Bonsai Information Security - VMware Tools update OS Command Injection

2010-12-10T00:00:00

Description

VMware Tools update OS Command Injection ======================================== 1. Advisory Information Advisory ID: BONSAI-2010-0110 Date published: Thu Dec 9, 2010 Vendors contacted: VMware Release mode: Coordinated release 2. Vulnerability Information Class: Injection Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2010-4297 3. Software Description VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality. Installing VMware Tools eliminates or improves the following issues: * low video resolution * inadequate color depth * incorrect display of network speed * restricted movement of the mouse * inability to copy and paste and drag-and-drop files * missing sound VMware Tools includes these components: * VMware Tools service * VMware device drivers * VMware user process * VMware Tools control panel VMware Tools is provided in the following formats: * ISOs (contain .tar and .rpm files) – packaged with the product and are installed in a number of ways, depending upon the VMware product and the guest operating system installed in the virtual machine. VMware Tools provides a different ISO file for each type of supported guest operating system: Windows, Linux, NetWare, Solaris, and FreeBSD. * Operating System Specific Packages (OSPs) – downloaded and installed from the command line. VMware Tools is available as separate downloadable, light-weight packages that are specific to each supported Linux operating system and VMware product. OSPs are an alternative to the existing mechanism for installing VMware Tools and only support Linux systems running on ESX. 4. Vulnerability Description Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. 5. Vulnerable packages Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available: VMWare Product Product Version Running On Replace with / Apply Patch VirtualCenter any Windows not affected Workstation 7.X any 7.1.2 Build 301548 or later Workstation 6.5.X any 6.5.5 Build 328052 or later Player 3.1.X any 3.1.2 Build 301548 or later Player 2.5.X any 2.5.5 Build 328052 or later AMS any any not affected Server 2.0.2 any affected, no patch planned Fusion 3.1.X Mac OSX 3.1.2 Build 332101 Fusion 2.X Mac OSX 2.0.8 Build 328035 ESXi 4.1 ESXi ESXi410-201010402-BG ESXi 4.0 ESXi ESXi400-201009402-BG ESXi 3.5 ESXi ESXe350-201008402-T-BG ** ESX 4.1 ESX ESX410-201010405-BG ESX 4.0 ESX ESX400-201009401-SG ESX 3.5 ESX ESX350-201008409-BG ** ESX 3.0.3 ESX not affected * hosted products are VMware Workstation, Player, ACE, Fusion. ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only: - Install the relevant ESX patch. - Manually upgrade tools in the virtual machine (virtual machine users will not be prompted to upgrade tools). Note the VI Client may not show that the VMware tools is out of date in th summary tab. Full VMWare advisory could be found at: http://www.vmware.com/security/advisories/VMSA-2010-0018.html 6. Non-vulnerable packages See above table. 7. Credits This vulnerability was discovered by Nahuel Grisolia ( nahuel -at- bonsai-sec.com ). 8. Technical Description 8.1. OS Command Injection – PoC Example CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) VMware Server Infrastructure Web Access is prone to remote command execution vulnerability because the software fails to adequately sanitize user-supplied input. When Updating the VMTools on a certain Guest Virtual Machine, a command injection attack can be executed if specially crafted parameters are sent. Successful attacks can compromise the affected Guest Virtual Machine with root privileges. The following proof of concept is given. It was exploited in a GNU/Linux Guest with VMware Tools installed but not fully updated: POST /ui/sb HTTP/1.1 […] Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser; l=http%3A%2F%2Flocalhost%3A80%2Fsdk […] [{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},"; INJECTED COMMAND HERE ;"]}] 9. Report Timeline • 2010-04-24 / Vulnerabilities were identified • 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor • 2010-12-09 / Vulnerability is Disclosed – PoC attached 10. About Bonsai Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service and focused on our customers’ real needs. 11. Disclaimer The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 12. Research http://www.bonsai-sec.com/en/research/vulnerability.php http://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php

{"id": "SECURITYVULNS:DOC:25262", "bulletinFamily": "software", "title": "Bonsai Information Security - VMware Tools update OS Command Injection", "description": "VMware Tools update OS Command Injection\r\n========================================\r\n\r\n1. Advisory Information\r\nAdvisory ID: BONSAI-2010-0110\r\nDate published: Thu Dec 9, 2010\r\nVendors contacted: VMware\r\nRelease mode: Coordinated release\r\n\r\n2. Vulnerability Information\r\nClass: Injection\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2010-4297\r\n\r\n3. Software Description\r\nVMware Tools is a suite of utilities that enhances the performance of\r\nthe virtual machine's guest operating system and improves management of\r\nthe virtual machine. Without VMware Tools installed in your guest\r\noperating system, guest performance lacks important functionality.\r\nInstalling VMware Tools eliminates or improves the following issues:\r\n\r\n * low video resolution\r\n * inadequate color depth\r\n * incorrect display of network speed\r\n * restricted movement of the mouse\r\n * inability to copy and paste and drag-and-drop files\r\n * missing sound\r\n\r\nVMware Tools includes these components:\r\n\r\n * VMware Tools service\r\n * VMware device drivers\r\n * VMware user process\r\n * VMware Tools control panel\r\n\r\nVMware Tools is provided in the following formats:\r\n\r\n * ISOs (contain .tar and .rpm files) \u2013 packaged with the product and\r\nare installed in a number of ways, depending upon the VMware product and\r\nthe guest operating system installed in the virtual machine. VMware\r\nTools provides a different ISO file for each type of supported guest\r\noperating system: Windows, Linux, NetWare, Solaris, and FreeBSD.\r\n * Operating System Specific Packages (OSPs) \u2013 downloaded and\r\ninstalled from the command line. VMware Tools is available as separate\r\ndownloadable, light-weight packages that are specific to each supported\r\nLinux operating system and VMware product. OSPs are an alternative to\r\nthe existing mechanism for installing VMware Tools and only support\r\nLinux systems running on ESX.\r\n\r\n4. Vulnerability Description\r\nInjection flaws, such as SQL, OS, and LDAP injection, occur when\r\nuntrusted data is sent to an interpreter as part of a command or query.\r\nThe attacker\u2019s hostile data can trick the interpreter into executing\r\nunintended commands or accessing unauthorized data.\r\n\r\n5. Vulnerable packages\r\nColumn 4 of the following table lists the action required to remediate\r\nthe vulnerability in each release, if a solution is available:\r\nVMWare Product Product Version Running On Replace with / Apply Patch\r\nVirtualCenter any Windows not affected\r\nWorkstation 7.X any 7.1.2 Build 301548 or later\r\nWorkstation 6.5.X any 6.5.5 Build 328052 or later\r\nPlayer 3.1.X any 3.1.2 Build 301548 or later\r\nPlayer 2.5.X any 2.5.5 Build 328052 or later\r\nAMS any any not affected\r\nServer 2.0.2 any affected, no patch planned\r\nFusion 3.1.X Mac OSX 3.1.2 Build 332101\r\nFusion 2.X Mac OSX 2.0.8 Build 328035\r\nESXi 4.1 ESXi ESXi410-201010402-BG\r\nESXi 4.0 ESXi ESXi400-201009402-BG\r\nESXi 3.5 ESXi ESXe350-201008402-T-BG **\r\nESX 4.1 ESX ESX410-201010405-BG\r\nESX 4.0 ESX ESX400-201009401-SG\r\nESX 3.5 ESX ESX350-201008409-BG **\r\nESX 3.0.3 ESX not affected\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Fusion.\r\n ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:\r\n - Install the relevant ESX patch.\r\n - Manually upgrade tools in the virtual machine (virtual machine\r\nusers will not be prompted to upgrade tools). Note the VI Client may\r\nnot show that the VMware tools is out of date in th summary tab.\r\nFull VMWare advisory could be found at:\r\nhttp://www.vmware.com/security/advisories/VMSA-2010-0018.html\r\n\r\n6. Non-vulnerable packages\r\nSee above table.\r\n\r\n7. Credits\r\nThis vulnerability was discovered by Nahuel Grisolia ( nahuel -at-\r\nbonsai-sec.com ).\r\n\r\n8. Technical Description\r\n8.1. OS Command Injection \u2013 PoC Example\r\nCVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)\r\nVMware Server Infrastructure Web Access is prone to remote command\r\nexecution vulnerability because the software fails to adequately\r\nsanitize user-supplied input.\r\nWhen Updating the VMTools on a certain Guest Virtual Machine, a command\r\ninjection attack can be executed if specially crafted parameters are sent.\r\nSuccessful attacks can compromise the affected Guest Virtual Machine\r\nwith root privileges.\r\nThe following proof of concept is given. It was exploited in a GNU/Linux\r\nGuest with VMware Tools installed but not fully updated:\r\nPOST /ui/sb HTTP/1.1\r\n[\u2026]\r\nCookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;\r\nl=http%3A%2F%2Flocalhost%3A80%2Fsdk\r\n[\u2026]\r\n[{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";\r\nINJECTED COMMAND HERE ;"]}]\r\n\r\n\r\n9. Report Timeline\r\n\u2022 2010-04-24 / Vulnerabilities were identified\r\n\u2022 2010-04-29 \u2013 2010-12-02 / Multiple Contacts with Vendor\r\n\u2022 2010-12-09 / Vulnerability is Disclosed \u2013 PoC attached\r\n\r\n10. About Bonsai\r\nBonsai is a company involved in providing professional computer\r\ninformation security services. Currently a sound growth company, since\r\nits foundation in early 2009 in Buenos Aires, Argentina, we are fully\r\ncommitted to quality service and focused on our customers\u2019 real needs.\r\n\r\n11. Disclaimer\r\nThe contents of this advisory are copyright (c) 2010 Bonsai Information\r\nSecurity, and may be distributed freely provided that no fee is charged\r\nfor this distribution and proper credit is given.\r\n\r\n12. Research\r\nhttp://www.bonsai-sec.com/en/research/vulnerability.php\r\nhttp://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php", "published": "2010-12-10T00:00:00", "modified": "2010-12-10T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25262", "reporter": "Securityvulns", "references": [], "cvelist": ["CVE-2010-4297"], "type": "securityvulns", "lastseen": "2018-08-31T11:10:38", "edition": 1, "viewCount": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-4297"]}, {"type": "exploitdb", "idList": ["EDB-ID:15717"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:56567B8BBB3D59AE8BC1A846E3EF33FA"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/VMSA-2010-0018-CVE-2010-4297-WORKSTATION/", "MSF:ILITIES/VMSA-2010-0018-CVE-2010-4297/"]}, {"type": "nessus", "idList": ["MACOSX_FUSION_2_0_8.NASL", "MACOSX_FUSION_3_1_2.NASL", "VMWARE_MULTIPLE_VMSA_2010_0018.NASL", "VMWARE_VMSA-2010-0018.NASL", "VMWARE_VMSA-2010-0018_REMOTE.