n\n The libpng libraries through 1.2.35 contain an uninitialized-\n memory-read bug that may have security implications.\n Specifically, 1-bit (2-color) interlaced images whose widths are\n not divisible by 8 may result in several uninitialized bits at the\n end of certain rows in certain interlace passes being returned to\n the user. An application that failed to mask these out-of-bounds\n pixels might display or process them, albeit presumably with benign\n results in most cases.\n\ne. 
VMware VMnc Codec heap overflow vulnerabilities\n\n The VMware movie decoder contains the VMnc media codec that is\n required to play back movies recorded with VMware Workstation,\n VMware Player and VMware ACE, in any compatible media player. The\n movie decoder is installed as part of VMware Workstation, VMware\n Player and VMware ACE, or can be downloaded as a stand alone\n package.\n\n Vulnerabilities in the decoder allow for execution of arbitrary\n code with the privileges of the user running an application\n utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into\n visiting a malicious web page or opening a malicious video file on\n a system that has the vulnerable version of the VMnc codec installed.\n\nf. VMware Remote Console format string vulnerability\n\n VMware Remote Console (VMrc) contains a format string vulnerability.\n Exploitation of this issue may lead to arbitrary code execution on\n the system where VMrc is installed.\n\n For an attack to be successful, an attacker would need to trick the\n VMrc user into opening a malicious Web page or following a malicious\n URL. Code execution would be at the privilege level of the user.\n\n VMrc is present on a system if the VMrc browser plug-in has been\n installed. This plug-in is required when using the console feature in\n WebAccess. Installation of the plug-in follows after visiting the\n console tab in WebAccess and choosing 'Install plug-in'. The plug-\n in can only be installed on Internet Explorer and Firefox.\n\n Under the following two conditions your version of VMrc is likely\n to be affected:\n\n - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0\n without patch ESX400-200911223-UG and\n - VMrc is installed on a Windows-based system\n\ng. Windows-based VMware authd remote denial of service\n\n A vulnerability in vmware-authd could cause a denial of service\n condition on Windows-based hosts. 
The denial of service is limited\n to a crash of authd.\n\nh. Potential information leak via hosted networking stack\n\n A vulnerability in the virtual networking stack of VMware hosted\n products could allow host information disclosure.\n\n A guest operating system could send memory from the host vmware-vmx\n process to the virtual network adapter and potentially to the\n host's physical Ethernet wire.\n\ni. Linux-based vmrun format string vulnerability\n\n A format string vulnerability in vmrun could allow arbitrary code\n execution.\n\n If a vmrun command is issued and processes are listed, code could\n be executed in the context of the user listing the processes.\n\nSolution\nApply the missing patch(es).\";\n\n\nif (description)\n{\n script_id(103467);\n script_cve_id(\"CVE-2010-1142\", \"CVE-2010-1140\", \"CVE-2009-2042\", \"CVE-2009-1564\", \"CVE-2009-1565\", \"CVE-2009-3732\", \"CVE-2009-3707\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1141\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 7583 $\");\n script_name(\"VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues\");\n\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-26 14:07:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-16 10:53:01 +0100 (Mon, 16 Apr 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\",\"VMware/ESX/version\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : 
\"http://www.vmware.com/security/advisories/VMSA-2010-0007.html\");\n exit(0);\n}\n\ninclude(\"version_func.inc\"); # Used in _esxi_patch_missing()\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item('VMware/ESXi/LSC'))exit(0);\nif(! esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\n\npatches = make_array(\"4.0.0\",\"ESXi400-201002402-BG\");\n\nif(!patches[esxVersion])exit(0);\n\nif(_esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n\n security_message(port:0);\n exit(0);\n\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-12T15:45:19", "bulletinFamily": "scanner", "description": "The remote ESXi is missing one or more security related Updates from VMSA-2010-0007.", "modified": "2019-12-11T00:00:00", "published": "2012-04-16T00:00:00", "id": "OPENVAS:1361412562310103467", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103467", "title": "VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103467\");\n script_cve_id(\"CVE-2010-1142\", \"CVE-2010-1140\", \"CVE-2009-2042\", \"CVE-2009-1564\", \"CVE-2009-1565\",\n \"CVE-2009-3732\", \"CVE-2009-3707\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1141\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-11T11:53:58+0000\");\n script_name(\"VMSA-2010-0007: VMware hosted products, vCenter Server and ESX patches resolve multiple security issues\");\n script_tag(name:\"last_modification\", value:\"2019-12-11 11:53:58 +0000 (Wed, 11 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-04-16 10:53:01 +0100 (Mon, 16 Apr 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0007.html\");\n\n script_tag(name:\"summary\", value:\"The remote ESXi is missing one or more security related Updates from VMSA-2010-0007.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 7.0,\n\n VMware Workstation 6.5.3 and earlier,\n\n VMware Player 3.0,\n\n VMware Player 2.5.3 and earlier,\n\n VMware ACE 2.6,\n\n VMware ACE 2.5.3 and earlier,\n\n VMware Server 2.0.2 and earlier,\n\n VMware Fusion 3.0,\n\n VMware Fusion 2.0.6 and earlier,\n\n VMware VIX API for Windows 
1.6.x,\n\n VMware ESXi 4.0 before patch ESXi400-201002402-BG\n\n VMware ESXi 3.5 before patch ESXe350-200912401-T-BG\n\n VMware ESX 4.0 without patches ESX400-201002401-BG, ESX400-200911223-UG\n\n VMware ESX 3.5 without patch ESX350-200912401-BG\n\n VMware ESX 3.0.3 without patch ESX303-201002203-UG\n\n VMware ESX 2.5.5 without Upgrade Patch 15.\");\n\n script_tag(name:\"impact\", value:\"a. Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n In order for an attacker to exploit the vulnerability, the attacker would need to lure the user that is logged on a Windows Guest\n Operating System to click on the attacker's file on a network share. This file could be in any file format. The attacker will need\n to have the ability to host their malicious files on a network share.\n\n b. Windows-based VMware Tools Arbitrary Code Execution vulnerability\n\n In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a\n certain location on the Virtual Machine of the user. On most recent versions of Windows (XP, Vista) the attacker would need to have\n administrator privileges to plant the malicious executable in the right location.\n\n c. Windows-based VMware Workstation and Player host privilege escalation\n\n In order for an attacker to exploit the vulnerability, the attacker would need to be able to plant their malicious executable in a\n certain location on the host machine. On most recent versions of Windows (XP, Vista) the attacker would need to have administrator\n privileges to plant the malicious executable in the right location.\n\n e. 
VMware VMnc Codec heap overflow vulnerabilities\n\n Vulnerabilities in the decoder allow for execution of arbitrary code with the privileges of the user running an application\n utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on\n a system that has the vulnerable version of the VMnc codec installed.\n\n f. VMware Remote Console format string vulnerability\n\n For an attack to be successful, an attacker would need to trick the VMrc user into opening a malicious Web page or following a malicious\n URL. Code execution would be at the privilege level of the user.\n\n h. Potential information leak via hosted networking stack\n\n A guest operating system could send memory from the host vmware-vmx process to the virtual network adapter and potentially to the\n host's physical Ethernet wire.\n\n i. Linux-based vmrun format string vulnerability\n\n If a vmrun command is issued and processes are listed, code could be executed in the context of the user listing the processes.\");\n\n script_tag(name:\"insight\", value:\"VMware hosted products, vCenter Server and ESX patches resolve multiple security issues:\n\n a. Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating Systems.\n\n b. Windows-based VMware Tools Arbitrary Code Execution vulnerability\n\n A vulnerability in the way VMware executables are loaded allows for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating Systems.\n\n c. Windows-based VMware Workstation and Player host privilege escalation\n\n A vulnerability in the USB service allows for a privilege escalation. 
A local attacker on the host of a Windows-based Operating\n System where VMware Workstation or VMware Player is installed could plant a malicious executable on the host and elevate their\n privileges.\n\n d. Third party library update for libpng to version 1.2.37\n\n The libpng libraries through 1.2.35 contain an uninitialized-memory-read bug that may have security implications. Specifically,\n 1-bit (2-color) interlaced images whose widths are not divisible by 8 may result in several uninitialized bits at the end of\n certain rows in certain interlace passes being returned to the user. An application that failed to mask these out-of-bounds\n pixels might display or process them, albeit presumably with benign results in most cases.\n\n e. VMware VMnc Codec heap overflow vulnerabilities\n\n f. VMware Remote Console format string vulnerability\n\n VMware Remote Console (VMrc) contains a format string vulnerability. Exploitation of this issue may lead to arbitrary code execution on\n the system where VMrc is installed.\n\n Under the following two conditions your version of VMrc is likely to be affected:\n\n - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0 without patch ESX400-200911223-UG and\n\n - VMrc is installed on a Windows-based system\n\n g. Windows-based VMware authd remote denial of service\n\n A vulnerability in vmware-authd could cause a denial of service condition on Windows-based hosts. The denial of service is limited\n to a crash of authd.\n\n h. Potential information leak via hosted networking stack\n\n A vulnerability in the virtual networking stack of VMware hosted products could allow host information disclosure.\n\n i. 
