Detections
Analytics

GLSA-200711-23 : VMware Workstation and Player: Multiple vulnerabilities

critical Nessus Plugin ID 28262

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200711-23 (VMware Workstation and Player: Multiple vulnerabilities)

 Multiple vulnerabilities have been discovered in several VMware products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that the DHCP server contains an integer overflow vulnerability (CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and another error when handling malformed packets (CVE-2007-0061), leading to stack-based buffer overflows or stack corruption. Rafal Wojtczvk (McAfee) discovered two unspecified errors that allow authenticated users with administrative or login privileges on a guest operating system to corrupt memory or cause a Denial of Service (CVE-2007-4496, CVE-2007-4497). Another unspecified vulnerability related to untrusted virtual machine images was discovered (CVE-2007-5617).
 VMware products also shipped code copies of software with several vulnerabilities: Samba (GLSA-200705-15), BIND (GLSA-200702-06), MIT Kerberos 5 (GLSA-200707-11), Vixie Cron (GLSA-200704-11), shadow (GLSA-200606-02), OpenLDAP (CVE-2006-4600), PAM (CVE-2004-0813, CVE-2007-1716), GCC (CVE-2006-3619) and GDB (CVE-2006-4146).
 Impact :

 Remote attackers within a guest system could possibly exploit these vulnerabilities to execute code on the host system with elevated privileges or to cause a Denial of Service.
 Workaround :

 There is no known workaround at this time.

Solution

All VMware Workstation users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=app-emulation/vmware-workstation-5.5.5.56455' All VMware Player users should upgrade to the latest version:
 # emerge --sync # emerge --ask --oneshot --verbose '>=app-emulation/vmware-player-1.0.5.56455'

See Also

https://security.gentoo.org/glsa/200606-02

https://security.gentoo.org/glsa/200702-06

https://security.gentoo.org/glsa/200704-11

https://security.gentoo.org/glsa/200705-15

https://security.gentoo.org/glsa/200707-11

http://lists.vmware.com/pipermail/security-announce/2007/000001.html

https://security.gentoo.org/glsa/200711-23

Plugin Details

Severity: Critical

ID: 28262

File Name: gentoo_GLSA-200711-23.nasl

Version: 1.26

Type: local

Published: 11/20/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:vmware-player, p-cpe:/a:gentoo:linux:vmware-workstation, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/18/2007

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2004-0813, CVE-2006-3619, CVE-2006-4146, CVE-2006-4600, CVE-2007-0061, CVE-2007-0062, CVE-2007-0063, CVE-2007-1716, CVE-2007-4496, CVE-2007-4497, CVE-2007-5617

CWE: 119, 189, 264, 399

GLSA: 200711-23