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:103456", "OPENVAS:1361412562310103456", "OPENVAS:1361412562310801560", "OPENVAS:1361412562310801561", "OPENVAS:801560", "OPENVAS:801561"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:96508"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25249", "SECURITYVULNS:VULN:11282"]}, {"type": "vmware", "idList": ["VMSA-2010-0018"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2010-4297"]}, {"type": "exploitdb", "idList": ["EDB-ID:15717"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/VMSA-2010-0018-CVE-2010-4297-WORKSTATION/"]}, {"type": "nessus", "idList": ["MACOSX_FUSION_2_0_8.NASL", "VMWARE_VMSA-2010-0018.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:801561"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:96508"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11282"]}]}, "exploitation": null, "vulnersScore": 7.5}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"openvas": [{"lastseen": "2017-07-02T21:09:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4297"], "description": "The host is installed with VMWare products tools local privilege\nescalation vulnerability.", "modified": "2017-02-21T00:00:00", "published": "2010-12-13T00:00:00", "id": "OPENVAS:801561", "href": "http://plugins.openvas.org/nasl.php?oid=801561", "type": "openvas", "title": "VMware Products Tools Local Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl 5388 2017-02-21 15:13:30Z teissa $\n#\n# VMware Products Tools Local Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \n\"Upgrade to workstation 6.5.5 build 328052 or 7.1.2 build 301548\nhttp://www.vmware.com/products/ws/\n\nUpgrade to player 2.5.5 build 328052 to 3.1.2 build 301548\nhttp://www.vmware.com/products/player/\n\nFor VMware Server version 2.x ,\nNo solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncode with elevated privileges, this may aid in other attacks.\n\nImpact Level: System/Application\";\n\ntag_summary = \"The host is installed with VMWare products tools local privilege\nescalation vulnerability.\";\n\ntag_affected = \"VMware Server version 2.x\nVMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548\nVMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548\";\n\ntag_insight = \"The flaw is due to an error in Tools update functionality, which\nallows host OS users to gain privileges on the guest OS via unspecified\nvectors.\";\n\nif(description)\n{\n script_id(801561);\n script_version(\"$Revision: 5388 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-21 16:13:30 +0100 (Tue, 21 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-13 15:28:53 +0100 (Mon, 13 Dec 2010)\");\n script_cve_id(\"CVE-2010-4297\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"VMware Products Tools Local Privilege Escalation Vulnerability (Windows)\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/514995\");\n script_xref(name : \"URL\" , value : \"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n script_xref(name : \"URL\" , value : \"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_require_keys(\"VMware/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Win/Installed\")){\n exit(0);\n}\n\n# Check for VMware Player\nvmplayerVer = get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.4\") ||\n version_in_range(version:vmplayerVer, test_version:\"3.0\", test_version2:\"3.1.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n#Check for VMware Workstation\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.4\")||\n version_in_range(version:vmworkstnVer, test_version:\"7.0\", test_version2:\"7.1.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message(0);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:09:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4297"], "description": "The host is installed with VMWare products tools local privilege\nescalation vulnerability.", "modified": "2017-02-21T00:00:00", "published": "2010-12-13T00:00:00", "id": "OPENVAS:801560", "href": "http://plugins.openvas.org/nasl.php?oid=801560", "type": "openvas", "title": "VMware Products Tools Local Privilege Escalation Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl 5388 2017-02-21 15:13:30Z teissa $\n#\n# VMware Products Tools Local Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \n\"Upgrade workstation 6.5.5 build 328052 or 7.1.2 build 301548\nhttp://www.vmware.com/products/ws/\n\nUpgrade to player 2.5.5 build 328052 to 3.1.2 build 301548\nhttp://www.vmware.com/products/player/\n\nFor VMware Server version 2.x ,\nNo solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_impact = \"Successful exploitation will allow attacker to execute arbitrary\ncode with elevated privileges, this may aid in other attacks.\n\nImpact Level: System/Application\";\n\ntag_summary = \"The host is installed with VMWare products tools local privilege\nescalation vulnerability.\";\n\ntag_affected = \"VMware Server version 2.x\nVMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548\nVMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548\";\n\ntag_insight = \"The flaw is due to an error in Tools update functionality, which\nallows host OS users to gain privileges on the guest OS via unspecified vectors.\";\n\nif(description)\n{\n script_id(801560);\n script_version(\"$Revision: 5388 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-21 16:13:30 +0100 (Tue, 21 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-13 15:28:53 +0100 (Mon, 13 Dec 2010)\");\n script_cve_id(\"CVE-2010-4297\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"VMware Products Tools Local Privilege Escalation Vulnerability (Linux)\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/514995\");\n script_xref(name : \"URL\" , value : \"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n script_xref(name : \"URL\" , value : \"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_require_keys(\"VMware/Linux/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\n# Check for VMware Player\nvmplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.4\") ||\n version_in_range(version:vmplayerVer, test_version:\"3.0\", test_version2:\"3.1.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n#Check for VMware Workstation\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.4\")||\n version_in_range(version:vmworkstnVer, test_version:\"7.0\", test_version2:\"7.1.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message(0);\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:40:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4297"], "description": "The host is installed with VMWare products tools local privilege\nescalation vulnerability.", "modified": "2018-09-22T00:00:00", "published": "2010-12-13T00:00:00", "id": "OPENVAS:1361412562310801561", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801561", "type": "openvas", "title": "VMware Products Tools Local Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_win.nasl 11553 2018-09-22 14:22:01Z cfischer $\n#\n# VMware Products Tools Local Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801561\");\n script_version(\"$Revision: 11553 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-22 16:22:01 +0200 (Sat, 22 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-13 15:28:53 +0100 (Mon, 13 Dec 2010)\");\n script_cve_id(\"CVE-2010-4297\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"VMware Products Tools Local Privilege Escalation Vulnerability (Windows)\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/514995\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n script_xref(name:\"URL\", value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\ncode with elevated privileges, this may aid in other attacks.\");\n script_tag(name:\"affected\", value:\"VMware Server version 2.x\nVMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548\nVMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error in Tools update functionality, which\nallows host OS users to gain privileges on the guest OS via unspecified\nvectors.\");\n script_tag(name:\"summary\", value:\"The host is installed with VMWare products tools local privilege\nescalation vulnerability.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Win/Installed\")){\n exit(0);\n}\n\nvmplayerVer = get_kb_item(\"VMware/Player/Win/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.4\") ||\n version_in_range(version:vmplayerVer, test_version:\"3.0\", test_version2:\"3.1.1\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Win/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.4\")||\n version_in_range(version:vmworkstnVer, test_version:\"7.0\", test_version2:\"7.1.1\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Win/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:40:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4297"], "description": "The host is installed with VMWare products tools local privilege\nescalation vulnerability.", "modified": "2018-09-22T00:00:00", "published": "2010-12-13T00:00:00", "id": "OPENVAS:1361412562310801560", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801560", "type": "openvas", "title": "VMware Products Tools Local Privilege Escalation Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_prdts_tools_loc_prev_escl_vuln_lin.nasl 11553 2018-09-22 14:22:01Z cfischer $\n#\n# VMware Products Tools Local Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801560\");\n script_version(\"$Revision: 11553 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-22 16:22:01 +0200 (Sat, 22 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-13 15:28:53 +0100 (Mon, 13 Dec 2010)\");\n script_cve_id(\"CVE-2010-4297\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"VMware Products Tools Local Privilege Escalation Vulnerability (Linux)\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/514995\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n script_xref(name:\"URL\", value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary\ncode with elevated privileges, this may aid in other attacks.\");\n script_tag(name:\"affected\", value:\"VMware Server version 2.x\nVMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548\nVMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error in Tools update functionality, which\nallows host OS users to gain privileges on the guest OS via unspecified vectors.\");\n script_tag(name:\"summary\", value:\"The host is installed with VMWare products tools local privilege\nescalation vulnerability.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\nvmplayerVer = get_kb_item(\"VMware/Player/Linux/Ver\");\nif(vmplayerVer != NULL )\n{\n if(version_in_range(version:vmplayerVer, test_version:\"2.5\", test_version2:\"2.5.4\") ||\n version_in_range(version:vmplayerVer, test_version:\"3.0\", test_version2:\"3.1.1\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\nvmworkstnVer = get_kb_item(\"VMware/Workstation/Linux/Ver\");\nif(vmworkstnVer != NULL)\n{\n if(version_in_range(version:vmworkstnVer, test_version:\"6.5\", test_version2:\"6.5.4\")||\n version_in_range(version:vmworkstnVer, test_version:\"7.0\", test_version2:\"7.1.1\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# VMware Server\nvmserVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserVer)\n{\n if(vmserVer =~ \"^2.*\"){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-30T10:47:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4295", "CVE-2010-4294", "CVE-2010-4297", "CVE-2010-4296"], "description": "The remote ESXi is missing one or more security related Updates from VMSA-2010-0018.