Linux-based vmrun format string vulnerability\n\n A format string vulnerability in vmrun could allow arbitrary code execution.\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"4.0.0\", \"ESXi400-201002402-BG\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:03", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "modified": "2018-10-12T00:00:00", "published": "2012-10-03T00:00:00", "id": "OPENVAS:136141256231072459", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072459", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201209_25.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72459\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 
2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\");\n script_tag(name:\"solution\", value:\"Gentoo discontinued support for VMware Player. We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n\n\nNOTE: Users could upgrade to > =app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n\n\nNOTE: Users could upgrade to > =app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=213548\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=224637\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=236167\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=245941\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=265139\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=282213\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=297367\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=335866\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=385727\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2017-07-24T12:51:01", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "modified": "2017-07-07T00:00:00", "published": "2012-10-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=72459", "id": "OPENVAS:72459", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "type": "openvas", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\";\ntag_solution = \"Gentoo discontinued support for VMware Player. 
We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n \n\nNOTE: Users could upgrade to > =app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n \n\nNOTE: Users could upgrade to > =app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\nhttp://bugs.gentoo.org/show_bug.cgi?id=213548\nhttp://bugs.gentoo.org/show_bug.cgi?id=224637\nhttp://bugs.gentoo.org/show_bug.cgi?id=236167\nhttp://bugs.gentoo.org/show_bug.cgi?id=245941\nhttp://bugs.gentoo.org/show_bug.cgi?id=265139\nhttp://bugs.gentoo.org/show_bug.cgi?id=282213\nhttp://bugs.gentoo.org/show_bug.cgi?id=297367\nhttp://bugs.gentoo.org/show_bug.cgi?id=335866\nhttp://bugs.gentoo.org/show_bug.cgi?id=385727\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\";\n\n \n \nif(description)\n{\n script_id(72459);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", 
\"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 6593 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:18:14 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-12-13T09:57:51", "bulletinFamily": 
"scanner", "description": "A VMware product (Player, Workstation, or Movie Decoder) detected on\nthe remote host has one or more of the following vulnerabilities :\n\n - The VMnc media codec has multiple heap overflow\n vulnerabilities. A remote attacker could exploit these\n issues by tricking a user into requesting a malicious\n web page or opening a malicious file.\n (CVE-2009-1564, CVE-2009-1565)\n\n - A flaw in the 3rd party libpng library could allow an\n attacker to read sensitive portions of memory.\n (CVE-2009-2042)\n\n - A flaw in vmware-authd could lead to a denial of service\n service on Windows-based hosts. (CVE-2009-3707)\n\n - A format string vulnerability exists in the VMware\n Remote\n Console Plug-in. A remote attacker could exploit this\n by tricking a user into requesting a malicious web\n page, resulting in arbitrary code execution.\n (CVE-2009-3732)\n\n - A flaw in the virtual networking stack could result in\n an information leak, causing memory from a guest VM to\n be sent to host", "modified": "2019-12-02T00:00:00", "id": "VMWARE_MULTIPLE_VMSA_2010_0007.NASL", "href": "https://www.tenable.com/plugins/nessus/45541", "published": "2010-04-15T00:00:00", "title": "VMware Products Multiple Vulnerabilities (VMSA-2010-0007)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(45541);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2009-1564\",\n \"CVE-2009-1565\",\n \"CVE-2009-2042\",\n \"CVE-2009-3707\",\n \"CVE-2009-3732\",\n \"CVE-2010-1138\",\n \"CVE-2010-1140\",\n \"CVE-2010-1141\",\n \"CVE-2010-1142\"\n );\n script_bugtraq_id(39345, 39363, 39364, 39392, 39394, 39395, 39396, 39397);\n script_xref(name:\"VMSA\", value:\"2010-0007\");\n script_xref(name:\"IAVA\", value:\"2010-A-0066\");\n script_xref(name:\"Secunia\", value:\"36712\");\n script_xref(name:\"Secunia\", value:\"39206\");\n\n 
script_name(english:\"VMware Products Multiple Vulnerabilities (VMSA-2010-0007)\");\n script_summary(english:\"Checks vulnerable versions of VMware products\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a virtualization application affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"A VMware product (Player, Workstation, or Movie Decoder) detected on\nthe remote host has one or more of the following vulnerabilities :\n\n - The VMnc media codec has multiple heap overflow\n vulnerabilities. A remote attacker could exploit these\n issues by tricking a user into requesting a malicious\n web page or opening a malicious file.\n (CVE-2009-1564, CVE-2009-1565)\n\n - A flaw in the 3rd party libpng library could allow an\n attacker to read sensitive portions of memory.\n (CVE-2009-2042)\n\n - A flaw in vmware-authd could lead to a denial of service\n on Windows-based hosts. (CVE-2009-3707)\n\n - A format string vulnerability exists in the VMware\n Remote\n Console Plug-in. A remote attacker could exploit this\n by tricking a user into requesting a malicious web\n page, resulting in arbitrary code execution.\n (CVE-2009-3732)\n\n - A flaw in the virtual networking stack could result in\n an information leak, causing memory from a guest VM to\n be sent to host's physical network. (CVE-2010-1138)\n\n - A vulnerability in the USB service allows a local\n attacker to elevate privileges by placing a malicious\n file in a certain location. This vulnerability only\n affects Workstation and Player installed on Windows.\n (CVE-2010-1140)\n\n - A flaw in the way VMware libraries are referenced could\n allow a remote attacker to execute arbitrary code in a\n guest Windows VM by tricking a user into requesting a\n malicious file. 
(CVE-2010-1141)\n\n - A flaw in the way VMware executables are loaded could\n allow a malicious user to execute arbitrary code in a\n guest Windows VM by planting a malicious file in a\n certain location. (CVE-2010-1142)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-36/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://secuniaresearch.flexerasoftware.com/secunia_research/2009-37/\");\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=866\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8db51821\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.acrossecurity.com/aspr/ASPR-2010-04-12-1-PUB.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"http://web.archive.org/web/20160305233340/http://dsecrg.com/pages/vul/show.php?id=153\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2010/Apr/76\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2010-0007.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to :\n\n - VMware Workstation 6.5.4 / 7.0.1 or later.\n - VMware Player 2.5.4 / 3.0.1 or later.\n - VMware Movie Decoder (standalone) 6.5.4 or later.\n - VMware Remote Console Plug-in latest version\n (refer to the advisory for instructions)\n\nIn addition to patching, VMware Tools must be updated on all guest VMs\nin order to completely mitigate certain vulnerabilities. 
Refer to the\nVMware advisory for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(134, 200);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vmware_player\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_workstation\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"vmware_workstation_detect.nasl\", \"vmware_player_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"audit.inc\");\n\nport = kb_smb_transport();\nreport = \"\";\nvuln = NULL;\n\ncommonfiles = hotfix_get_commonfilesdir();\nif (!commonfiles) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');\n\n# Check if VMware Remote Console Plug-in / Movie Decoder are installed\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\n\nvmrc_installed = FALSE;\ndecoder_installed = FALSE;\nforeach name (list)\n{\n if (name == 'VMware Remote Console 
Plug-in')\n vmrc_installed = TRUE;\n\n if (name == 'VMware Movie Decoder')\n decoder_installed = TRUE;\n}\n\n# Check for VMware Workstation\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n\n if (( int(v[0]) < 6 ) ||\n ( int(v[0]) == 6 && int(v[1]) < 5) ||\n ( int(v[0]) == 6 && int(v[1]) == 5 && int(v[2]) < 4)\n )\n {\n vuln = TRUE;\n\n report =\n '\\n Product : VMware Workstation'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 6.5.4\\n';\n }\n else if (int(v[0]) == 7 && int(v[1]) == 0 && int(v[2]) < 1)\n {\n vuln = TRUE;\n\n report =\n '\\n Product : VMware Workstation'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 7.0.1\\n';\n }\n else if (isnull(vuln)) vuln = FALSE;\n}\nelse if (decoder_installed)\n{\n # If Workstation is not installed, check if the standalone Movie Decoder is\n # present and vulnerable\n if (!is_accessible_share()) exit(1, \"is_accessible_share() failed.\");\n\n if (hotfix_is_vulnerable(file:\"vmnc.dll\", version:\"6.5.4\", dir:\"\\system32\"))\n {\n vuln = TRUE;\n hf_report = split(hotfix_get_report(), sep:'\\n', keep:FALSE);\n report = '\\n Product : VMware Movie Decoder'+\n '\\n ' + hf_report[1]+\n '\\n ' + hf_report[2]+'\\n';\n }\n\n hotfix_check_fversion_end();\n}\n\n# Check for VMware Player\nversion = get_kb_item(\"VMware/Player/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n if (( int(v[0]) < 2 ) ||\n ( int(v[0]) == 2 && int(v[1]) < 5) ||\n ( int(v[0]) == 2 && int(v[1]) == 5 && int(v[2]) < 4)\n )\n {\n vuln = TRUE;\n report +=\n '\\n Product : VMware Player'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 2.5.4\\n';\n }\n else if (int(v[0]) == 3 && int(v[1]) == 0 && int(v[2]) < 1)\n {\n vuln = TRUE;\n report +=\n '\\n Product : VMware Player'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 3.0.1\\n';\n }\n else if (isnull(vuln)) vuln = FALSE;\n}\n\n# Check VMware Remote Console 
Plug-in\nif (vmrc_installed)\n{\n name = kb_smb_name();\n port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n # Didn't find install location in the registry anywhere, but it appears to\n # always be installed in the common files dir\n path = commonfiles+\"\\VMware\\VMware Remote Console Plug-in\";\n share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:\"\\1$\", string:path);\n exe = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\vmware-vmrc.exe\", string:path);\n\n if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, \"Can't connect to \"+share+\" share.\");\n }\n\n fh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n # Grab the version number if the file was opened successfully. Otherwise,\n # display a debug message but don't bail out\n if (fh)\n {\n ver = GetProductVersion(handle:fh);\n CloseFile(handle:fh);\n NetUseDel();\n }\n else\n {\n NetUseDel();\n exit(1, \"Error opening '\"+path+\"'.\");\n }\n\n # According to the advisory this is the only version that's affected,\n # but it doesn't mention what the latest/fixed version is\n if (ver && ver == 'e.x.p build-158248')\n {\n report +=\n '\\n Product : VMware Remote Console Plug-in'+\n '\\n Installed version : '+ver+'\\n';\n }\n else if (isnull(vuln)) vuln = FALSE;\n}\n\nif (isnull(vuln)) exit(0, \"No VMware products were detected on this host.\");\nif (!vuln) exit(0, \"The host is not affected.\");\n\nif (report_verbosity > 0)\n security_hole(port:port, extra:report);\nelse\n security_hole();\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:57:36", "bulletinFamily": "scanner", "description": "a. 
Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n A vulnerability in the way VMware libraries are referenced allows\n for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating\n Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to lure the user that is logged on a Windows Guest\n Operating System to click on the attacker", "modified": "2019-12-02T00:00:00", "id": "VMWARE_VMSA-2010-0007.NASL", "href": "https://www.tenable.com/plugins/nessus/56246", "published": "2011-09-21T00:00:00", "title": "VMSA-2010-0007 : VMware hosted products, vCenter Server and ESX patches resolve multiple security issues", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2010-0007. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(56246);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2009-1564\", \"CVE-2009-1565\", \"CVE-2009-2042\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-4811\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\");\n script_bugtraq_id(35233, 36630, 39395, 39396);\n script_xref(name:\"VMSA\", value:\"2010-0007\");\n script_xref(name:\"IAVA\", value:\"2010-A-0066\");\n\n script_name(english:\"VMSA-2010-0007 : VMware hosted products, vCenter Server and ESX patches resolve multiple security issues\");\n script_summary(english:\"Checks esxupdate output for the patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote VMware ESX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. 
Windows-based VMware Tools Unsafe Library Loading vulnerability\n\n A vulnerability in the way VMware libraries are referenced allows\n for arbitrary code execution in the context of the logged on user.\n This vulnerability is present only on Windows Guest Operating\n Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to lure the user that is logged on a Windows Guest\n Operating System to click on the attacker's file on a network\n share. This file could be in any file format. The attacker will\n need to have the ability to host their malicious files on a\n network share.\n\n VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS\n Security (http://www.acrossecurity.com) for reporting this issue\n to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-1141 to this issue.\n\n Steps needed to remediate this vulnerability :\n\n Guest systems on VMware Workstation, Player, ACE, Server, Fusion\n - Install the remediated version of Workstation, Player, ACE,\n Server and Fusion.\n - Upgrade tools in the virtual machine (virtual machine users\n will be prompted to upgrade).\n\n Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5\n - Install the relevant patches (see below for patch identifiers)\n - Manually upgrade tools in the virtual machine (virtual machine\n users will not be prompted to upgrade). Note the VI Client will\n not show the VMware tools is out of date in the summary tab.\n Please see http://tinyurl.com/27mpjo page 80 for details.\n\nb. Windows-based VMware Tools Arbitrary Code Execution vulnerability\n\n A vulnerability in the way VMware executables are loaded allows for\n arbitrary code execution in the context of the logged on user. 
This\n vulnerability is present only on Windows Guest Operating Systems.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the Virtual Machine of the user. On most\n recent versions of Windows (XP, Vista) the attacker would need to\n have administrator privileges to plant the malicious executable in\n the right location.\n\n Steps needed to remediate this vulnerability: See section 3.a.\n\n VMware would like to thank Mitja Kolsek of ACROS Security\n (http://www.acrossecurity.com) for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-1142 to this issue.\n\n Refer to the previous table in section 3.a for what action\n remediates the vulnerability (column 4) if a solution is\n available. See above for remediation details.\n\nc. Windows-based VMware Workstation and Player host privilege\n escalation\n\n A vulnerability in the USB service allows for a privilege\n escalation. A local attacker on the host of a Windows-based\n Operating System where VMware Workstation or VMware Player\n is installed could plant a malicious executable on the host and\n elevate their privileges.\n\n In order for an attacker to exploit the vulnerability, the attacker\n would need to be able to plant their malicious executable in a\n certain location on the host machine. On most recent versions of\n Windows (XP, Vista) the attacker would need to have administrator\n privileges to plant the malicious executable in the right location.\n\n VMware would like to thank Thierry Zoller for reporting this issue\n to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-1140 to this issue.\n\nd. 
Third-party library update for libpng to version 1.2.37\n\n The libpng libraries through 1.2.35 contain an uninitialized-\n memory-read bug that may have security implications.\n Specifically, 1-bit (2-color) interlaced images whose widths are\n not divisible by 8 may result in several uninitialized bits at the\n end of certain rows in certain interlace passes being returned to\n the user. An application that failed to mask these out-of-bounds\n pixels might display or process them, albeit presumably with benign\n results in most cases.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2009-2042 to this issue.\n\ne. VMware VMnc Codec heap overflow vulnerabilities\n\n The VMware movie decoder contains the VMnc media codec that is\n required to play back movies recorded with VMware Workstation,\n VMware Player and VMware ACE, in any compatible media player. The\n movie decoder is installed as part of VMware Workstation, VMware\n Player and VMware ACE, or can be downloaded as a stand alone\n package.\n\n Vulnerabilities in the decoder allow for execution of arbitrary\n code with the privileges of the user running an application\n utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into\n visiting a malicious web page or opening a malicious video file on\n a system that has the vulnerable version of the VMnc codec installed.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the names CVE-2009-1564 and CVE-2009-1565 to these\n issues.\n\n VMware would like to thank iDefense, Sebastien Renaud of VUPEN\n Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop\n of Secunia Research for reporting these issues to us.\n\n To remediate the above issues either install the stand alone movie\n decoder or update your product using the table below.\n\nf. 
VMware Remote Console format string vulnerability\n\n VMware Remote Console (VMrc) contains a format string vulnerability.\n Exploitation of this issue may lead to arbitrary code execution on\n the system where VMrc is installed.\n\n For an attack to be successful, an attacker would need to trick the\n VMrc user into opening a malicious Web page or following a malicious\n URL. Code execution would be at the privilege level of the user.\n\n VMrc is present on a system if the VMrc browser plug-in has been\n installed. This plug-in is required when using the console feature in\n WebAccess. Installation of the plug-in follows after visiting the\n console tab in WebAccess and choosing 'Install plug-in'. The plug-\n in can only be installed on Internet Explorer and Firefox.\n\n Under the following two conditions your version of VMrc is likely\n to be affected :\n\n - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0\n without patch ESX400-200911223-UG and\n - VMrc is installed on a Windows-based system\n\n The following steps allow you to determine if you have an affected\n version of VMrc installed :\n\n - Locate the VMrc executable vmware-vmrc.exe on your Windows-based\n system\n - Right click and go to Properties\n - Go to the tab 'Versions'\n - Click 'File Version' in the 'Item Name' window\n - If the 'Value' window shows 'e.x.p build-158248', the version of\n VMrc is affected\n\n Remediation of this issue on Windows-based systems requires the\n following steps (Linux-based systems are not affected) :\n\n - Uninstall affected versions of VMrc from the systems where the\n VMrc plug-in has been installed (use the Windows Add/Remove\n Programs interface)\n - Install vCenter 4.0 Update 1 or install the ESX 4.0 patch\n ESX400-200911223-UG\n - Login into vCenter 4.0 Update 1 or ESX 4.0 with patch\n ESX400-200911223-UG using WebAccess on the system where the VMrc\n needs to be re-installed\n - Re-install VMrc by going to the console tab in WebAccess. 
