VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESX host is missing one or more security-related
patches.

Description :

I Service Console package security updates

a. OpenPegasus PAM Authentication Buffer Overflow

Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5360 to this issue.

b. Updated Samba package

Attackers on the service console management network can cause a
stack-based buffer overflow in the reply_netbios_packet function
of nmbd in Samba. On systems where Samba is being used as a WINS
server, exploiting this vulnerability can allow remote attackers
to execute arbitrary code via crafted WINS Name Registration
requests followed by a WINS Name Query request.

Attackers on the service console management network can exploit a
vulnerability that occurs when Samba is configured as a Primary or
Backup Domain Controller. The vulnerability allows remote attackers
to have an unknown impact via crafted GETDC mailslot requests,
related to the handling of GETDC logon server requests.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-5398 and CVE-2007-4572 to these
issues.

Note: By default, Samba is not configured as a WINS server or a domain
controller, so ESX is not vulnerable unless the administrator has
changed the default configuration.

This vulnerability can be exploited remotely only if the
attacker has access to the service console network.

Security best practices provided by VMware recommend that the
service console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

c. Updated util-linux package

The patch addresses an issue where the mount and umount
utilities in util-linux call the setuid and setgid functions in
the wrong order and do not check their return values, which could
allow attackers to gain elevated privileges via helper
applications such as mount.nfs.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5191 to this issue.

d. Updated Perl package

The update addresses an issue in the Perl regular expression
engine: an attacker who can supply a specially crafted regular
expression is able to run arbitrary code with the permission
level of the current Perl user.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5116 to this issue.

e. Updated OpenSSL package

A flaw in the SSL_get_shared_ciphers() function could allow an
attacker to cause a buffer overflow problem by sending ciphers
to applications that use the function.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2007-3108 and CVE-2007-5135 to these
issues.

See also :

http://lists.vmware.com/pipermail/security-announce/2008/000004.html

Solution :

Apply the missing patches.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: VMware ESX Local Security Checks

Nessus Plugin ID: 40372

Bugtraq ID: 25163, 26350, 26454, 26455, 26701

CVE ID: CVE-2007-3108, CVE-2007-4572, CVE-2007-5116, CVE-2007-5135,
CVE-2007-5191, CVE-2007-5360, CVE-2007-5398