\n\nSummary\n\nVMware hosted products and ESX patches resolve multiple security issues.\n\nRelevant releases\n\nVMware Workstation 7.1.1 and earlier,\nVMware Workstation 6.5.4 and earlier,\nVMware Player 3.1.1 and earlier,\nVMware Player 2.5.4 and earlier,\nVMware Fusion 3.1.1 and earlier,\nESXi 4.1 without patch ESXi410-201010402-BG or later\nESXi 4.0 without patch ESXi400-201009402-BG or later\nESXi 3.5 without patch ESXe350-201008402-T-BG or later\nESX 4.1 without patch ESX410-201010405-BG\nESX 4.0 without patch ESX400-201009401-SG\nESX 3.5 without patch ESX350-201008409-BG\n\nProblem Description\n\na. VMware Workstation, Player and Fusion vmware-mount race condition\n\n The way temporary files are handled by the mounting process could result in a race condition. This\n issue could allow a local user on the host to elevate their privileges.\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\nb. VMware Workstation, Player and Fusion vmware-mount privilege escalation vmware-mount which is a suid\n binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to\n execute arbitrary shared object files with root privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n \nc. OS Command Injection in VMware Tools update\n \n A vulnerability in the input validation of VMware Tools update allows for injection of commands. The issue\n could allow a user on the host to execute commands on the guest operating system with root privileges.\n\n The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not\n affected.\n\nd. VMware VMnc Codec frame decompression remote code execution\n\n The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware\n Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part\n of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.\n\n A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this\n to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of\n arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video\n file on a system that has the vulnerable version of the VMnc codec installed.", "modified": "2017-10-26T00:00:00", "published": "2012-03-16T00:00:00", "id": "OPENVAS:103456", "href": "http://plugins.openvas.org/nasl.php?oid=103456", "type": "openvas", "title": "VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_VMSA-2010-0018.nasl 7583 2017-10-26 12:07:01Z cfischer $\n#\n# VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"The remote ESXi is missing one or more security related Updates from VMSA-2010-0018.\n\nSummary\n\nVMware hosted products and ESX patches resolve multiple security issues.\n\nRelevant releases\n\nVMware Workstation 7.1.1 and earlier,\nVMware Workstation 6.5.4 and earlier,\nVMware Player 3.1.1 and earlier,\nVMware Player 2.5.4 and earlier,\nVMware Fusion 3.1.1 and earlier,\nESXi 4.1 without patch ESXi410-201010402-BG or later\nESXi 4.0 without patch ESXi400-201009402-BG or later\nESXi 3.5 without patch ESXe350-201008402-T-BG or later\nESX 4.1 without patch ESX410-201010405-BG\nESX 4.0 without patch ESX400-201009401-SG\nESX 3.5 without patch ESX350-201008409-BG\n\nProblem Description\n\na. VMware Workstation, Player and Fusion vmware-mount race condition\n\n The way temporary files are handled by the mounting process could result in a race condition. This\n issue could allow a local user on the host to elevate their privileges.\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\nb. VMware Workstation, Player and Fusion vmware-mount privilege escalation vmware-mount which is a suid\n binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to\n execute arbitrary shared object files with root privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n \nc. OS Command Injection in VMware Tools update\n \n A vulnerability in the input validation of VMware Tools update allows for injection of commands. The issue\n could allow a user on the host to execute commands on the guest operating system with root privileges.\n\n The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not\n affected.\n\nd. VMware VMnc Codec frame decompression remote code execution\n\n The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware\n Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part\n of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.\n\n A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this\n to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of\n arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video\n file on a system that has the vulnerable version of the VMnc codec installed.\";\n\ntag_solution = \"Apply the missing patch(es).\";\n\nif (description)\n{\n script_id(103456);\n script_cve_id(\"CVE-2010-4295\", \"CVE-2010-4296\", \"CVE-2010-4297\", \"CVE-2010-4294\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 7583 $\");\n script_name(\"VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues\");\n\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-26 14:07:01 +0200 (Thu, 26 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-16 12:42:13 +0100 (Fri, 16 Mar 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\",\"VMware/ESX/version\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n exit(0);\n}\n\ninclude(\"version_func.inc\"); # Used in _esxi_patch_missing()\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item('VMware/ESXi/LSC'))exit(0);\nif(! esxVersion = get_kb_item(\"VMware/ESX/version\"))exit(0);\n\npatches = make_array(\"4.1.0\",\"ESXi410-201010402-BG\",\n \"4.0.0\",\"ESXi400-201009402-BG\");\n\nif(!patches[esxVersion])exit(0);\n\nif(_esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n\n security_message(port:0);\n exit(0);\n\n}\n\nexit(99);\n\n\n\n\n\n\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-19T16:08:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4295", "CVE-2010-4294", "CVE-2010-4297", "CVE-2010-4296"], "description": "The remote ESXi is missing one or more security related Updates from VMSA-2010-0018.", "modified": "2019-12-18T00:00:00", "published": "2012-03-16T00:00:00", "id": "OPENVAS:1361412562310103456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103456", "type": "openvas", "title": "VMware ESXi/ESX patches resolve multiple security issues (VMSA-2010-0018)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103456\");\n script_cve_id(\"CVE-2010-4295\", \"CVE-2010-4296\", \"CVE-2010-4297\", \"CVE-2010-4294\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi/ESX patches resolve multiple security issues (VMSA-2010-0018)\");\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-03-16 12:42:13 +0100 (Fri, 16 Mar 2012)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"summary\", value:\"The remote ESXi is missing one or more security related Updates from VMSA-2010-0018.\");\n\n script_tag(name:\"affected\", value:\"ESXi 4.1 without patch ESXi410-201010402-BG or later\n\n ESXi 4.0 without patch ESXi400-201009402-BG or later\n\n ESXi 3.5 without patch ESXe350-201008402-T-BG or later\n\n ESX 4.1 without patch ESX410-201010405-BG\n\n ESX 4.0 without patch ESX400-201009401-SG\n\n ESX 3.5 without patch ESX350-201008409-BG\");\n\n script_tag(name:\"impact\", value:\"c. OS Command Injection in VMware Tools update\n\n The issue could allow a user on the host to execute commands on the guest operating system with root privileges.\n\n The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not\n affected.\n\n d. VMware VMnc Codec frame decompression remote code execution\n\n An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer,\n and could allow for execution of arbitrary code with the privileges of the user running an application utilizing\n the vulnerable codec.\n\n For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video\n file on a system that has the vulnerable version of the VMnc codec installed.\");\n\n script_tag(name:\"insight\", value:\"VMware hosted products and ESX patches resolve multiple security issues:\n\n a. VMware Workstation, Player and Fusion vmware-mount race condition\n\n The way temporary files are handled by the mounting process could result in a race condition. This\n issue could allow a local user on the host to elevate their privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n b. VMware Workstation, Player and Fusion vmware-mount privilege escalation vmware-mount which is a suid\n binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to\n execute arbitrary shared object files with root privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n c. OS Command Injection in VMware Tools update\n\n A vulnerability in the input validation of VMware Tools update allows for injection of commands.\n\n d. VMware VMnc Codec frame decompression remote code execution\n\n The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware\n Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part\n of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.\n\n A function in the decoder frame decompression routine implicitly trusts a size value.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"vmware_esx.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"4.1.0\", \"ESXi410-201010402-BG\",\n \"4.0.0\", \"ESXi400-201009402-BG\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-10-18T13:57:32", "description": "The version of VMware Fusion installed on the Mac OS X host is earlier than 2.0.8. The VMware Tools update functionality in such versions allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a 'command injection' issue.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-08T00:00:00", "type": "nessus", "title": "VMware Fusion < 2.0.8 (VMSA-2010-0018)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4297"], "modified": "2019-09-24T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_2_0_8.NASL", "href": "https://www.tenable.com/plugins/nessus/51078", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51078);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/24 15:02:54\");\n\n script_cve_id(\"CVE-2010-4297\");\n script_bugtraq_id(45166);\n\n script_name(english:\"VMware Fusion < 2.0.8 (VMSA-2010-0018)\");\n script_summary(english:\"Checks version of Fusion\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has an application that is affected by a security\nissue.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of VMware Fusion installed on the Mac OS X host is\nearlier than 2.0.8. The VMware Tools update functionality in such\nversions allows host OS users to gain privileges on the guest OS via\nunspecified vectors, related to a 'command injection' issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.vmware.com/support/fusion2/doc/releasenotes_fusion_208.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Fusion 2.0.8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/08\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"MacOSX/Fusion/Version\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Fusion/Version\");\nfixed_version = \"2.0.8\";\n\nmajor = split(version, sep:'.', keep:FALSE);\nmajor = major[0];\n\nif (major == \"2\")\n{\n if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n Installed version : ' + version + \n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n }\n else exit(0, \"The host is not affected since VMware Fusion \"+version+\" is installed.