The\n Console tab is selectable after selecting a virtual machine.\n\n Note: the VMrc plug-in for Firefox on Windows-based operating\n systems is no longer compatible after the above remediation steps.\n Users are advised to use the Internet Explorer VMrc plug-in.\n\n VMware would like to thank Alexey Sintsov from Digital Security\n Research Group for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2009-3732 to this issue.\n\n\ng. Windows-based VMware authd remote denial of service\n\n A vulnerability in vmware-authd could cause a denial of service\n condition on Windows-based hosts. The denial of service is limited\n to a crash of authd.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2009-3707 to this issue.\n\nh. Potential information leak via hosted networking stack\n\n A vulnerability in the virtual networking stack of VMware hosted\n products could allow host information disclosure.\n\n A guest operating system could send memory from the host vmware-vmx\n process to the virtual network adapter and potentially to the\n host's physical Ethernet wire.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2010-1138 to this issue.\n\n VMware would like to thank Johann MacDonagh for reporting this\n issue to us.\n\ni. 
Linux-based vmrun format string vulnerability\n\n A format string vulnerability in vmrun could allow arbitrary code\n execution.\n\n If a vmrun command is issued and processes are listed, code could\n be executed in the context of the user listing the processes.\n\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\n has assigned the name CVE-2010-1139 to this issue.\n\n VMware would like to thank Thomas Toth-Steiner for reporting this\n issue to us.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2010/000091.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(134, 200);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:2.5.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.0.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/09/21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", 
\"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2010-04-09\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESX 2.5.5\", patch:\"15\")) flag++;\n\nif (esx_check(ver:\"ESX 3.0.3\", patch:\"ESX303-201002203-UG\")) flag++;\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-200911223-UG\",\n patch_updates : make_list(\"ESX400-Update01a\", \"ESX400-Update02\", \"ESX400-Update03\", \"ESX400-Update04\")\n )\n) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T07:33:34", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201209-25\n(VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server,\n and Workstation. Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Local users may be able to gain escalated privileges, cause a Denial of\n Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file,\n possibly resulting in the remote execution of arbitrary code, or a Denial\n of Service. 
Remote attackers also may be able to spoof DNS traffic, read\n arbitrary files, or inject arbitrary web script to the VMware Server\n Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the\n host OS, gain escalated privileges on the guest OS, or cause a Denial of\n Service (crash the host OS).\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-201209-25.NASL", "href": "https://www.tenable.com/plugins/nessus/62383", "published": "2012-10-01T00:00:00", "title": "GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201209-25.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(62383);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_bugtraq_id(25956, 26650, 28276, 28289, 29444, 29552, 29557, 29637, 29639, 29640, 29641, 30131, 30937, 32168, 32597, 33827, 33990, 34373, 34471, 36630, 36841, 36842, 39104, 39392, 39394, 39395, 39396, 39397, 39407, 39949, 49942);\n script_xref(name:\"GLSA\", value:\"201209-25\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201209-25\n(VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server,\n and Workstation. 
Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Local users may be able to gain escalated privileges, cause a Denial of\n Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file,\n possibly resulting in the remote execution of arbitrary code, or a Denial\n of Service. Remote attackers also may be able to spoof DNS traffic, read\n arbitrary files, or inject arbitrary web script to the VMware Server\n Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the\n host OS, gain escalated privileges on the guest OS, or cause a Denial of\n Service (crash the host OS).\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201209-25\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Gentoo discontinued support for VMware Player. We recommend that users\n unmerge VMware Player:\n # emerge --unmerge 'app-emulation/vmware-player'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-player-3.1.5”, however these packages are\n not currently stable.\n Gentoo discontinued support for VMware Workstation. We recommend that\n users unmerge VMware Workstation:\n # emerge --unmerge 'app-emulation/vmware-workstation'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-workstation-7.1.5”, however these packages\n are not currently stable.\n Gentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n # emerge --unmerge 'app-emulation/vmware-server'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-757\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Vmware Server File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(16, 20, 22, 94, 119, 134, 189, 200, 264, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/01\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/vmware-server\", unaffected:make_list(), vulnerable:make_list(\"le 1.0.9.156507\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-workstation\", unaffected:make_list(), vulnerable:make_list(\"le 6.5.5.328052\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-player\", unaffected:make_list(), vulnerable:make_list(\"le 2.5.5.328052\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VMware Player / Server / Workstation\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:36", "bulletinFamily": "software", "description": "Code execution, privilege escalation, buffer overflow, format string vulnerabilities, DoS, information leaks.", "modified": "2010-04-19T00:00:00", "published": "2010-04-19T00:00:00", "id": "SECURITYVULNS:VULN:10754", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:10754", "title": "VMWare applications multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2010-0007\r\nSynopsis: VMware hosted products, vCenter Server and ESX\r\n patches resolve multiple security issues\r\nIssue date: 2010-04-09\r\nUpdated on: 2010-04-09 (initial release of advisory)\r\nCVE numbers: CVE-2010-1142 CVE-2010-1140 CVE-2009-2042\r\n CVE-2009-1564 CVE-2009-1565 CVE-2009-3732\r\n CVE-2009-3707 CVE-2010-1138 CVE-2010-1139\r\n CVE-2010-1141\r\n- -------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware hosted products, vCenter Server and ESX patches resolve\r\n multiple security issues.\r\n\r\n2. 
Relevant releases\r\n\r\n VMware Workstation 7.0,\r\n VMware Workstation 6.5.3 and earlier,\r\n VMware Player 3.0,\r\n VMware Player 2.5.3 and earlier,\r\n VMware ACE 2.6,\r\n VMware ACE 2.5.3 and earlier,\r\n VMware Server 2.0.2 and earlier,\r\n VMware Fusion 3.0,\r\n VMware Fusion 2.0.6 and earlier,\r\n VMware VIX API for Windows 1.6.x,\r\n\r\n VMware ESXi 4.0 before patch ESXi400-201002402-BG\r\n\r\n VMware ESXi 3.5 before patch ESXe350-200912401-T-BG\r\n\r\n VMware ESX 4.0 without patches ESX400-201002401-BG,\r\n ESX400-200911223-UG\r\n\r\n VMware ESX 3.5 without patch ESX350-200912401-BG\r\n\r\n VMware ESX 3.0.3 without patch ESX303-201002203-UG\r\n\r\n VMware ESX 2.5.5 without Upgrade Patch 15.\r\n\r\n Notes:\r\n Effective May 2010, VMware's patch and update release program during\r\n Extended Support will be continued with the condition that all\r\n subsequent patch and update releases will be based on the latest\r\n baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,\r\n ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section\r\n "End of Product Availability FAQs" at\r\n http://www.vmware.com/support/policies/lifecycle/vi/faq.html for\r\n details.\r\n\r\n Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan\r\n to upgrade to at least ESX 3.0.3 and preferably to the newest\r\n release available.\r\n\r\n Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan\r\n to upgrade to at least ESX 3.5 and preferably to the newest release\r\n available.\r\n\r\n End of General Support for VMware Workstation 6.x is 2011-04-27,\r\n users should plan to upgrade to the newest release available.\r\n\r\n End of General Support for VMware Server 2.0 is 2011-06-30, users\r\n should plan to upgrade to the newest release of either ESXi or\r\n VMware Player.\r\n\r\n Extended support for Virtual Center 2.0.2 is 2011-12-10, users\r\n should plan to upgrade to the newest release of vCenter Server.\r\n\r\n3. 
Problem Description\r\n\r\n a. Windows-based VMware Tools Unsafe Library Loading vulnerability\r\n\r\n A vulnerability in the way VMware libraries are referenced allows\r\n for arbitrary code execution in the context of the logged on user.\r\n This vulnerability is present only on Windows Guest Operating\r\n Systems.\r\n\r\n In order for an attacker to exploit the vulnerability, the attacker\r\n would need to lure the user that is logged on a Windows Guest\r\n Operating System to click on the attacker's file on a network\r\n share. This file could be in any file format. The attacker will\r\n need to have the ability to host their malicious files on a\r\n network share.\r\n\r\n VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS\r\n Security (http://www.acrossecurity.com) for reporting this issue\r\n to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-1141 to this issue.\r\n\r\n Steps needed to remediate this vulnerability:\r\n\r\n Guest systems on VMware Workstation, Player, ACE, Server, Fusion\r\n - Install the remediated version of Workstation, Player, ACE,\r\n Server and Fusion.\r\n - Upgrade tools in the virtual machine (virtual machine users\r\n will be prompted to upgrade).\r\n\r\n Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5\r\n - Install the relevant patches (see below for patch identifiers)\r\n - Manually upgrade tools in the virtual machine (virtual machine\r\n users will not be prompted to upgrade). Note the VI Client will\r\n not show the VMware tools is out of date in the summary tab.\r\n Please see http://tinyurl.com/27mpjo page 80 for details.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available. 
