VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESXi / ESX host is missing one or more
security-related patches.

Description :

a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass

There is an issue in the e1000(e) Linux driver for Intel PRO/1000
adapters that allows a remote attacker to bypass packet filters.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-4536 to this issue.

b. ESX third-party update for Service Console kernel

This update for the console OS kernel package resolves four
security issues.

1) IPv4 Remote Denial of Service

An remote attacker can achieve a denial of service via an
issue in the kernel IPv4 code.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-1188 to
this issue.

2) SCSI Driver Denial of Service / Possible Privilege Escalation

A local attacker can achieve a denial of service and
possibly a privilege escalation via a vulnerability in
the Linux SCSI drivers.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-3080 to
this issue.

3) Kernel Memory Management Arbitrary Code Execution

A context-dependent attacker can execute arbitrary code
via a vulnerability in a kernel memory handling function.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-2240 to
this issue.

4) e1000 Driver Packet Filter Bypass

There is an issue in the Service Console e1000 Linux
driver for Intel PRO/1000 adapters that allows a remote
attacker to bypass packet filters.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-4536 to
this issue.

c. Multiple vulnerabilities in mount.vmhgfs

This patch provides a fix for the following three security
issues in the VMware Host Guest File System (HGFS). None of
these issues affect Windows based Guest Operating Systems.

1) Mount.vmhgfs Information Disclosure

Information disclosure via a vulnerability that allows an
attacker with access to the Guest to determine if a path
exists in the Host filesystem and whether it is a file or
directory regardless of permissions.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2146 to
this issue.

2) Mount.vmhgfs Race Condition

Privilege escalation via a race condition that allows an
attacker with access to the guest to mount on arbitrary
directories in the Guest filesystem and achieve privilege
escalation if they can control the contents of the
mounted directory.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-1787 to
this issue.

3) Mount.vmhgfs Privilege Escalation

Privilege escalation via a procedural error that allows
an attacker with access to the guest operating system to
gain write access to an arbitrary file in the Guest
filesystem. This issue only affects Solaris and FreeBSD
Guest Operating Systems.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2145 to
this issue.

VMware would like to thank Dan Rosenberg for reporting these
issues.

d. VI Client ActiveX vulnerabilities

VI Client COM objects can be instantiated in Internet Explorer
which may cause memory corruption. An attacker who succeeded in
making the VI Client user visit a malicious Web site could
execute code on the user's system within the security context of
that user.

VMware would like to thank Elazar Broad and iDefense for
reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2011-2217 to this issue.

Affected versions.

The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
is not affected. This is any build of vSphere Client Version
4.0.0 and vSphere Client Version 4.1.0.

VI Clients bundled with VMware Infrastructure 3 that are not
affected are :
- VI Client 2.0.2 Build 230598 and higher
- VI Client 2.5 Build 204931 and higher

The issue can be remediated by replacing an affected VI Client
with the VI Client bundled with VirtualCenter 2.5 Update 6 or
VirtualCenter 2.5 Update 6a.

See also :

http://lists.vmware.com/pipermail/security-announce/2011/000158.html

Solution :

Apply the missing patches.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.3
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: VMware ESX Local Security Checks

Nessus Plugin ID: 54968 ()

Bugtraq ID: 37068
37519
39016
42505
48098
48099

CVE ID: CVE-2009-3080
CVE-2009-4536
CVE-2010-1188
CVE-2010-2240
CVE-2011-1787
CVE-2011-2145
CVE-2011-2146
CVE-2011-2217