\");\n}\nelse exit(0, \"The host is not affected since VMware Fusion \"+version+\" is installed and this plugin looks only at versions \"+major+\".x.\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:43:00", "description": "The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by an unspecified flaw in the Tools update functionality due to improper validation of user-supplied input. A local attacker with host operating system access can exploit this flaw to gain root privileges on the guess operating system.", "cvss3": {"score": null, "vector": null}, "published": "2016-03-08T00:00:00", "type": "nessus", "title": "VMware ESX / ESXi Tools Update Privilege Escalation (VMSA-2010-0018) (remote check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4297"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx", "cpe:/o:vmware:esxi"], "id": "VMWARE_VMSA-2010-0018_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/89744", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89744);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-4297\");\n script_bugtraq_id(45166);\n script_xref(name:\"VMSA\", value:\"2010-0018\");\n\n script_name(english:\"VMware ESX / ESXi Tools Update Privilege Escalation (VMSA-2010-0018) (remote check)\");\n script_summary(english:\"Checks the ESX / ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESX / ESXi host is missing a security-related patch.\nIt is, therefore, affected by an unspecified flaw in the Tools update\nfunctionality due to improper validation of user-supplied input. A\nlocal attacker with host operating system access can exploit this flaw\nto gain root privileges on the guess operating system.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as referenced in the vendor advisory that\npertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 /\n4.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Host/VMware/vsphere\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nport = get_kb_item_or_exit(\"Host/VMware/vsphere\");\nesx = '';\n\nif (\"ESX\" >!< rel)\n audit(AUDIT_OS_NOT, \"VMware ESX/ESXi\");\n\nextract = eregmatch(pattern:\"^(ESXi?) (\\d\\.\\d).*$\", string:ver);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_APP_VER, \"VMware ESX/ESXi\");\nelse\n{\n esx = extract[1];\n ver = extract[2];\n}\n\n# fixed build numbers are the same for ESX and ESXi\nfixes = make_array(\n \"3.5\", \"283373\",\n \"4.0\", \"294855\",\n \"4.1\", \"320092\"\n );\n\nfix = FALSE;\nfix = fixes[ver];\n\n# get the build before checking the fix for the most complete audit trail\nextract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel);\nif (isnull(extract))\n audit(AUDIT_UNKNOWN_BUILD, \"VMware \" + esx, ver);\n\nbuild = int(extract[1]);\n\n# if there is no fix in the array, fix is FALSE\nif (!fix)\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware \" + esx, ver, build);\n\nif (build < fix)\n{\n report = '\\n Version : ' + esx + \" \" + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n exit(0);\n}\nelse\n audit(AUDIT_INST_VER_NOT_VULN, \"VMware \" + esx, ver, build);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:02:18", "description": "A VMware product (Player, Workstation, Server, or Movie Decoder) detected on the remote host has one or more of the following vulnerabilities :\n\n - A vulnerability in VMware Tools update could allow arbitrary code execution on non-Windows based guest operating systems with root privileges. (CVE-2010-4297)\n\n - A vulnerability in VMware VMnc Codec could allow arbitrary code execution subject to the privileges of the user running the application using the vulnerable codec. (CVE-2010-4294)\n\nIn addition to patching, VMware Tools must be manually updated on all guest VMs in order to completely mitigate certain vulnerabilities. Refer to the VMware advisory for more information.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-07T00:00:00", "type": "nessus", "title": "VMware Products Multiple Vulnerabilities (VMSA-2010-0018)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4294", "CVE-2010-4297"], "modified": "2019-09-24T00:00:00", "cpe": ["cpe:/a:vmware:vmware_player", "cpe:/a:vmware:vmware_server", "cpe:/a:vmware:vmware_workstation"], "id": "VMWARE_MULTIPLE_VMSA_2010_0018.NASL", "href": "https://www.tenable.com/plugins/nessus/51057", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51057);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/09/24 15:02:54\");\n\n script_cve_id(\"CVE-2010-4294\",\"CVE-2010-4297\");\n script_bugtraq_id(45166, 45169);\n script_xref(name:\"VMSA\", value:\"2010-0018\");\n script_xref(name:\"Secunia\", value:\"42480\");\n script_xref(name:\"Secunia\", value:\"42481\");\n\n script_name(english:\"VMware Products Multiple Vulnerabilities (VMSA-2010-0018)\");\n script_summary(english:\"Checks vulnerable versions of VMware products\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has a virtualization application affected by multiple\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A VMware product (Player, Workstation, Server, or Movie Decoder)\ndetected on the remote host has one or more of the following\nvulnerabilities :\n\n - A vulnerability in VMware Tools update could allow \n arbitrary code execution on non-Windows based guest \n operating systems with root privileges. (CVE-2010-4297)\n\n - A vulnerability in VMware VMnc Codec could allow \n arbitrary code execution subject to the privileges\n of the user running the application using the \n vulnerable codec. (CVE-2010-4294)\n\nIn addition to patching, VMware Tools must be manually updated on all\nguest VMs in order to completely mitigate certain vulnerabilities. \nRefer to the VMware advisory for more information.\"\n );\n script_set_attribute(attribute:\"see_also\",value:\"https://www.vmware.com/security/advisories/VMSA-2010-0018.html\");\n script_set_attribute(attribute:\"see_also\",value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-10-16\");\n script_set_attribute(attribute:\"see_also\",value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\");\n\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to :\n\n - VMware Workstation 6.5.5 / 7.1.2 or later.\n - VMware Player 2.5.5 / 3.1.2 or later.\n - VMware Movie Decoder (standalone) 6.5.5/7.1.2 or later.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2010/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2010/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/07\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_player\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_server\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:vmware:vmware_workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"vmware_workstation_detect.nasl\", \"vmware_player_detect.nasl\", \"vmware_server_win_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\n\nport = kb_smb_transport();\nreport = '';\nvuln = NULL;\n\n# Check if Movie Decoder is installed\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\n\ndecoder_installed = FALSE;\nforeach name (list)\n{\n if (name == 'VMware Movie Decoder')\n {\n decoder_installed = TRUE;\n break;\n }\n}\n\n# Check for VMware Workstation\nversion = get_kb_item(\"VMware/Workstation/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n\n if (\n ( int(v[0]) < 6 ) ||\n ( int(v[0]) == 6 && int(v[1]) < 5) ||\n ( int(v[0]) == 6 && int(v[1]) == 5 && int(v[2]) < 5)\n )\n {\n vuln = TRUE;\n\n report = \n '\\n Product : VMware Workstation'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 6.5.5\\n';\n }\n else if (\n (int(v[0]) == 7 && int(v[1]) < 1 ) ||\n (int(v[0]) == 7 && int(v[1]) == 1 && int(v[2]) < 2)\n ) \n {\n vuln = TRUE;\n\n report =\n '\\n Product : VMware Workstation'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 7.1.2\\n';\n }\n else if (isnull(vuln)) vuln = FALSE;\n}\nelse if (decoder_installed)\n{\n # If Workstation is not installed, check if the standalone Movie Decoder is\n # present and vulnerable\n if (!is_accessible_share()) exit(1, \"is_accessible_share() failed.\");\n\n if (\n (hotfix_is_vulnerable(file:\"vmnc.dll\", version:\"6.5.5\", dir:\"\\system32\")) || \n (hotfix_is_vulnerable(file:\"vmnc.dll\", version:\"7.1.2\", min_version:\"7.0.0\", dir:\"\\system32\"))\n )\n {\n vuln = TRUE;\n hf_report = split(hotfix_get_report(), sep:'\\n', keep:FALSE);\n report = '\\n Product : VMware Movie Decoder'+\n '\\n ' + hf_report[1]+\n '\\n ' + hf_report[2]+'\\n';\n }\n \n hotfix_check_fversion_end();\n}\n\nversion = get_kb_item(\"VMware/Server/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n # Flag all server versions <= 2\n if (int(v[0]) <= 2)\n {\n vuln = TRUE;\n\n report =\n '\\n Product : VMware Server'+\n '\\n Installed version : '+ version + \n '\\n Fixed version : no patches planned.\\n';\n } \n else if (isnull(vuln)) vuln = FALSE; \n}\n\n# Check for VMware Player\nversion = get_kb_item(\"VMware/Player/Version\");\nif (version)\n{\n v = split(version, sep:\".\", keep:FALSE);\n if (\n ( int(v[0]) < 2 ) ||\n ( int(v[0]) == 2 && int(v[1]) < 5 ) ||\n ( int(v[0]) == 2 && int(v[1]) == 5 && int(v[2]) < 5)\n )\n {\n vuln = TRUE;\n report +=\n '\\n Product : VMware Player'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 2.5.5\\n';\n }\n else if ((int(v[0]) == 3 && int(v[1]) < 1) ||\n (int(v[0]) == 3 && int(v[1]) == 1 && int(v[2]) < 2)\n )\n {\n vuln = TRUE;\n report +=\n '\\n Product : VMware Player'+\n '\\n Installed version : '+version+\n '\\n Fixed version : 3.1.2\\n';\n }\n else if (isnull(vuln)) vuln = FALSE;\n}\n\nif (isnull(vuln)) exit(0, \"No VMware products were detected on this host.\");\nif (!vuln) exit(0, \"The host is not affected.\");\n\nif (report_verbosity > 0) security_hole(port:port, extra:report);\nelse security_hole();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-18T13:57:32", "description": "The version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.2. Such versions are affected by three security issues :\n\n - A race condition in the mounting process in vmware-mount in allows host OS users to gain privileges via vectors involving temporary files. (CVE-2010-4295)\n\n - The VMware Tools update functionality allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a 'command injection' issue. (CVE-2010-4297) \n - vmware-mount does not properly load libraries, which allows host OS users to gain privileges via vectors involving shared object files. (CVE-2010-4296)", "cvss3": {"score": null, "vector": null}, "published": "2010-12-08T00:00:00", "type": "nessus", "title": "VMware Fusion < 3.1.2 (VMSA-2010-0018)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4295", "CVE-2010-4296", "CVE-2010-4297"], "modified": "2019-09-24T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_3_1_2.NASL", "href": "https://www.tenable.com/plugins/nessus/51079", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51079);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/09/24 15:02:54\");\n\n script_cve_id(\"CVE-2010-4295\", \"CVE-2010-4296\", \"CVE-2010-4297\");\n script_bugtraq_id(45167, 45166, 45168);\n\n script_name(english:\"VMware Fusion < 3.1.2 (VMSA-2010-0018)\");\n script_summary(english:\"Checks version of Fusion\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has an application that is affected by three security\nissues.