VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESXi / ESX host is missing one or more
security-related patches.

Description :

a. VMware Tools Display Driver Privilege Escalation

The VMware XPDM and WDDM display drivers contain buffer overflow
vulnerabilities and the XPDM display driver does not properly
check for NULL pointers. Exploitation of these issues may lead
to local privilege escalation on Windows-based Guest Operating
Systems.

VMware would like to thank Tarjei Mandt for reporting theses
issues to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-1509 (XPDM buffer overrun),
CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null
pointer dereference) to these issues.

Note: CVE-2012-1509 doesn't affect ESXi and ESX.

b. vSphere Client internal browser input validation vulnerability

The vSphere Client has an internal browser that renders html
pages from log file entries. This browser doesn't properly
sanitize input and may run script that is introduced into the
log files. In order for the script to run, the user would need
to open an individual, malicious log file entry. The script
would run with the permissions of the user that runs the vSphere
Client.

VMware would like to thank Edward Torkington for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1512 to this issue.

In order to remediate the issue, the vSphere Client of the
vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release
needs to be installed. The vSphere Clients that come with
vSphere 4.0 and vCenter Server 2.5 are not affected.

c. vCenter Orchestrator Password Disclosure

The vCenter Orchestrator (vCO) Web Configuration tool reflects
back the vCenter Server password as part of the webpage. This
might allow the logged-in vCO administrator to retrieve the
vCenter Server password.

VMware would like to thank Alexey Sintsov from Digital Security
Research Group for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1513 to this issue.

d. vShield Manager Cross-Site Request Forgery vulnerability

The vShield Manager (vSM) interface has a Cross-Site Request
Forgery vulnerability. If an attacker can convince an
authenticated user to visit a malicious link, the attacker may
force the victim to forward an authenticated request to the
server.

VMware would like to thank Frans Pehrson of Xxor AB
(www.xxor.se<http://www.xxor.se>) and Claudio Criscione for independently reporting
this issue to us

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1514 to this issue.

e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.

Oracle has documented the CVE identifiers that are addressed in
JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical
Patch Update Advisory of October 2011. The References section
provides a link to this advisory.

f. vCenter Server Apache Tomcat update 6.0.35

Apache Tomcat has been updated to version 6.0.35 to address
multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2011-3190, CVE-2011-3375,
CVE-2011-4858, and CVE-2012-0022 to these issues.


g. ESXi update to third-party component bzip2

The bzip2 library is updated to version 1.0.6, which resolves a
security issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0405 to this issue.

See also :

http://lists.vmware.com/pipermail/security-announce/2012/000198.html

Solution :

Apply the missing patches.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true