See above for remediation\r\n details.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.x any not affected\r\n Workstation 6.5.x any 6.5.4 build 246459 or later\r\n\r\n Player 3.x any not affected\r\n Player 2.5.x any 2.5.4 build 246459 or later\r\n\r\n ACE 2.6.x Windows not affected\r\n ACE 2.5.x Windows 2.5.4 build 246459 or later\r\n\r\n Server 2.x any 2.0.2 build 203138 or later\r\n\r\n Fusion 3.x Mac OS/X not affected\r\n Fusion 2.x Mac OS/X 2.0.6 build 246742 or later\r\n\r\n ESXi 4.0 ESXi ESXi400-201002402-BG\r\n ESXi 3.5 ESXi ESXe350-200912401-T-BG or later\r\n\r\n ESX 4.0 ESX ESX400-201002401-BG\r\n ESX 3.5 ESX ESX350-200912401-BG\r\n ESX 3.0.3 ESX ESX303-201002203-UG\r\n ESX 2.5.5 ESX Upgrade Patch 15\r\n\r\n b. Windows-based VMware Tools Arbitrary Code Execution vulnerability\r\n\r\n A vulnerability in the way VMware executables are loaded allows for\r\n arbitrary code execution in the context of the logged on user. This\r\n vulnerability is present only on Windows Guest Operating Systems.\r\n\r\n In order for an attacker to exploit the vulnerability, the attacker\r\n would need to be able to plant their malicious executable in a\r\n certain location on the Virtual Machine of the user. 
On most\r\n recent versions of Windows (XP, Vista) the attacker would need to\r\n have administrator privileges to plant the malicious executable in\r\n the right location.\r\n\r\n Steps needed to remediate this vulnerability: See section 3.a.\r\n\r\n VMware would like to thank Mitja Kolsek of ACROS Security\r\n (http://www.acrossecurity.com) for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-1142 to this issue.\r\n\r\n Refer to the previous table in section 3.a for what action\r\n remediates the vulnerability (column 4) if a solution is\r\n available. See above for remediation details.\r\n\r\n c. Windows-based VMware Workstation and Player host privilege\r\n escalation\r\n\r\n A vulnerability in the USB service allows for a privilege\r\n escalation. A local attacker on the host of a Windows-based\r\n Operating System where VMware Workstation or VMware Player\r\n is installed could plant a malicious executable on the host and\r\n elevate their privileges.\r\n\r\n In order for an attacker to exploit the vulnerability, the attacker\r\n would need to be able to plant their malicious executable in a\r\n certain location on the host machine. 
On most recent versions of\r\n Windows (XP, Vista) the attacker would need to have administrator\r\n privileges to plant the malicious executable in the right location.\r\n\r\n VMware would like to thank Thierry Zoller for reporting this issue\r\n to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-1140 to this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.0 Windows 7.0.1 build 227600 or later\r\n Workstation 7.0 Linux not affected\r\n Workstation 6.5.x any not affected\r\n\r\n Player 3.0 Windows 3.0.1 build 227600 or later\r\n Player 3.0 Linux not affected\r\n Player 2.5.x any not affected\r\n\r\n Ace any any not affected\r\n\r\n Server 2.x any not affected\r\n\r\n Fusion any Mac OS/X not affected\r\n\r\n ESXi any ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n d. Third party library update for libpng to version 1.2.37\r\n\r\n The libpng libraries through 1.2.35 contain an uninitialized-\r\n memory-read bug that may have security implications.\r\n Specifically, 1-bit (2-color) interlaced images whose widths are\r\n not divisible by 8 may result in several uninitialized bits at the\r\n end of certain rows in certain interlace passes being returned to\r\n the user. 
An application that failed to mask these out-of-bounds\r\n pixels might display or process them, albeit presumably with benign\r\n results in most cases.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2009-2042 to this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not applicable\r\n\r\n Workstation 7.0 any 7.0.1 build 227600 or later\r\n Workstation 6.5.x any 6.5.4 build 246459 or later\r\n\r\n Player 3.0 any 3.0.1 build 227600 or later\r\n Player 2.5.x any 2.5.4 build 246459 or later\r\n\r\n Ace 2.6 Windows 2.6.1 build 227600 or later\r\n Ace 2.5.x Windows 2.5.4 build 246459 or later\r\n\r\n Server 2.x any not being fixed at this time\r\n\r\n Fusion any any Mac OS/X not affected\r\n\r\n ESXi any ESXi not applicable\r\n\r\n ESX any ESX not applicable\r\n\r\n e. VMware VMnc Codec heap overflow vulnerabilities\r\n\r\n The VMware movie decoder contains the VMnc media codec that is\r\n required to play back movies recorded with VMware Workstation,\r\n VMware Player and VMware ACE, in any compatible media player. 
The\r\n movie decoder is installed as part of VMware Workstation, VMware\r\n Player and VMware ACE, or can be downloaded as a stand alone\r\n package.\r\n\r\n Vulnerabilities in the decoder allow for execution of arbitrary\r\n code with the privileges of the user running an application\r\n utilizing the vulnerable codec.\r\n\r\n For an attack to be successful the user must be tricked into\r\n visiting a malicious web page or opening a malicious video file on\r\n a system that has the vulnerable version of the VMnc codec installed.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the names CVE-2009-1564 and CVE-2009-1565 to these\r\n issues.\r\n\r\n VMware would like to thank iDefense, Sebastien Renaud of VUPEN\r\n Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop\r\n of Secunia Research for reporting these issues to us.\r\n\r\n To remediate the above issues either install the stand alone movie\r\n decoder or update your product using the table below.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Movie Decoder any Windows 6.5.4 Build 246459 or later\r\n\r\n Workstation 7.x any not affected\r\n Workstation 6.5.x Windows 6.5.4 build 246459 or later\r\n Workstation 6.5.x Linux not affected\r\n\r\n Player 3.x any not affected\r\n Player 2.5.x Windows 2.5.4 build 246459 or later\r\n Player 2.5.x Linux not affected\r\n\r\n ACE any any not affected\r\n\r\n Server 2.x Window not being addressed at this time\r\n Server 2.x Linux not affected\r\n\r\n Fusion any Mac OS/X not affected\r\n\r\n ESXi any ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\nf. 
VMware Remote Console format string vulnerability\r\n\r\n VMware Remote Console (VMrc) contains a format string vulnerability.\r\n Exploitation of this issue may lead to arbitrary code execution on\r\n the system where VMrc is installed.\r\n\r\n For an attack to be successful, an attacker would need to trick the\r\n VMrc user into opening a malicious Web page or following a malicious\r\n URL. Code execution would be at the privilege level of the user.\r\n\r\n VMrc is present on a system if the VMrc browser plug-in has been\r\n installed. This plug-in is required when using the console feature in\r\n WebAccess. Installation of the plug-in follows after visiting the\r\n console tab in WebAccess and choosing "Install plug-in". The plug-\r\n in can only be installed on Internet Explorer and Firefox.\r\n\r\n Under the following two conditions your version of VMrc is likely\r\n to be affected:\r\n\r\n - the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0\r\n without patch ESX400-200911223-UG and\r\n - VMrc is installed on a Windows-based system\r\n\r\n The following steps allow you to determine if you have an affected\r\n version of VMrc installed:\r\n\r\n - Locate the VMrc executable vmware-vmrc.exe on your Windows-based\r\n system\r\n - Right click and go to Properties\r\n - Go to the tab "Versions"\r\n - Click "File Version" in the "Item Name" window\r\n - If the "Value" window shows "e.x.p build-158248", the version of\r\n VMrc is affected\r\n\r\n Remediation of this issue on Windows-based systems requires the\r\n following steps (Linux-based systems are not affected):\r\n\r\n - Uninstall affected versions of VMrc from the systems where the\r\n VMrc plug-in has been installed (use the Windows Add/Remove\r\n Programs interface)\r\n - Install vCenter 4.0 Update 1 or install the ESX 4.0 patch\r\n ESX400-200911223-UG\r\n - Login into vCenter 4.0 Update 1 or ESX 4.0 with patch\r\n ESX400-200911223-UG using WebAccess on the system where the VMrc\r\n needs to be 
re-installed\r\n - Re-install VMrc by going to the console tab in WebAccess. The\r\n Console tab is selectable after selecting a virtual machine.\r\n\r\n Note: the VMrc plug-in for Firefox on Windows-based operating\r\n systems is no longer compatible after the above remediation steps.\r\n Users are advised to use the Internet Explorer VMrc plug-in.\r\n\r\n VMware would like to thank Alexey Sintsov from Digital Security\r\n Research Group for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2009-3732 to this issue.\r\n\r\n\r\n g. Windows-based VMware authd remote denial of service\r\n\r\n A vulnerability in vmware-authd could cause a denial of service\r\n condition on Windows-based hosts. The denial of service is limited\r\n to a crash of authd.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2009-3707 to this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.0 Windows 7.0.1 build 227600 or later\r\n Workstation 7.0 Linux not affected\r\n Workstation 6.5.x Windows 6.5.4 build 246459 or later\r\n Workstation 6.5.x Linux not affected\r\n\r\n Player 3.0 Windows 3.0.1 build 227600 or later\r\n Player 3.x Linux not affected\r\n Player 2.5.x Windows 2.5.4 build 246459 or later\r\n Player 2.5.x Linux not affected\r\n\r\n Ace 2.6 Windows 2.6.1 build 227600 or later\r\n Ace 2.5.x Windows 2.5.4 build 246459 or later\r\n\r\n Server 2.x Windows not being addressed at this time\r\n Server 2.x Linux not affected\r\n\r\n Fusion any Mac OS/X not affected\r\n\r\n ESXi any any not affected\r\n\r\n ESX any any not affected\r\n\r\n h. 