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of VMware Fusion installed on the Mac OS X host is\nearlier than 3.1.2. Such versions are affected by three security\nissues :\n\n - A race condition in the mounting process in vmware-mount\n in allows host OS users to gain privileges via vectors \n involving temporary files. (CVE-2010-4295)\n\n - The VMware Tools update functionality allows host OS \n users to gain privileges on the guest OS via unspecified\n vectors, related to a 'command injection' issue. \n (CVE-2010-4297)\n \n - vmware-mount does not properly load libraries, which \n allows host OS users to gain privileges via vectors \n involving shared object files. (CVE-2010-4296)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.vmware.com/security/advisories/VMSA-2010-0018.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to VMware Fusion 3.1.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/08\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"MacOSX/Fusion/Version\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Fusion/Version\");\nfixed_version = \"3.1.2\";\n\nmajor = split(version, sep:'.', keep:FALSE);\nmajor = major[0];\n\nif(major == \"3\")\n{\n if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n {\n if (report_verbosity > 0)\n {\n report = \n '\\n Installed version : ' + version + \n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n }\n else exit(0, \"The host is not affected since VMware Fusion \"+version+\" is installed.\");\n}\nelse exit(0, \"The host is not affected since VMware Fusion \"+version+\" is installed and this plugin looks only at versions \"+major+\".x.\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:02:24", "description": "a. VMware Workstation, Player and Fusion vmware-mount race condition\n\n The way temporary files are handled by the mounting process could result in a race condition. This issue could allow a local user on the host to elevate their privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4295 to this issue.\n\n VMware would like to thank Dan Rosenberg for reporting this issue.\n\nb. VMware Workstation, Player and Fusion vmware-mount privilege escalation\n\n vmware-mount which is a suid binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to execute arbitrary shared object files with root privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4296 to this issue.\n\n VMware would like to thank Martin Carpenter for reporting this issue.\n\nc. OS Command Injection in VMware Tools update\n\n A vulnerability in the input validation of VMware Tools update allows for injection of commands. The issue could allow a user on the host to execute commands on the guest operating system with root privileges.\n\n The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4297 to this issue.\n\n VMware would like to thank Nahuel Grisolia of Bonsai Information Security, http://www.bonsai-sec.com, for reporting this issue.\n\nd. VMware VMnc Codec frame decompression remote code execution\n\n The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package.\n\n A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4294 to this issue.\n\n VMware would like to thank Aaron Portnoy and Logan Brown of TippingPoint DVLabs for reporting this issue.", "cvss3": {"score": null, "vector": null}, "published": "2010-12-06T00:00:00", "type": "nessus", "title": "VMSA-2010-0018 : VMware hosted products and ESX patches resolve multiple security issues", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4294", "CVE-2010-4295", "CVE-2010-4296", "CVE-2010-4297"], "modified": "2021-01-06T00:00:00", "cpe": ["cpe:/o:vmware:esx:4.0"], "id": "VMWARE_VMSA-2010-0018.NASL", "href": "https://www.tenable.com/plugins/nessus/50985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2010-0018. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50985);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-4294\", \"CVE-2010-4295\", \"CVE-2010-4296\", \"CVE-2010-4297\");\n script_bugtraq_id(45167, 45168);\n script_xref(name:\"VMSA\", value:\"2010-0018\");\n\n script_name(english:\"VMSA-2010-0018 : VMware hosted products and ESX patches resolve multiple security issues\");\n script_summary(english:\"Checks esxupdate output for the patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote VMware ESX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. VMware Workstation, Player and Fusion vmware-mount race condition\n\n The way temporary files are handled by the mounting process could\n result in a race condition. This issue could allow a local user on\n the host to elevate their privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not\n affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-4295 to this issue.\n\n VMware would like to thank Dan Rosenberg for reporting this issue.\n\nb. VMware Workstation, Player and Fusion vmware-mount privilege\n escalation\n\n vmware-mount which is a suid binary has a flaw in the way libraries\n are loaded. This issue could allow local users on the host to\n execute arbitrary shared object files with root privileges.\n\n VMware Workstation and Player running on Microsoft Windows are not\n affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-4296 to this issue.\n\n VMware would like to thank Martin Carpenter for reporting this\n issue.\n\nc. OS Command Injection in VMware Tools update\n\n A vulnerability in the input validation of VMware Tools update\n allows for injection of commands. The issue could allow a user\n on the host to execute commands on the guest operating system\n with root privileges.\n\n The issue can only be exploited if VMware Tools is not fully\n up-to-date. Windows-based virtual machines are not affected.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-4297 to this issue.\n\n VMware would like to thank Nahuel Grisolia of Bonsai Information\n Security, http://www.bonsai-sec.com, for reporting this issue.\n\nd. VMware VMnc Codec frame decompression remote code execution\n\n The VMware movie decoder contains the VMnc media codec that is\n required to play back movies recorded with VMware Workstation,\n VMware Player and VMware ACE, in any compatible media player. The\n movie decoder is installed as part of VMware Workstation, VMware\n Player and VMware ACE, or can be downloaded as a stand alone\n package.\n\n A function in the decoder frame decompression routine implicitly\n trusts a size value. An attacker can utilize this to miscalculate\n a destination pointer, leading to the corruption of a heap buffer,\n and could allow for execution of arbitrary code with the privileges\n of the user running an application utilizing the vulnerable codec.\n\n For an attack to be successful the user must be tricked into\n visiting a malicious web page or opening a malicious video file on\n a system that has the vulnerable version of the VMnc codec installed.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2010-4294 to this issue.\n\n VMware would like to thank Aaron Portnoy and Logan Brown of\n TippingPoint DVLabs for reporting this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2010/000112.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2010-12-02\");\nflag = 0;\n\n\nif (\n esx_check(\n ver : \"ESX 4.0\",\n patch : \"ESX400-201009401-SG\",\n patch_updates : make_list(\"ESX400-201101401-SG\", \"ESX400-201103401-SG\", \"ESX400-201104401-SG\", \"ESX400-201110401-SG\", \"ESX400-201111201-SG\", \"ESX400-201203401-SG\", \"ESX400-201205401-SG\", \"ESX400-201206401-SG\", \"ESX400-201209401-SG\", \"ESX400-201302401-SG\", \"ESX400-201305401-SG\", \"ESX400-201310401-SG\", \"ESX400-201404401-SG\", \"ESX400-Update03\", \"ESX400-Update04\")\n )\n) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:56", "description": "", "published": "2010-12-09T00:00:00", "type": "packetstorm", "title": "VMware Tools Update OS Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4297"], "modified": "2010-12-09T00:00:00", "id": "PACKETSTORM:96508", "href": "https://packetstormsecurity.com/files/96508/VMware-Tools-Update-OS-Command-Injection.html", "sourceData": "`VMware Tools update OS Command Injection \n======================================== \n \n1. Advisory Information \nAdvisory ID: BONSAI-2010-0110 \nDate published: Thu Dec 9, 2010 \nVendors contacted: VMware \nRelease mode: Coordinated release \n \n2. Vulnerability Information \nClass: Injection \nRemotely Exploitable: Yes \nLocally Exploitable: Yes \nCVE Name: CVE-2010-4297 \n \n3. Software Description \nVMware Tools is a suite of utilities that enhances the performance of \nthe virtual machine's guest operating system and improves management of \nthe virtual machine. Without VMware Tools installed in your guest \noperating system, guest performance lacks important functionality. \nInstalling VMware Tools eliminates or improves the following issues: \n \n* low video resolution \n* inadequate color depth \n* incorrect display of network speed \n* restricted movement of the mouse \n* inability to copy and paste and drag-and-drop files \n* missing sound \n \nVMware Tools includes these components: \n \n* VMware Tools service \n* VMware device drivers \n* VMware user process \n* VMware Tools control panel \n \nVMware Tools is provided in the following formats: \n \n* ISOs (contain .tar and .rpm files) \u2013 packaged with the product and \nare installed in a number of ways, depending upon the VMware product and \nthe guest operating system installed in the virtual machine. VMware \nTools provides a different ISO file for each type of supported guest \noperating system: Windows, Linux, NetWare, Solaris, and FreeBSD. \n* Operating System Specific Packages (OSPs) \u2013 downloaded and \ninstalled from the command line. VMware Tools is available as separate \ndownloadable, light-weight packages that are specific to each supported \nLinux operating system and VMware product. OSPs are an alternative to \nthe existing mechanism for installing VMware Tools and only support \nLinux systems running on ESX. \n \n4. Vulnerability Description \nInjection flaws, such as SQL, OS, and LDAP injection, occur when \nuntrusted data is sent to an interpreter as part of a command or query. \nThe attacker\u2019s hostile data can trick the interpreter into executing \nunintended commands or accessing unauthorized data. \n \n5. Vulnerable packages \nColumn 4 of the following table lists the action required to remediate \nthe vulnerability in each release, if a solution is available: \nVMWare Product Product Version Running On Replace with / Apply Patch \nVirtualCenter any Windows not affected \nWorkstation 7.X any 7.1.2 Build 301548 or later \nWorkstation 6.5.X any 6.5.5 Build 328052 or later \nPlayer 3.1.X any 3.1.2 Build 301548 or later \nPlayer 2.5.X any 2.5.5 Build 328052 or later \nAMS any any not affected \nServer 2.0.2 any affected, no patch planned \nFusion 3.1.X Mac OSX 3.1.2 Build 332101 \nFusion 2.X Mac OSX 2.0.8 Build 328035 \nESXi 4.1 ESXi ESXi410-201010402-BG \nESXi 4.0 ESXi ESXi400-201009402-BG \nESXi 3.5 ESXi ESXe350-201008402-T-BG ** \nESX 4.1 ESX ESX410-201010405-BG \nESX 4.0 ESX ESX400-201009401-SG \nESX 3.5 ESX ESX350-201008409-BG ** \nESX 3.0.3 ESX not affected \n \n* hosted products are VMware