ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)

This script is (C) 2013-2016 Tenable Network Security, Inc.

Synopsis :

The remote VMware ESXi 5.0 host is affected by multiple
vulnerabilities.

Description :

The remote VMware ESXi 5.0 host is affected by multiple
vulnerabilities:

- An integer overflow condition exists in the
__tzfile_read() function in the glibc library. An
unauthenticated, remote attacker can exploit this, via
a crafted timezone (TZ) file, to cause a denial of
service or the execution of arbitrary code.
(CVE-2009-5029)

- ldd in the glibc library is affected by a privilege
escalation vulnerability due to the omission of certain
LD_TRACE_LOADED_OBJECTS checks in a crafted executable
file. Note that this vulnerability is disputed by the
library vendor. (CVE-2009-5064)

- A remote code execution vulnerability exists in the
glibc library due to an integer signedness error in the
elf_get_dynamic_info() function when the '--verify'
option is used. A remote attacker can exploit this by
using a crafted ELF program with a negative value for a
certain d_tag structure member in the ELF header.
(CVE-2010-0830)

- A flaw exists in OpenSSL due to a failure to properly
prevent modification of the ciphersuite in the session
cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is
enabled. A remote attacker can exploit this to force a
downgrade to an unintended cipher by intercepting the
network traffic to discover a session identifier.
(CVE-2010-4180)

- A flaw exists in OpenSSL due to a failure to properly
validate the public parameters in the J-PAKE protocol
when J-PAKE is enabled. A remote attacker can exploit
this, by sending crafted values in each round of the
protocol, to bypass the need for knowledge of the shared
secret. (CVE-2010-4252)

- An out-of-bounds memory error exists in OpenSSL that
allows a remote attacker to cause a denial of service or
possibly obtain sensitive information by using a
malformed ClientHello handshake message. This is also
known as the 'OCSP stapling vulnerability'.
(CVE-2011-0014)

- A flaw exists in the addmntent() function in the glibc
library due to a failure to report the error status for
failed attempts to write to the /etc/mtab file. A local
attacker can exploit this to corrupt the file by using
writes from a process with a small RLIMIT_FSIZE value.
(CVE-2011-1089)

- A flaw exists in the png_set_text_2() function in the
file pngset.c in the libpng library due to a failure to
properly allocate memory. An unauthenticated, remote
attacker can exploit this, via a crafted text chunk in a
PNG image file, to trigger a heap-based buffer overflow,
resulting in denial of service or the execution of
arbitrary code. (CVE-2011-3048)

- A flaw exists in the DTLS implementation in OpenSSL due
to performing a MAC check only if certain padding is
valid. A remote attacker can exploit this, via a padding
oracle attack, to recover the plaintext. (CVE-2011-4108)

- A double-free error exists in OpenSSL when the
X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker
can exploit this by triggering a policy check failure,
resulting in an unspecified impact. (CVE-2011-4109)

- A flaw exists in OpenSSL in the SSL 3.0 implementation
due to improper initialization of data structures used
for block cipher padding. A remote attacker can exploit
this, by decrypting the padding data sent by an SSL
peer, to obtain sensitive information. (CVE-2011-4576)

- A denial of service vulnerability exists in OpenSSL when
RFC 3779 support is enabled. A remote attacker can
exploit this to cause an assertion failure, by using an
X.509 certificate containing certificate extension data
associated with IP address blocks or Autonomous System
(AS) identifiers. (CVE-2011-4577)

- A denial of service vulnerability exists in the RPC
implementation in the glibc library due to a flaw in the
svc_run() function. A remote attacker can exploit this,
via a large number of RPC connections, to exhaust CPU
resources. (CVE-2011-4609)

- A denial of service vulnerability exists in the Server
Gated Cryptography (SGC) implementation in OpenSSL due
to a failure to properly handle handshake restarts. A
remote attacker can exploit this, via unspecified
vectors, to exhaust CPU resources. (CVE-2011-4619)

- A denial of service vulnerability exists in OpenSSL due
to improper support of DTLS applications. A remote
attacker can exploit this, via unspecified vectors
related to an out-of-bounds read error. Note that this
vulnerability exists because of an incorrect fix for
CVE-2011-4108. (CVE-2012-0050)

- A security bypass vulnerability exists in the glibc
library due to an integer overflow condition in the
vfprintf() function in file stdio-common/vfprintf.c. An
attacker can exploit this, by using a large number of
arguments, to bypass the FORTIFY_SOURCE protection
mechanism, allowing format string attacks or writing to
arbitrary memory. (CVE-2012-0864)

- A denial of service vulnerability exists in the glibc
library in the vfprintf() function in file
stdio-common/vfprintf.c due to a failure to properly
calculate a buffer length. An attacker can exploit this,
via a format string that uses positional parameters and
many format specifiers, to bypass the FORTIFY_SOURCE
format-string protection mechanism, thus causing stack
corruption and a crash. (CVE-2012-3404)

- A denial of service vulnerability exists in the glibc
library in the vfprintf() function in file
stdio-common/vfprintf.c due to a failure to properly
calculate a buffer length. An attacker can exploit this,
via a format string with a large number of format
specifiers, to bypass the FORTIFY_SOURCE format-string
protection mechanism, thus triggering desynchronization
within the buffer size handling, resulting in a
segmentation fault and crash. (CVE-2012-3405)

- A flaw exists in the glibc library in the vfprintf()
function in file stdio-common/vfprintf.c due to a
failure to properly restrict the use of the alloca()
function when allocating the SPECS array. An attacker
can exploit this, via a crafted format string using
positional parameters and a large number of format
specifiers, to bypass the FORTIFY_SOURCE format-string
protection mechanism, thus triggering a denial of
service or the possible execution of arbitrary code.
(CVE-2012-3406)

- A flaw exists in the glibc library due to multiple
integer overflow conditions in the strtod(), strtof(),
strtold(), strtod_l(), and other unspecified related
functions. A local attacker can exploit these to trigger
a stack-based buffer overflow, resulting in an
application crash or the possible execution of arbitrary
code. (CVE-2012-3480)

- A privilege escalation vulnerability exists in the
Virtual Machine Communication Interface (VMCI) due to a
failure by control code to properly restrict memory
allocation. A local attacker can exploit this, via
unspecified vectors, to gain privileges. (CVE-2013-1406)

- An error exists in the implementation of the Network
File Copy (NFC) protocol. A man-in-the-middle attacker
can exploit this, by modifying the client-server data
stream, to cause a denial of service or the execution
of arbitrary code. (CVE-2013-1659)

See also :

http://www.vmware.com/security/advisories/VMSA-2013-0002.html
http://www.vmware.com/security/advisories/VMSA-2013-0003.html
http://www.vmware.com/security/advisories/VMSA-2012-0013.html
http://www.vmware.com/security/advisories/VMSA-2012-0018.html
http://kb.vmware.com/kb/2033751
http://kb.vmware.com/kb/2033767

Solution :

Apply patch ESXi500-201212101-SG according to the vendor advisory.
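The "remote check" in the title is a build-number comparison: an ESXi 5.0 host reporting a build below 912577 has not received ESXi500-201212101-SG. The following is an added example of that triage logic, not Tenable's plugin code. It assumes a version banner of the form "VMware ESXi 5.0.0 build-NNNNNN" (the banner text and sample hosts below are constructed for illustration), and deliberately returns None rather than False when the banner cannot be parsed, so an unparseable host is reported as undetermined instead of silently passing.

```python
import re

# Threshold from the plugin title: ESXi 5.0 builds below this lack the fix.
FIXED_BUILD = 912577
AFFECTED_BRANCH = "5.0"

# Assumed banner layout, e.g. "VMware ESXi 5.0.0 build-768111" (constructed).
BANNER_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def parse_banner(banner):
    """Return (branch, build) from a banner, or None if it does not match."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_affected(banner):
    """True if the host is ESXi 5.0 below the fixed build, False if not,
    None if the banner could not be interpreted (undetermined, not safe)."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    branch, build = parsed
    if branch != AFFECTED_BRANCH:
        # Other branches are outside the scope of this check.
        return False
    return build < FIXED_BUILD


def triage(hosts):
    """Map host name -> 'AFFECTED', 'NOT AFFECTED' or 'UNDETERMINED'."""
    labels = {True: "AFFECTED", False: "NOT AFFECTED", None: "UNDETERMINED"}
    return {host: labels[is_affected(banner)] for host, banner in hosts.items()}


# Constructed sample inventory (host names and banners are illustrative only).
SAMPLE_HOSTS = {
    "esx-a.example": "VMware ESXi 5.0.0 build-768111",
    "esx-b.example": "VMware ESXi 5.0.0 build-912577",
    "esx-c.example": "VMware ESXi 5.1.0 build-799733",
    "esx-d.example": "connection refused",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

The comparison is against the build number only, because patch levels within the 5.0 branch share the "5.0.0" version string; a host exactly at build 912577 is reported as not affected, matching the "< Build 912577" condition in the title.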

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true