Potential information leak via hosted networking stack\r\n\r\n A vulnerability in the virtual networking stack of VMware hosted\r\n products could allow host information disclosure.\r\n\r\n A guest operating system could send memory from the host vmware-vmx\r\n process to the virtual network adapter and potentially to the\r\n host's physical Ethernet wire.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2010-1138 to this issue.\r\n\r\n VMware would like to thank Johann MacDonagh for reporting this\r\n issue to us.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.0 any 7.0.1 build 227600 or later\r\n Workstation 6.5.x Windows 6.5.4 build 246459 or later\r\n Workstation 6.5.x Linux not affected\r\n\r\n Player 3.0 any 3.0.1 build 227600 or later\r\n Player 2.5.x Windows 2.5.4 build 246459 or later\r\n Player 2.5.x Linux not affected\r\n\r\n Ace 2.6 Windows 2.6.1 build 227600 or later\r\n Ace 2.5.x Windows 2.5.4 build 246459 or later\r\n\r\n Server 2.x any not being fixed at this time\r\n\r\n Fusion 3.0 Mac OS/X 3.0.1 build 232708 or later\r\n Fusion 2.x Mac OS/X 2.0.7 build 246742 or later\r\n\r\n ESXi any any not affected\r\n\r\n ESX any any not affected\r\n\r\n i. 
Linux-based vmrun format string vulnerability\r\n\r\n A format string vulnerability in vmrun could allow arbitrary code\r\n execution.\r\n\r\n If a vmrun command is issued and processes are listed, code could\r\n be executed in the context of the user listing the processes.\r\n\r\n The Common Vulnerabilities and Exposures Project (cve.mitre.org)\r\n has assigned the name CVE-2010-1139 to this issue.\r\n\r\n VMware would like to thank Thomas Toth-Steiner for reporting this\r\n issue to us.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n VIX API any Windows not affected\r\n VIX API 1.6.x Linux upgrade to VIX API 1.7 or later\r\n VIX API 1.6.x Linux64 upgrade to VIX API 1.7 or later\r\n\r\n Workstation 7.x any not affected\r\n Workstation 6.5.x Windows not affected\r\n Workstation 6.5.x Linux 6.5.4 build 246459 or later\r\n\r\n Player 3.x any not affected\r\n Player 2.5.x Windows not affected\r\n Player 2.5.x Linux 2.5.4 build 246459 or later\r\n\r\n Ace any Windows not affected\r\n\r\n Server 2.x Windows not affected\r\n Server 2.x Linux not being fixed at this time\r\n\r\n Fusion 3.x Mac OS/X not affected\r\n Fusion 2.x Mac OS/X 2.0.7 build 246742 or later\r\n\r\n ESXi any any not affected\r\n\r\n ESX any any not affected\r\n\r\n4. 
Solution\r\n\r\n Please review the patch/release notes for your product and version\r\n and verify the md5sum and/or the sha1sum of your downloaded file.\r\n\r\n VMware Workstation Movie Decoder stand alone 6.5.4\r\n --------------------------------------------------\r\n\r\nhttp://download3.vmware.com/software/wkst/VMware-moviedecoder-6.5.4-246459.exe\r\n md5sum: ea2ac5907ae4c5c323147fe155443ab8\r\n sha1sum: 5ca8d1fd45f6a7a6f38019b259c3e836ee4e8f29\r\n\r\n VMware Workstation 7.0.1\r\n ------------------------\r\n For Windows\r\n\r\nhttp://downloads.vmware.com/download/download.do?downloadGroup=WKST-701-WIN\r\n Release notes:\r\n http://downloads.vmware.com/support/ws7/doc/releasenotes_ws701.html\r\n\r\n Workstation for Windows 32-bit and 64-bit with VMware Tools\r\n md5sum: fc8502a748de3b8f94c5c9571c1f17d2\r\n sha1sum: 3de01b355b17363a92d80200ff5e7267b3bde206\r\n\r\n Workstation for Windows 32-bit and 64-bit without VMware Tools\r\n md5sum: 6a18ea3847cb727b03f7890f5643db79\r\n sha1sum: 260b019db4619b0d1d775e5c38cc46b6db250984\r\n\r\n For Linux\r\n http://downloads.vmware.com/download/download.do?downloadGroup=WKST-701-LX\r\n Release notes:\r\n http://downloads.vmware.com/support/ws7/doc/releasenotes_ws701.html\r\n\r\n Workstation for Linux 32-bit with VMware Tools\r\n md5sum: a896f7aaedde8799f21b52b89f5fc9ef\r\n sha1sum: f6d0789afa7927ca154973a071603a0bd098e697\r\n\r\n Workstation for Linux 32-bit without VMware Tools\r\n md5sum: 59ecd27bdf3f59be3b4df8f04d1b3874\r\n sha1sum: 22e1a475069fca5e8d2446bf14661fa6d894d34f\r\n\r\n Workstation for Linux 64-bit with VMware Tools\r\n md5sum: 808682eaa6b202fa29172821f7378768\r\n sha1sum: a901c45a2a02678b0d1722e8f27152c3af12a7ac\r\n\r\n Workstation for Linux 64-bit without VMware Tools\r\n md5sum: 5116e27e7b13a76693402577bd9fda58\r\n sha1sum: dbcd045a889b95ac14828b8106631b678354e30a\r\n\r\n VMware Workstation 6.5.4\r\n ------------------------\r\n For 
Windows\r\n\r\nhttp://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-WIN\r\n Release Notes:\r\n http://downloads.vmware.com/support/ws65/doc/releasenotes_ws654.html\r\n\r\n Workstation for Windows 32-bit and 64-bit\r\n Windows 32-bit and 64-bit .exe\r\n md5sum: 2dc393fcc4e78dcf2165098a4938699a\r\n sha1sum: acfff457860c8c53c637c01f74f8aaa72d1c9569\r\n\r\n For Linux\r\n http://downloads.vmware.com/download/download.do?downloadGroup=WKST-654-LX\r\n Release Notes:\r\n http://downloads.vmware.com/support/ws65/doc/releasenotes_ws654.html\r\n\r\n Workstation for Linux 32-bit\r\n Linux 32-bit .rpm\r\n md5sum: 9efb43a604d50e541eb3be7081b8b198\r\n sha1sum: 4240d664f85a11f47288d2279224b26bef92aa8b\r\n\r\n Workstation for Linux 32-bit\r\n Linux 32-bit .bundle\r\n md5sum: 38760682ad3b2f6bfb4e40f424c95c2a\r\n sha1sum: ec78099322b5fb2a737cd74a1978a5c07382dc8a\r\n\r\n Workstation for Linux 64-bit\r\n Linux 64-bit .rpm\r\n md5sum: 24311492bc515e9bc98eff9b2e7d33a2\r\n sha1sum: b4947ef09f740440e8a24fc2ba05c0a7c11b82f5\r\n\r\n Workstation for Linux 64-bit\r\n Linux 64-bit .bundle\r\n md5sum: ed24296705ad48442549d9cb2b3c0d8d\r\n sha1sum: 3c0f1efae0a64fa3a41be21b0bfc962f12e0e6d8\r\n\r\n\r\n VMware Player 3.0.1\r\n -------------------\r\n http://downloads.vmware.com/tryvmware/?p=player&lp=default\r\n Release notes:\r\nhttp://downloads.vmware.com/support/player30/doc/releasenotes_player301.html\r\n\r\n Player for Windows 32-bit and 64-bit\r\n md5sum: 78c92c0242c9540f68a629d4ac49c516\r\n sha1sum: 7fc255fcd1a6784458012314db1206ed922e92cf\r\n\r\n Player for Linux 32-bit (.bundle)\r\n md5sum: e7cd19d39c7bbd1aee582743d76a7863\r\n sha1sum: cff76010f0429576288ea1e5a594cd47a2c64f4a\r\n\r\n Player for Linux 64-bit (.bundle)\r\n md5sum: 88b08537c6eea705883dc1755b97738c\r\n sha1sum: 84f25370d24c03a18968a4f4c8e06cef3d21c2df\r\n\r\n VMware VIX API for Windows 32-bit and 64-bit\r\n md5sum: 2c46fc7e2516f331eb4dd23154d00a54\r\n sha1sum: 85ceb1b718806c6870e3a918bcc772d1486ccdc9\r\n\r\n 