Workstation, Player, ACE, Fusion. \n** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only: \n- Install the relevant ESX patch. \n- Manually upgrade tools in the virtual machine (virtual machine \nusers will not be prompted to upgrade tools). Note the VI Client may \nnot show that the VMware tools is out of date in th summary tab. \nFull VMWare advisory could be found at: \nhttp://www.vmware.com/security/advisories/VMSA-2010-0018.html \n \n6. Non-vulnerable packages \nSee above table. \n \n7. Credits \nThis vulnerability was discovered by Nahuel Grisolia ( nahuel -at- \nbonsai-sec.com ). \n \n8. Technical Description \n8.1. OS Command Injection \u2013 PoC Example \nCVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C) \nVMware Server Infrastructure Web Access is prone to remote command \nexecution vulnerability because the software fails to adequately \nsanitize user-supplied input. \nWhen Updating the VMTools on a certain Guest Virtual Machine, a command \ninjection attack can be executed if specially crafted parameters are sent. \nSuccessful attacks can compromise the affected Guest Virtual Machine \nwith root privileges. \nThe following proof of concept is given. It was exploited in a GNU/Linux \nGuest with VMware Tools installed but not fully updated: \nPOST /ui/sb HTTP/1.1 \n[\u2026] \nCookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser; \nl=http%3A%2F%2Flocalhost%3A80%2Fsdk \n[\u2026] \n[{i:\"378\",exec:\"/cmd/vm\",args:[\"UpgradeTools_Task\",{_i:\"VirtualMachine|960\"},\"; \nINJECTED COMMAND HERE ;\"]}] \n \n \n9. Report Timeline \n\u2022 2010-04-24 / Vulnerabilities were identified \n\u2022 2010-04-29 \u2013 2010-12-02 / Multiple Contacts with Vendor \n\u2022 2010-12-09 / Vulnerability is Disclosed \u2013 PoC attached \n \n10. About Bonsai \nBonsai is a company involved in providing professional computer \ninformation security services. Currently a sound growth company, since \nits foundation in early 2009 in Buenos Aires, Argentina, we are fully \ncommitted to quality service and focused on our customers\u2019 real needs. \n \n11. Disclaimer \nThe contents of this advisory are copyright (c) 2010 Bonsai Information \nSecurity, and may be distributed freely provided that no fee is charged \nfor this distribution and proper credit is given. \n \n12. Research \nhttp://www.bonsai-sec.com/en/research/vulnerability.php \nhttp://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/96508/BONSAI-2010-0110.txt"}], "cve": [{"lastseen": "2022-03-23T12:46:00", "description": "The VMware Tools update functionality in VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548; VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548; VMware Server 2.0.2; VMware Fusion 2.x before 2.0.8 build 328035 and 3.1.x before 3.1.2 build 332101; VMware ESXi 3.5, 4.0, and 4.1; and VMware ESX 3.0.3, 3.5, 4.0, and 4.1 allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a \"command injection\" issue.", "cvss3": {}, "published": "2010-12-06T21:05:00", "type": "cve", "title": "CVE-2010-4297", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4297"], "modified": "2018-10-10T20:08:00", "cpe": ["cpe:/a:vmware:workstation:7.1.1", "cpe:/a:vmware:fusion:2.0.2", "cpe:/a:vmware:esx:4.0", "cpe:/a:vmware:player:3.1", "cpe:/a:vmware:fusion:2.0.3", "cpe:/a:vmware:fusion:2.0.1", "cpe:/a:vmware:fusion:2.0.8", "cpe:/a:vmware:player:2.5", "cpe:/a:vmware:fusion:2.0.4", "cpe:/a:vmware:esx:3.5", "cpe:/a:vmware:workstation:7.1", "cpe:/a:vmware:fusion:2.0.5", "cpe:/a:vmware:esxi:3.5", "cpe:/a:vmware:esxi:4.0", "cpe:/a:vmware:player:2.5.2", "cpe:/a:vmware:player:2.5.4", "cpe:/a:vmware:workstation:7.0", "cpe:/a:vmware:player:2.5.5", "cpe:/a:vmware:workstation:6.5.0", "cpe:/a:vmware:fusion:3.1.1", "cpe:/a:vmware:fusion:2.0.6", "cpe:/a:vmware:fusion:3.1.2", "cpe:/a:vmware:fusion:2.0", "cpe:/a:vmware:esx:4.1", "cpe:/a:vmware:player:3.1.1", "cpe:/a:vmware:player:2.5.1", "cpe:/a:vmware:esxi:4.1", "cpe:/a:vmware:player:2.5.3", "cpe:/a:vmware:workstation:7.0.1", "cpe:/a:vmware:fusion:2.0.7", "cpe:/a:vmware:workstation:6.5.3", "cpe:/a:vmware:workstation:6.5.2", "cpe:/a:vmware:workstation:6.5.5", "cpe:/a:vmware:workstation:6.5.1", "cpe:/a:vmware:fusion:3.1", "cpe:/a:vmware:player:3.1.2", "cpe:/a:vmware:workstation:7.1.2"], "id": "CVE-2010-4297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4297", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:workstation:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esxi:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esxi:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:6.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:7.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:6.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:6.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:6.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esxi:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:player:2.5.4:*:*:*:*:*:*:*"]}], "exploitpack": [{"lastseen": "2020-04-01T19:04:53", "description": "\nVMware Tools - Update OS Command Injection", "edition": 2, "published": "2010-12-09T00:00:00", "title": "VMware Tools - Update OS Command Injection", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4297"], "modified": "2010-12-09T00:00:00", "id": "EXPLOITPACK:56567B8BBB3D59AE8BC1A846E3EF33FA", "href": "", "sourceData": "VMware Tools update OS Command Injection\n========================================\n\n1. Advisory Information\nAdvisory ID: BONSAI-2010-0110\nDate published: Thu Dec 9, 2010\nVendors contacted: VMware\nRelease mode: Coordinated release\n\n2. Vulnerability Information\nClass: Injection\nRemotely Exploitable: Yes\nLocally Exploitable: Yes\nCVE Name: CVE-2010-4297\n\n3. Software Description\nVMware Tools is a suite of utilities that enhances the performance of\nthe virtual machine's guest operating system and improves management of\nthe virtual machine. Without VMware Tools installed in your guest\noperating system, guest performance lacks important functionality.\nInstalling VMware Tools eliminates or improves the following issues:\n\n * low video resolution\n * inadequate color depth\n * incorrect display of network speed\n * restricted movement of the mouse\n * inability to copy and paste and drag-and-drop files\n * missing sound\n\nVMware Tools includes these components:\n\n * VMware Tools service\n * VMware device drivers\n * VMware user process\n * VMware Tools control panel\n\nVMware Tools is provided in the following formats:\n\n * ISOs (contain .tar and .rpm files) \u2013 packaged with the product and\nare installed in a number of ways, depending upon the VMware product and\nthe guest operating system installed in the virtual machine. VMware\nTools provides a different ISO file for each type of supported guest\noperating system: Windows, Linux, NetWare, Solaris, and FreeBSD.\n * Operating System Specific Packages (OSPs) \u2013 downloaded and\ninstalled from the command line. VMware Tools is available as separate\ndownloadable, light-weight packages that are specific to each supported\nLinux operating system and VMware product. OSPs are an alternative to\nthe existing mechanism for installing VMware Tools and only support\nLinux systems running on ESX.\n\n4. Vulnerability Description\nInjection flaws, such as SQL, OS, and LDAP injection, occur when\nuntrusted data is sent to an interpreter as part of a command or query.\nThe attacker\u2019s hostile data can trick the interpreter into executing\nunintended commands or accessing unauthorized data.\n\n5. Vulnerable packages\nColumn 4 of the following table lists the action required to remediate\nthe vulnerability in each release, if a solution is available:\nVMWare Product\tProduct Version\tRunning On\tReplace with / Apply Patch\nVirtualCenter\tany\tWindows\tnot affected\nWorkstation\t7.X\tany\t7.1.2 Build 301548 or later\nWorkstation\t6.5.X\tany\t6.5.5 Build 328052 or later\nPlayer\t3.1.X\tany\t3.1.2 Build 301548 or later\nPlayer\t2.5.X\tany\t2.5.5 Build 328052 or later\nAMS\tany\tany\tnot affected\nServer\t2.0.2\tany\taffected, no patch planned\nFusion\t3.1.X\tMac OSX\t3.1.2 Build 332101\nFusion\t2.X\tMac OSX\t2.0.8 Build 328035\nESXi\t4.1\tESXi\tESXi410-201010402-BG\nESXi\t4.0\tESXi\tESXi400-201009402-BG\nESXi\t3.5\tESXi\tESXe350-201008402-T-BG **\nESX\t4.1\tESX\tESX410-201010405-BG\nESX\t4.0\tESX\tESX400-201009401-SG\nESX\t3.5\tESX\tESX350-201008409-BG **\nESX\t3.0.3\tESX\tnot affected\n\n * hosted products are VMware Workstation, Player, ACE, Fusion.\n ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:\n - Install the relevant ESX patch.\n - Manually upgrade tools in the virtual machine (virtual machine\nusers will not be prompted to upgrade tools). Note the VI Client may\nnot show that the VMware tools is out of date in th summary tab.\nFull VMWare advisory could be found at:\nhttp://www.vmware.com/security/advisories/VMSA-2010-0018.html\n\n6. Non-vulnerable packages\nSee above table.\n\n7. Credits\nThis vulnerability was discovered by Nahuel Grisolia ( nahuel -at-\nbonsai-sec.com ).\n\n8. Technical Description\n8.1. OS Command Injection \u2013 PoC Example\nCVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)\nVMware Server Infrastructure Web Access is prone to remote command\nexecution vulnerability because the software fails to adequately\nsanitize user-supplied input.\nWhen Updating the VMTools on a certain Guest Virtual Machine, a command\ninjection attack can be executed if specially crafted parameters are sent.\nSuccessful attacks can compromise the affected Guest Virtual Machine\nwith root privileges.\nThe following proof of concept is given. It was exploited in a GNU/Linux\nGuest with VMware Tools installed but not fully updated:\nPOST /ui/sb HTTP/1.1\n[\u2026]\nCookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;\nl=http%3A%2F%2Flocalhost%3A80%2Fsdk\n[\u2026]\n[{i:\"378\",exec:\"/cmd/vm\",args:[\"UpgradeTools_Task\",{_i:\"VirtualMachine|960\"},\";\nINJECTED COMMAND HERE ;\"]}]\n\n\n9. Report Timeline\n\u2022 2010-04-24 / Vulnerabilities were identified\n\u2022 2010-04-29 \u2013 2010-12-02 / Multiple Contacts with Vendor\n\u2022 2010-12-09 / Vulnerability is Disclosed \u2013 PoC attached\n\n10. About Bonsai\nBonsai is a company involved in providing professional computer\ninformation security services. Currently a sound growth company, since\nits foundation in early 2009 in Buenos Aires, Argentina, we are fully\ncommitted to quality service and focused on our customers\u2019 real needs.\n\n11. Disclaimer\nThe contents of this advisory are copyright (c) 2010 Bonsai Information\nSecurity, and may be distributed freely provided that no fee is charged\nfor this distribution and proper credit is given.\n\n12. Research\nhttp://www.bonsai-sec.com/en/research/vulnerability.php\nhttp://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-01-13T06:49:09", "description": "", "cvss3": {}, "published": "2010-12-09T00:00:00", "type": "exploitdb", "title": "VMware Tools - Update OS Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4297", "2010-4297"], "modified": "2010-12-09T00:00:00", "id": "EDB-ID:15717", "href": "https://www.exploit-db.com/exploits/15717", "sourceData": "VMware Tools update OS Command Injection\r\n========================================\r\n\r\n1. Advisory Information\r\nAdvisory ID: BONSAI-2010-0110\r\nDate published: Thu Dec 9, 2010\r\nVendors contacted: VMware\r\nRelease mode: Coordinated release\r\n\r\n2. Vulnerability Information\r\nClass: Injection\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2010-4297\r\n\r\n3. Software Description\r\nVMware Tools is a suite of utilities that enhances the performance of\r\nthe virtual machine's guest operating system and improves management of\r\nthe virtual machine. Without VMware Tools installed in your guest\r\noperating system, guest performance lacks important functionality.