VMSA-2013-0003 : VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third-party library security issues.

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote VMware ESXi / ESX host is missing one or more
security-related patches.

Description :

a. VMware vCenter, ESXi and ESX NFC protocol memory corruption
vulnerability

VMware vCenter Server, ESXi and ESX contain a vulnerability in the
handling of the Network File Copy (NFC) protocol. To exploit this
vulnerability, an attacker must intercept and modify the NFC
traffic between vCenter Server and the client or ESXi/ESX and the
client. Exploitation of the issue may lead to code execution.

To reduce the likelihood of exploitation, vSphere components should
be deployed on an isolated management network

VMware would like to thank Alex Chapman of Context Information
Security for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1659 to this issue.

b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38

Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.

Oracle has documented the CVE identifiers that are addressed
in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update
Advisory of October 2012.

c. Update to ESX service console OpenSSL RPM

The service console OpenSSL RPM is updated to version
openssl-0.9.7a.33.28.i686 to resolve multiple security issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2110 to this issue.

See also :

http://lists.vmware.com/pipermail/security-announce/2013/000205.html

Solution :

Apply the missing patches.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true