VMware VIX API for 32-bit Linux\r\n md5sum: 8b0994a26363246b5e954f97bd5a088d\r\n sha1sum: af93da138a158ee6e05780a5c4042414735987b6\r\n\r\n VMware VIX API for 64-bit Linux\r\n md5sum: ef7b9890c52b1e333f2357760a7fff85\r\n sha1sum: dfef8531356de78171e13c4c108ebaeb43eaa62d\r\n\r\n VMware Player 2.5.4\r\n -------------------\r\n http://downloads.vmware.com/download/player/player_reg.html\r\n Release notes:\r\nhttp://downloads.vmware.com/support/player25/doc/releasenotes_player254.html\r\n\r\n Player for Windows 32-bit and 64-bit (.exe)\r\n md5sum: 531140a1eeed7d8b71f726b3d32a9174\r\n sha1sum: 2500fa8af48452bd0e97040b80c569c3cb4f73e5\r\n\r\n Player for Linux (.rpm)\r\n md5sum: 1905f61af490f9760bef54450747e708\r\n sha1sum: cf7444c0a6331439c5479a4158112a60eb0e6e8d\r\n\r\n Player for Linux (.bundle)\r\n md5sum: 74f539005687a4efce7971f7ef019af5\r\n sha1sum: 4c4412c5807ecd00e66886e0e7c43ed61b62aab7\r\n\r\n Player for Linux - 64-bit (.rpm)\r\n md5sum: 013078d7f6adcdbcbaafbf5e0ae11a39\r\n sha1sum: 7c434173a3fe446ebefce4803bfaa7ab67d1ff72\r\n\r\n Player for Linux - 64-bit (.bundle)\r\n md5sum: 175ce2f9656ff10a1327c0d48f80c65f\r\n sha1sum: bf7acfdcb44bf345d58f79ad1bcb04816f262d22\r\n\r\n\r\n VMware ACE 2.6.1\r\n ----------------\r\nhttp://downloads.vmware.com/download/download.do?downloadGroup=ACE-261-WIN\r\n Release notes:\r\n http://downloads.vmware.com/support/ace26/doc/releasenotes_ace261.html\r\n\r\n VMware Workstation for 32-bit and 64-bit Windows with tools\r\n md5sum: fc8502a748de3b8f94c5c9571c1f17d2\r\n sha1sum: 3de01b355b17363a92d80200ff5e7267b3bde206\r\n\r\n VMware Workstation for Windows 32-bit and 64-bit without tools\r\n md5sum: 6a18ea3847cb727b03f7890f5643db79\r\n sha1sum: 260b019db4619b0d1d775e5c38cc46b6db250984\r\n\r\n ACE Management Server Virtual Appliance\r\n md5sum: e26d258c511572064e99774fbac9184c\r\n sha1sum: 9363656b70caa11a31a6229451202d9f8203c1f5\r\n\r\n ACE Management Server for Windows\r\n md5sum: e970828f2a5a62ac108879033a70f4b6\r\n sha1sum: 
eca89372eacc78c3130781d0d183715055d64798\r\n\r\n ACE Management Server for SUSE Enterprise Linux 9\r\n md5sum: 59b3ad5964daef2844e72fd1765590fc\r\n sha1sum: 91048de7665f5dc466f06e2ebc4c08f08026a97f\r\n\r\n ACE Management Server for Red Hat Enterprise Linux 4\r\n md5sum: 6623f6a8a645402a1c8c351ec99a1889\r\n sha1sum: a6d74ba072c5a513fcf8993edebaaf7f8225c05d\r\n\r\n VMware ACE 2.5.4\r\n ----------------\r\nhttp://downloads.vmware.com/download/download.do?downloadGroup=ACE-254-WIN\r\n Release notes:\r\n http://downloads.vmware.com/support/ace25/doc/releasenotes_ace254.html\r\n\r\n VMware ACE for Windows 32-bit and 64-bit\r\n Windows 32-bit and 64-bit .exe\r\n md5sum: 2dc393fcc4e78dcf2165098a4938699a\r\n sha1sum: acfff457860c8c53c637c01f74f8aaa72d1c9569\r\n\r\n ACE Management Server Virtual Appliance\r\n AMS Virtual Appliance .zip\r\n md5sum: 3935f23d4a074e7a3429a1c80cfd2155\r\n sha1sum: 5b09439a9c840d39ae49fbd7a79732ecd58c52a3\r\n\r\n ACE Management Server for Windows\r\n Windows .exe\r\n md5sum: 1173bd7da6ed330a262ed4e2eff6562c\r\n sha1sum: d9bce88a350aa957f3387f870af763875d4d9110\r\n\r\n ACE Management Server for SUSE Enterprise Linux 9\r\n SLES 9 .rpm\r\n md5sum: 0bec2cf8d6ae3bb6976c9d8cc2573208\r\n sha1sum: f3c6d9ee3357535b1540cedd9e86d723e2ed2134\r\n\r\n ACE Management Server for Red Hat Enterprise Linux 4\r\n RHEL 4 .rpm\r\n md5sum: 17caa522af79cf1f6b2ebad16a4ac8a5\r\n sha1sum: cdd6e2a4e3d7ad89f95e60f1af024bea7eaba0fe\r\n\r\n\r\n VMware Server 2.0.2\r\n -------------------\r\n http://www.vmware.com/download/server/\r\n Release notes:\r\n http://www.vmware.com/support/server2/doc/releasenotes_vmserver202.html\r\n\r\n VMware Server 2\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 507 MB EXE image VMware Server 2 for Windows Operating Systems. 
A\r\n master installer file containing all Windows components of VMware\r\n Server.\r\n md5sum: a6430bcc16ff7b3a29bb8da1704fc38a\r\n sha1sum: 39683e7333732cf879ff0b34f66e693dde0e340b\r\n\r\n VIX API 1.6 for Windows\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 37 MB image\r\n md5sum: 827e65e70803ec65ade62dd27a74407a\r\n sha1sum: a14281bc055271a19be3c88026e92304bc3f0e22\r\n\r\n For Linux\r\n\r\n VMware Server 2 for Linux Operating Systems.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 37 MB TAR image\r\n md5sum: 95ddea5a0579a35887bd15b083ffea20\r\n sha1sum: 14cf12063a7480f240ccd96178ad4258cb26a747\r\n\r\n VMware Server 2 for Linux Operating Systems 64-bit version.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 452 MB RPM image\r\n md5sum: 35c8b176601133749e4055e0034f8be6\r\n sha1sum: e8dc842d89899df5cd3e1136af76f19ca5ccbece\r\n\r\n The core application needed to run VMware Server 2, 64-bit version.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 451 MB TAR image\r\n md5sum: cc7aef813008eeb7150c21547d431b39\r\n sha1sum: b65d3d46dc947fc7995bda354c4947afabd23474\r\n\r\n\r\n VMware Fusion 3.0.2\r\n -------------------\r\n http://downloads.vmware.com/download/download.do?downloadGroup=FUS-302\r\n Release notes:\r\nhttp://downloads.vmware.com/support/fusion3/doc/releasenotes_fusion_302.html\r\n\r\n VMware Fusion 3.0.2 (for Intel-based Macs)\r\n md5sum: aa17278a4a668eeb9f9467e4e3111ccc\r\n sha1sum: 58c3d63705ac90839f7c1ae14264177e1fd56df3\r\n\r\n VMware Fusion 3.0.2 Light for Mac (for Intel-based Macs)\r\n md5sum: 052ecbbfc4f59a85e2d08b4bd3ef0896\r\n sha1sum: 61e00487f4c649588099647d4a5f47ddf5b8ad01\r\n\r\n VMware Fusion 2.0.7\r\n -------------------\r\n http://downloads.vmware.com/download/download.do?downloadGroup=FUS-207\r\n Release notes:\r\nhttp://downloads.vmware.com/support/fusion2/doc/releasenotes_fusion_207.html\r\n\r\n VMware Fusion 2.0.7 (for Intel-based Macs)\r\n md5sum: a293f5ce6ccc227760640753386e9da6\r\n sha1sum: ddfda92f9baf30e536bc485e42325d173a1aa370\r\n\r\n VMware Fusion 
2.0.7 Light (for Intel-based Macs)\r\n md5sum: d4772d118fb90323f598849e70c21189\r\n sha1sum: 5c1df1597e77ebe0f0555749b281008ca5f2fb77\r\n\r\n\r\n VIX API 1.7 Version: 1.7 | 2009-08-26 | 186713\r\n ----------------------------------------------\r\n VIX API for Window 32-bit and 64-bit\r\n Main installation file for Windows 32-bit and 64-bit host\r\n md5sum:b494fc3092f07d0f29cc06a19fe61306\r\n sha1sum:aa8638424cb7f25c1e42343134ac9f0bd2c2e0c9\r\n\r\n VIX API for Linux 32-bit\r\n md5sum:6b0ed8872d8b714363cddc68b6a77008\r\n sha1sum:8a9b12a61641394b347488119a7120eaa47dc2a1\r\n\r\n VIX API for Linux 64-bit\r\n md5sum:d57aa9f98058d5a386c18e14cc05bf4d\r\n sha1sum:3b7d4461ea257e795b322cc080f4ae29a230666b\r\n\r\n VIX API Version: 1.8.1 | 2009-10-11 | 207905\r\n ---------------------------------------------\r\n VIX API for Windows 32-bit and 64-bit\r\n md5sum:4f21e4cb518767bc08045f5a39f5d41f\r\n sha1sum:5b8275c549f9d9498bd2ed078557f1ce1986ac12\r\n\r\n VIX API for Linux 32-bit\r\n md5sum:f347e94d907c26754540d59956ee5d53\r\n sha1sum:6ddc6c9371ba127d04bc83bd55988a6c83366907\r\n\r\n VIX API for Linux 64-bit\r\n md5sum:b8a3982072d0d42c0c37dd7eb49d686c\r\n sha1sum:d044ac3dd42f806bc4ff48ddf584b5e3d82910c8\r\n\r\n VIX API Version: 1.10 Beta | 01/28/10 | 222403\r\n ----------------------------------------------\r\n VIX API for Windows 32-bit and 64-bit\r\n md5sum:ac5b6e9197cb68c302bfac9ed683e3af\r\n sha1sum:0d942e7409e88e684bdb65811e7be7f47d631a73\r\n\r\n VIX API for Linux 32-bit\r\n md5sum:07d1989d042e317eb9d2b3daf269dda7\r\n sha1sum:1e3840d426d7dfff53fa7e1bd22b09b56cf2362c\r\n\r\n VIX API for Linux 64-bit\r\n md5sum:9b345008e0adec3c044988307294944b\r\n sha1sum:7a54a893369c2227f7e8058430c40983168c6e0b\r\n\r\n\r\n ESXi\r\n ----\r\n ESXi 4.0 bulletin ESXi400-201002402-BG\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-193-20100228-731251/ESXi400-201002001.zip\r\n md5sum: e5aa2968d389594abdc59cbac7b0183d\r\n sha1sum: bb50b3ad7934e3f9e24edc879b35e83b357343b2\r\n 
