VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages

high Nessus Plugin ID 40372

Synopsis

The remote VMware ESX host is missing one or more security-related patches.

Description

I Service Console package security updates

a. OpenPegasus PAM Authentication Buffer Overflow

Alexander Sotirov from VMware Security Research discovered a buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the service console network to gain root access to the service console.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5360 to this issue.

b. Updated Samba package

An issue where attackers on the service console management network can cause a stack-based buffer overflow in the reply_netbios_packet function of nmbd in Samba. On systems where Samba is being used as a WINS server, exploiting this vulnerability can allow remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request.

An issue where attackers on the service console management network can exploit a vulnerability that occurs when Samba is configured as a Primary or Backup Domain controller. The vulnerability allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5398 and CVE-2007-4572 to these issues.

Note: By default Samba is not configured as a WINS server or a domain controller and ESX is not vulnerable unless the administrator has changed the default configuration.

This vulnerability can be exploited remotely only if the attacker has access to the service console network.

Security best practices provided by VMware recommend that the service console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices.

c. Updated util-linux package

The patch addresses an issue where the mount and umount utilities in util-linux call the setuid and setgid functions in the wrong order and do not check the return values, which could allow attackers to gain elevated privileges via helper application such as mount.nfs.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5191 to this issue.

d. Updated Perl package

The update addresses an issue where the regular expression engine in Perl can be used to issue a specially crafted regular expression that allows the attacker to run arbitrary code with the permissions level of the current Perl user.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-5116 to this issue.

e. Updated OpenSSL package

A flaw in the SSL_get_shared_ciphers() function could allow an attacker to cause a buffer overflow problem by sending ciphers to applications that use the function.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3108, and CVE-2007-5135 to these issues.

Solution

Apply the missing patches.

See Also

http://lists.vmware.com/pipermail/security-announce/2008/000004.html

Plugin Details

Severity: High

ID: 40372

File Name: vmware_VMSA-2008-0001.nasl

Version: 1.30

Type: local

Published: 7/27/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:2.5.5, cpe:/o:vmware:esx:3.0.1, cpe:/o:vmware:esx:3.0.2, cpe:/o:vmware:esx:3.5

Required KB Items: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/7/2008

Vulnerability Publication Date: 9/28/2006

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2007-3108, CVE-2007-4572, CVE-2007-5116, CVE-2007-5135, CVE-2007-5191, CVE-2007-5360, CVE-2007-5398

BID: 21663, 25163, 25831, 26350, 26454, 26455, 26701, 27497, 27686, 29003, 29076, 29404

CWE: 119, 189, 264

VMSA: 2008-0001