\r\nInstalling VMware Tools eliminates or improves the following issues:\r\n\r\n * low video resolution\r\n * inadequate color depth\r\n * incorrect display of network speed\r\n * restricted movement of the mouse\r\n * inability to copy and paste and drag-and-drop files\r\n * missing sound\r\n\r\nVMware Tools includes these components:\r\n\r\n * VMware Tools service\r\n * VMware device drivers\r\n * VMware user process\r\n * VMware Tools control panel\r\n\r\nVMware Tools is provided in the following formats:\r\n\r\n * ISOs (contain .tar and .rpm files) \u2013 packaged with the product and\r\nare installed in a number of ways, depending upon the VMware product and\r\nthe guest operating system installed in the virtual machine. VMware\r\nTools provides a different ISO file for each type of supported guest\r\noperating system: Windows, Linux, NetWare, Solaris, and FreeBSD.\r\n * Operating System Specific Packages (OSPs) \u2013 downloaded and\r\ninstalled from the command line. VMware Tools is available as separate\r\ndownloadable, light-weight packages that are specific to each supported\r\nLinux operating system and VMware product. OSPs are an alternative to\r\nthe existing mechanism for installing VMware Tools and only support\r\nLinux systems running on ESX.\r\n\r\n4. Vulnerability Description\r\nInjection flaws, such as SQL, OS, and LDAP injection, occur when\r\nuntrusted data is sent to an interpreter as part of a command or query.\r\nThe attacker\u2019s hostile data can trick the interpreter into executing\r\nunintended commands or accessing unauthorized data.\r\n\r\n5. Vulnerable packages\r\nColumn 4 of the following table lists the action required to remediate\r\nthe vulnerability in each release, if a solution is available:\r\nVMWare Product\tProduct Version\tRunning On\tReplace with / Apply Patch\r\nVirtualCenter\tany\tWindows\tnot affected\r\nWorkstation\t7.X\tany\t7.1.2 Build 301548 or later\r\nWorkstation\t6.5.X\tany\t6.5.5 Build 328052 or later\r\nPlayer\t3.1.X\tany\t3.1.2 Build 301548 or later\r\nPlayer\t2.5.X\tany\t2.5.5 Build 328052 or later\r\nAMS\tany\tany\tnot affected\r\nServer\t2.0.2\tany\taffected, no patch planned\r\nFusion\t3.1.X\tMac OSX\t3.1.2 Build 332101\r\nFusion\t2.X\tMac OSX\t2.0.8 Build 328035\r\nESXi\t4.1\tESXi\tESXi410-201010402-BG\r\nESXi\t4.0\tESXi\tESXi400-201009402-BG\r\nESXi\t3.5\tESXi\tESXe350-201008402-T-BG **\r\nESX\t4.1\tESX\tESX410-201010405-BG\r\nESX\t4.0\tESX\tESX400-201009401-SG\r\nESX\t3.5\tESX\tESX350-201008409-BG **\r\nESX\t3.0.3\tESX\tnot affected\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Fusion.\r\n ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:\r\n - Install the relevant ESX patch.\r\n - Manually upgrade tools in the virtual machine (virtual machine\r\nusers will not be prompted to upgrade tools). Note the VI Client may\r\nnot show that the VMware tools is out of date in th summary tab.\r\nFull VMWare advisory could be found at:\r\nhttp://www.vmware.com/security/advisories/VMSA-2010-0018.html\r\n\r\n6. Non-vulnerable packages\r\nSee above table.\r\n\r\n7. Credits\r\nThis vulnerability was discovered by Nahuel Grisolia ( nahuel -at-\r\nbonsai-sec.com ).\r\n\r\n8. Technical Description\r\n8.1. OS Command Injection \u2013 PoC Example\r\nCVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)\r\nVMware Server Infrastructure Web Access is prone to remote command\r\nexecution vulnerability because the software fails to adequately\r\nsanitize user-supplied input.\r\nWhen Updating the VMTools on a certain Guest Virtual Machine, a command\r\ninjection attack can be executed if specially crafted parameters are sent.\r\nSuccessful attacks can compromise the affected Guest Virtual Machine\r\nwith root privileges.\r\nThe following proof of concept is given. It was exploited in a GNU/Linux\r\nGuest with VMware Tools installed but not fully updated:\r\nPOST /ui/sb HTTP/1.1\r\n[\u2026]\r\nCookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;\r\nl=http%3A%2F%2Flocalhost%3A80%2Fsdk\r\n[\u2026]\r\n[{i:\"378\",exec:\"/cmd/vm\",args:[\"UpgradeTools_Task\",{_i:\"VirtualMachine|960\"},\";\r\nINJECTED COMMAND HERE ;\"]}]\r\n\r\n\r\n9. Report Timeline\r\n\u2022 2010-04-24 / Vulnerabilities were identified\r\n\u2022 2010-04-29 \u2013 2010-12-02 / Multiple Contacts with Vendor\r\n\u2022 2010-12-09 / Vulnerability is Disclosed \u2013 PoC attached\r\n\r\n10. About Bonsai\r\nBonsai is a company involved in providing professional computer\r\ninformation security services. Currently a sound growth company, since\r\nits foundation in early 2009 in Buenos Aires, Argentina, we are fully\r\ncommitted to quality service and focused on our customers\u2019 real needs.\r\n\r\n11. Disclaimer\r\nThe contents of this advisory are copyright (c) 2010 Bonsai Information\r\nSecurity, and may be distributed freely provided that no fee is charged\r\nfor this distribution and proper credit is given.\r\n\r\n12. Research\r\nhttp://www.bonsai-sec.com/en/research/vulnerability.php\r\nhttp://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php", "sourceHref": "https://www.exploit-db.com/download/15717", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-4295", "CVE-2010-4294", "CVE-2010-4297", "CVE-2010-4296"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2010-0018\r\nSynopsis: VMware hosted products and ESX patches resolve\r\n multiple security issues\r\nIssue date: 2010-12-02\r\nUpdated on: 2010-12-02 (initial release of advisory)\r\nCVE numbers: CVE-2010-4295 CVE-2010-4296 CVE-2010-4297\r\n CVE-2010-4294\r\n- ------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware hosted products and ESX patches resolve multiple security\r\n issues.\r\n\r\n2. Relevant releases\r\n\r\n VMware Workstation 7.1.1 and earlier,\r\n VMware Workstation 6.5.4 and earlier,\r\n VMware Player 3.1.1 and earlier,\r\n VMware Player 2.5.4 and earlier,\r\n\r\n VMware Fusion 3.1.1 and earlier,\r\n\r\n ESXi 4.1 without patch ESXi410-201010402-BG or later\r\n ESXi 4.0 without patch ESXi400-201009402-BG or later\r\n ESXi 3.5 without patch ESXe350-201008402-T-BG or later\r\n\r\n ESX 4.1 without patch ESX410-201010405-BG\r\n ESX 4.0 without patch ESX400-201009401-SG\r\n ESX 3.5 without patch ESX350-201008409-BG\r\n\r\n Note: VMware Server was declared End Of Availability on January 2010,\r\n support will be limited to Technical Guidance for the duration\r\n of the support term.\r\n\r\n3. Problem Description\r\n\r\n a. VMware Workstation, Player and Fusion vmware-mount race condition\r\n\r\n The way temporary files are handled by the mounting process could\r\n result in a race condition. This issue could allow a local user on\r\n the host to elevate their privileges.\r\n\r\n VMware Workstation and Player running on Microsoft Windows are not\r\n affected.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-4295 to this issue.\r\n\r\n VMware would like to thank Dan Rosenberg for reporting this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.x Linux 7.1.2 Build 301548 or later\r\n Workstation 7.x Windows not affected\r\n Workstation 6.5.x any not affected\r\n\r\n Player 3.1.x Linux 3.1.2 Build 301548 or later\r\n Player 3.1.x Windows not affected\r\n Player 2.5.x any not affected\r\n\r\n AMS any any not affected\r\n\r\n Server 2.0.2 Linux affected, no patch planned\r\n Server 2.0.2 Windows not affected\r\n\r\n Fusion 3.1.x Mac OS/X 3.1.2 Build 332101 or later\r\n Fusion 2.x Mac OS/X not affected\r\n\r\n ESXi any ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n\r\n b. VMware Workstation, Player and Fusion vmware-mount privilege\r\n escalation\r\n\r\n vmware-mount which is a suid binary has a flaw in the way libraries\r\n are loaded. This issue could allow local users on the host to\r\n execute arbitrary shared object files with root privileges.\r\n\r\n VMware Workstation and Player running on Microsoft Windows are not\r\n affected.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-4296 to this issue.\r\n\r\n VMware would like to thank Martin Carpenter for reporting this\r\n issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.x Linux 7.1.2 Build 301548 or later\r\n Workstation 7.x Windows not affected\r\n Workstation 6.5.x any not affected\r\n\r\n Player 3.1.x Linux 3.1.2 Build 301548 or later\r\n Player 3.1.x Windows not affected\r\n Player 2.5.x any not affected\r\n\r\n AMS any any not affected\r\n\r\n Server 2.0.2 Linux affected, no patch planned\r\n Server 2.0.2 Windows not affected\r\n\r\n Fusion 3.1.x Mac OS/X 3.1.2 Build 332101\r\n Fusion 2.x Mac OS/X not affected\r\n\r\n ESXi any ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n\r\n c. OS Command Injection in VMware Tools update\r\n\r\n A vulnerability in the input validation of VMware Tools update\r\n allows for injection of commands. The issue could allow a user\r\n on the host to execute commands on the guest operating system\r\n with root privileges.\r\n\r\n The issue can only be exploited if VMware Tools is not fully\r\n up-to-date. Windows-based virtual machines are not affected.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-4297 to this issue.\r\n\r\n VMware would like to thank Nahuel Grisolia of Bonsai Information\r\n Security, http://www.bonsai-sec.com, for reporting this issue.\r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is\r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 7.x any 7.1.2 Build 301548 or later\r\n Workstation 6.5.x any 6.5.5 Build 328052 or later\r\n\r\n Player 3.1.x any 3.1.2 Build 301548 or later\r\n Player 2.5.x any 2.5.5 Build 328052 or later\r\n\r\n AMS any any not affected\r\n\r\n Server 2.0.2 any affected, no patch planned\r\n\r\n Fusion 3.1.x Mac OS/X 3.1.2 Build 332101\r\n Fusion 2.x Mac OS/X 2.0.8 Build 328035\r\n\r\n ESXi 4.1 ESXi ESXi410-201010402-BG\r\n ESXi 4.0 ESXi ESXi400-201009402-BG\r\n ESXi 3.5 ESXi ESXe350-201008402-T-BG **\r\n\r\n ESX 4.1 ESX ESX410-201010405-BG\r\n ESX 4.0 ESX ESX400-201009401-SG\r\n ESX 3.5 ESX ESX350-201008409-BG **\r\n ESX 3.0.3 ESX not affected\r\n\r\n * hosted products are VMware Workstation, Player, ACE, Fusion.\r\n ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:\r\n - Install the relevant ESX patch.\r\n - Manually upgrade tools in the virtual machine (virtual machine\r\n users will not be prompted to upgrade tools). Note the VI\r\n Client may not show that the VMware tools is out of date in the\r\n summary tab.\r\n\r\n d. VMware VMnc Codec frame decompression remote code execution\r\n\r\n The VMware movie decoder contains the VMnc media codec that is\r\n required to play back movies recorded with VMware Workstation,\r\n VMware Player and VMware ACE, in any compatible media player. The\r\n movie decoder is installed as part of VMware Workstation, VMware\r\n Player and VMware ACE, or can be downloaded as a stand alone\r\n package.