http://kb.vmware.com/kb/1018404\r\n\r\n ESXi 3.5\r\n --------\r\n ESXi 3.5 patch ESXe350-200912402-T-BG was first contained in\r\n ESXe350-200912401-O-BG from December 2009.\r\n\r\n The same patch, ESXe350-200912402-T-BG, is also contained in\r\n ESXe350-201002401-O-SG from February 2010 ESXi 3.5 security update.\r\n\r\n In latest non-security ESXi 3.5 update, ESXe350-201003402-T-BG is also\r\n included in ESXe350-201003401-O-BG from March 2010.\r\n\r\n\r\n ESXe350-201002401-O-SG (latest security update)\r\n http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip\r\n\r\n md5sum: 0c8d4d1c0e3c2aed9f785cf081225d83\r\n\r\n http://kb.vmware.com/kb/1015047 (Vi Client)\r\n\r\n http://kb.vmware.com/kb/1016665 (VM Tools)\r\n\r\n http://kb.vmware.com/kb/1017685 (Firmware)\r\n\r\n\r\n\r\n The three ESXi patches for Firmware "I", VMware Tools "T," and the\r\n VI Client "C" are contained in a single offline "O" download file.\r\n\r\n\r\n ESX\r\n ---\r\n ESX 4.0 bulletin ESX400-201002401-BG\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-192-20100228-732240/ESX400-201002001.zip\r\n md5sum: de62cbccaffa4b2b6831617f18c1ccb4\r\n sha1sum: 4083f191fa4acd6600c9a87e4852f9f5700e91ab\r\n http://kb.vmware.com/kb/1018403\r\n\r\n Note: ESX400-201002001 contains the bundle with the security fix,\r\n ESX400-201002401-BG\r\n To install an individual bulletin use esxupdate with the -b option.\r\n esxupdate --bundle ESX400-201002001 -b ESX400-201002401-BG\r\n\r\n ESX 4.0 bulletin ESX400-200911223-UG\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254879/ESX-4.0.0-update01a.zip\r\n md5sum: 99c1fcafbf0ca105ce73840d686e9914\r\n sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb\r\n http://kb.vmware.com/kb/1014842\r\n\r\n Note: ESX-4.0.0-update01a contains the bundle with the security fix,\r\n ESX400-200911223-UG\r\n To install an individual bulletin use esxupdate with the -b option.\r\n esxupdate --bundle ESX-4.0.0-update01a -b 
ESX400-200911223-UG\r\n\r\n ESX 3.5 patch ESX350-200912401-BG\r\n http://download3.vmware.com/software/vi/ESX350-200912401-BG.zip\r\n md5sum: f1d3589745b4ae933554785aef22bacc\r\n sha1sum: d1e5a9209b165d43d75f076e556fc028bec4cc47\r\n http://kb.vmware.com/kb/1016657\r\n\r\n ESX 3.0.3 patch ESX303-201002203-UG\r\n http://download3.vmware.com/software/vi/ESX303-201002203-UG.zip\r\n md5sum: 49ee56b687707cbe6999836c315f081a\r\n http://kb.vmware.com/kb/1018030\r\n\r\n ESX 2.5.5 Upgrade Patch 15\r\n http://download3.vmware.com/software/esx/esx-2.5.5-191611-upgrade.tar.gz\r\n md5sum: c346fe510b6e51145570e03083f77357\r\n sha1sum: ef6b19247825fb3fe2c55f8fda3cdd05ac7bb1f4\r\n http://www.vmware.com/support/esx25/doc/esx-255-200910-patch.html\r\n\r\n\r\n5. References\r\n http://www.acrossecurity.com/advisories.htm\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1564\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1565\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3707\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3732\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1138\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1139\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1140\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1142\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1141\r\n\r\n6. Change log\r\n2010-04-09 VMSA-2010-0007\r\nInitial security advisory after release of Workstation 6.5.4 and Fusion\r\n2.0.7 on 2010-04-08.\r\n\r\n- ------------------------------------------------------------------------\r\n7. 
Contact\r\n\r\nE-mail list for product security notifications and announcements:\r\nhttp://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\nThis Security Advisory is posted to the following lists:\r\n\r\n * security-announce at lists.vmware.com\r\n * bugtraq at securityfocus.com\r\n * full-disclosure at lists.grok.org.uk\r\n\r\nE-mail: security at vmware.com\r\nPGP key at: http://kb.vmware.com/kb/1055\r\n\r\nVMware Security Center\r\nhttp://www.vmware.com/security\r\n\r\nVMware security response policy\r\nhttp://www.vmware.com/support/policies/security_response.html\r\n\r\nGeneral support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos.html\r\n\r\nVMware Infrastructure support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos_vi.html\r\n\r\nCopyright 2010 VMware Inc. All rights reserved.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (MingW32)\r\n\r\niD8DBQFLvvM8S2KysvBH1xkRAgu/AJ9RrzlOq/5Ug0t8R4qoi/UwDVJDpACbBGgT\r\nd58bjKG6Ic7m/TsoJP4M2tw=\r\n=Q1zv\r\n-----END PGP SIGNATURE-----", "modified": "2010-04-12T00:00:00", "published": "2010-04-12T00:00:00", "id": "SECURITYVULNS:DOC:23603", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23603", "title": "VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2019-11-06T16:05:45", "bulletinFamily": "unix", "description": "a. Windows-based VMware Tools Unsafe Library Loading vulnerability \n \nA vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems. 
\nIn order for an attacker to exploit the vulnerability, the attacker would need to lure a user who is logged on to a Windows Guest Operating System into clicking on the attacker's file on a network share. This file could be in any file format. The attacker will need to have the ability to host their malicious files on a network share. \nVMware would like to thank Jure Skofic and Mitja Kolsek of ACROS Security ( <http://www.acrossecurity.com>) for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1141 to this issue. \nSteps needed to remediate this vulnerability: \n\\- Install the remediated version of Workstation, Player, ACE, Server and Fusion. \n\\- Upgrade tools in the virtual machine (virtual machine users will be prompted to upgrade). \n \nGuest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5 - Install the relevant patches (see below for patch identifiers) \n\\- Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade). Note that the VI Client will not show that VMware Tools is out of date in the summary tab. \nPlease see <http://tinyurl.com/27mpjo> page 80 for details. \nThe following table lists what action remediates the vulnerability (column 4) if a solution is available. See above for remediation details. \n\n", "modified": "2010-04-12T00:00:00", "published": "2010-04-09T00:00:00", "id": "VMSA-2010-0007", "href": "https://www.vmware.com/security/advisories/VMSA-2010-0007.html", "title": "VMware hosted products, vCenter Server and ESX patches resolve multiple security issues", "type": "vmware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:55", "bulletinFamily": "unix", "description": "### Background\n\nVMware Player, Server, and Workstation allow emulation of a complete PC on a PC without the usual performance overhead of most emulators. 
\n\n### Description\n\nMultiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. \n\nA remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console. \n\nFurthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo discontinued support for VMware Player. We recommend that users unmerge VMware Player: \n \n \n # emerge --unmerge \"app-emulation/vmware-player\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-player-3.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Workstation. We recommend that users unmerge VMware Workstation: \n \n \n # emerge --unmerge \"app-emulation/vmware-workstation\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-workstation-7.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Server. We recommend that users unmerge VMware Server: \n \n \n # emerge --unmerge \"app-emulation/vmware-server\"", "modified": "2012-09-29T00:00:00", "published": "2012-09-29T00:00:00", "id": "GLSA-201209-25", "href": "https://security.gentoo.org/glsa/201209-25", "type": "gentoo", "title": "VMware Player, Server, Workstation: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}