\r\n\r\n A function in the decoder frame decompression routine implicitly\r\n trusts a size value. An attacker can utilize this to miscalculate\r\n a destination pointer, leading to the corruption of a heap buffer,\r\n and could allow for execution of arbitrary code with the privileges\r\n of the user running an application utilizing the vulnerable codec.\r\n\r\n For an attack to be successful the user must be tricked into\r\n visiting a malicious web page or opening a malicious video file on\r\n a system that has the vulnerable version of the VMnc codec installed.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2010-4294 to this issue.\r\n\r\n VMware would like to thank Aaron Portnoy and Logan Brown of\r\n TippingPoint DVLabs for reporting this issue.\r\n\r\n Column 4 of the following table lists the action required to\r\n remediate the vulnerability in each release, if a solution is\r\n available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Movie Decoder any Windows 7.1.2 Build 301548 or later\r\n Movie Decoder any Windows 6.5.5 Build 328052 or later\r\n\r\n Workstation 7.x Windows 7.1.2 Build 301548 or later\r\n Workstation 7.x Linux not affected\r\n Workstation 6.5.x Windows 6.5.5 build 328052 or later\r\n Workstation 6.5.x Linux not affected\r\n\r\n Player 3.x Windows 3.1.2 Build 301548 or later\r\n Player 3.x Linux not affected\r\n Player 2.5.x Windows 2.5.5 build 246459 or later\r\n Player 2.5.x Linux not affected\r\n\r\n AMS any any not affected\r\n\r\n Server 2.x Window affected, no patch planned\r\n Server 2.x Linux not affected\r\n\r\n Fusion any Mac OS/X not affected\r\n\r\n ESXi any ESXi not affected\r\n\r\n ESX any ESX not affected\r\n\r\n4. Solution\r\n Please review the patch/release notes for your product and version\r\n and verify the md5sum and/or the sha1sum of your downloaded file.\r\n\r\n VMware Workstation Movie Decoder\r\n --------------------------------\r\n Workstation 7.1.2 Movie Decoder\r\n md5sum: a4d761a21670c735d04abb89e674656e\r\n sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d\r\n\r\n Workstation 6.5.5 Movie Decoder build 328052\r\n md5sum: 1223bb57d97df39259be2c6c90a65ba6\r\n sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6\r\n\r\n\r\n VMware Workstation 7.1.3\r\n ------------------------\r\n http://www.vmware.com/download/ws/\r\n Release notes:\r\n http://downloads.vmware.com/support/ws71/doc/releasenotes_ws713.html\r\n\r\n Workstation for Windows 32-bit and 64-bit with VMware Tools\r\n md5sum: 7b9dc01bf733047a00711f5800df6107\r\n sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181\r\n\r\n Workstation for Windows 32-bit and 64-bit without VMware Tools\r\n md5sum: d102006f7a3951dd58325f5b4e151abe\r\n sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55\r\n\r\n Workstation 6.5.5\r\n -----------------\r\n http://www.vmware.com/download/ws/\r\n Release notes:\r\n http://downloads.vmware.com/support/ws65/doc/releasenotes_ws655.html\r\n\r\n Workstation for Windows 32-bit and 64-bit\r\n md5sum: 7bff9b621529efb0de808a45e7821274\r\n sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1\r\n\r\n Workstation for Linux 32-bit\t(rpm)\r\n md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47\r\n sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0\r\n\r\n Workstation for Linux 32-bit\t(bundle)\r\n md5sum: 7c24811fb999204f144d8b9f50e9fcae\r\n sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa\r\n\r\n Workstation for Linux 64-bit\t(rpm)\r\n md5sum: c25c2535d8091c4d46701ed081347901\r\n sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e\r\n\r\n Workstation for Linux 64-bit\t(bundle)\r\n md5sum: 7012bdaf182d256672ff2eb24b00a40f\r\n sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac\r\n\r\n VMware Player 3.1.3\r\n -------------------\r\n http://www.vmware.com/download/player/\r\n Release notes:\r\n\r\nhttp://downloads.vmware.com/support/player31/doc/releasenotes_player313.html\r\n\r\n VMware Player for Windows 32-bit and 64-bit \r\n md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f\r\n sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132\r\n\r\n VMware Player for Linux 32-bit (bundle)\r\n md5sum: e5d0bf19a1908262f63a8f88df77f73e\r\n sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931\r\n\r\n VMware Player for Linux 64-bit (bundle)\r\n md5sum: 18e6aae025ee2ef9f10ce6d9271ce472\r\n sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3\r\n\r\n VMware Player 2.5.5\r\n -------------------\r\n VMware Player 2.5.5 for Windows 32-bit and 64-bit\r\n md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7\r\n sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314\r\n\r\n VMware Player 2.5.5 for Linux 32-bit (rpm)\r\n md5sum: 9e13ee3904bd2377ffb8cfa66460fe92\r\n sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c \r\n\r\n VMware Player 2.5.5 for Linux 32-bit (bundle)\r\n MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4\r\n SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf \r\n\r\n VMware Player 2.5.5 for Linux 64-bit (rpm)\r\n MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0\r\n SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b \r\n\r\n VMware Player 2.5.5 for Linux 64-bit (bundle)\r\n md5sum: 6c9a677820010ccd20f829cb5d2c057b\r\n sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5 \r\n\r\n VMware Fusion\r\n -------------\r\n\r\n VMware Fusion 3.1.2 build 332101\r\n md5sum: a809170c9bd55a102c007c20269c4729\r\n sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03 \r\n\r\n VMware Fusion Lite 3.1.2 build 332101\r\n md5sum: d7db517cb25320152723f8535c90dd16\r\n sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720\r\n\r\n VMware Fusion 2.0.8 (for Intel-based Macs)\r\n md5sum: 9951d3b7985c39c685d59eaa73fe267c\r\n sha1sum: 11463924b5a7f82161090416905774da45e1cd3e \r\n\r\n VMware Fusion Lite 2.0.8 (for Intel-based Macs)\r\n md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8\r\n sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f\r\n\r\n ESXi 4.1\r\n --------\r\n ESXi410-201010001\r\n Download link:\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip\r\n md5sum: 05f1049c7a595481cd682e92fe8d3285\r\n sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76\r\n http://kb.vmware.com/kb/1027753\r\n\r\n Note ESXi410-201010001 contains the following security fix:\r\nESXi410-201010402-BG\r\n\r\n ESXi 4.0\r\n --------\r\n ESXi400-201009001\r\n Download link:\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip\r\n md5sum: bfc1b78f14d970c556b828492f5920e1\r\n sha1sum: a311a4af41aa1202bb6b156694bbc045c67df91a\r\n http://kb.vmware.com/kb/1025322\r\n\r\n Note ESXi400-201009001 contains the following security fix:\r\nESXi400-201009402-BG\r\n\r\n ESXi 3.5\r\n --------\r\n ESXe350-201008401-O-SG\r\n http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip\r\n md5sum:a2bb0afbc677ba847bedecb44dbdd4b3\r\n http://kb.vmware.com/kb/1026139\r\n\r\n Note ESXe350-201008401-O-SG contains the following security fix:\r\nESXe350-201008402-T-BG\r\n\r\n ESX 4.1\r\n -------\r\n ESX410-201010001\r\n\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip\r\n md5sum: ff4435fd3c74764f064e047c6e5e7809\r\n sha1sum:322981f4dbb9e5913c8f38684369444ff7e265b3\r\n http://kb.vmware.com/kb/1027027\r\n\r\n ESX410-201010001 contains the following security fix: ESX410-201010405-BG\r\n\r\n ESX 4.0\r\n -------\r\n ESX400-201009001\r\n\r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip\r\n md5sum: 988c593b7a7abf0be5b72970ac64a369\r\n sha1sum: 26d875955b01c19f4e56703216e135257c08836f\r\n http://kb.vmware.com/kb/1025321\r\n\r\n ESX400-201009001 contains the following security fix: ESX400-201009401-SG\r\n\r\n ESX 3.5\r\n -------\r\n ESX350-201008409-BG\r\n http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip\r\n md5sum: f2c4a4a53695057de25f095029d713fb\r\n http://kb.vmware.com/kb/1026133\r\n\r\n5. References\r\n\r\n CVE numbers\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294\r\n\r\n- ------------------------------------------------------------------------\r\n\r\n6. Change log\r\n\r\n2010-12-02 VMSA-2010-0018\r\nInitial security advisory after release of Workstation 6.5.5,\r\nPlayer 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02, ESX patches\r\nand Workstation 7.1.2 and 7.1.3 were released previously.\r\n\r\n- -----------------------------------------------------------------------\r\n7. Contact\r\n\r\nE-mail list for product security notifications and announcements:\r\nhttp://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\nThis Security Advisory is posted to the following lists:\r\n\r\n * security-announce at lists.vmware.com\r\n * bugtraq at securityfocus.com\r\n * full-disclosure at lists.grok.org.uk\r\n\r\nE-mail: security at vmware.com\r\nPGP key at: http://kb.vmware.com/kb/1055\r\n\r\nVMware Security Center\r\nhttp://www.vmware.com/security\r\n\r\nVMware Security Advisories\r\nhttp://www.vmware.com/security/advisories\r\n\r\nVMware security response policy\r\nhttp://www.vmware.com/support/policies/security_response.html\r\n\r\nGeneral support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos.html\r\n\r\nVMware Infrastructure support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos_vi.html\r\n\r\nCopyright 2010 VMware Inc. All rights reserved.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (MingW32)\r\n\r\niEYEARECAAYFAkz4lXgACgkQS2KysvBH1xn0qgCeO9eTk2xMbdx3Ssr24lCYzlUC\r\njXoAnjxrD5t4JyuWQftQ9ciZSDpIeZzg\r\n=TEE9\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-12-06T00:00:00", "published": "2010-12-06T00:00:00", "id": "SECURITYVULNS:DOC:25249", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25249", "title": "VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:15:25", "bulletinFamily": "software", "cvelist": ["CVE-2010-4295", "CVE-2010-4294", "CVE-2010-4297", "CVE-2010-4296"], "description": "Privilege escalation, code execution.", "edition": 2, "modified": "2010-12-10T00:00:00", "published": "2010-12-10T00:00:00", "id": "SECURITYVULNS:VULN:11282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11282", "title": "VMWare application multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "vmware": [{"lastseen": "2022-06-19T20:02:55", "description": "a. VMware Workstation, Player and Fusion vmware-mount race condition\n\nThe way temporary files are handled by the mounting process could result in a race condition. This issue could allow a local user on the host to elevate their privileges. VMware Workstation and Player running on Microsoft Windows are not affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4295 to this issue . VMware would like to thank Dan Rosenberg for reporting this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available.", "cvss3": {}, "published": "2010-12-02T00:00:00", "type": "vmware", "title": "VMware hosted products and ESX patches resolve multiple security issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4294", "CVE-2010-4295", "CVE-2010-4296", "CVE-2010-4297"], "modified": "2010-12-02T00:00:00", "id": "VMSA-2010-0018", "href": "https://www.vmware.com/security/advisories/VMSA-2010-0018.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}

Bonsai Information Security - VMware Tools update OS Command Injection

Description

Related