VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues

High Nessus Plugin ID 54968

Synopsis

The remote VMware ESXi / ESX host is missing one or more security-related patches.

Description

a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass

 There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.

b. ESX third-party update for Service Console kernel

 This update for the console OS kernel package resolves four security issues.

 1) IPv4 Remote Denial of Service

 An remote attacker can achieve a denial of service via an issue in the kernel IPv4 code.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.

 2) SCSI Driver Denial of Service / Possible Privilege Escalation

 A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.

 3) Kernel Memory Management Arbitrary Code Execution

 A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.

 4) e1000 Driver Packet Filter Bypass

 There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.

c. Multiple vulnerabilities in mount.vmhgfs

 This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.

 1) Mount.vmhgfs Information Disclosure

 Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.

 2) Mount.vmhgfs Race Condition

 Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.

 3) Mount.vmhgfs Privilege Escalation

 Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems.

 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.

 VMware would like to thank Dan Rosenberg for reporting these issues.

d. VI Client ActiveX vulnerabilities

 VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user.

 VMware would like to thank Elazar Broad and iDefense for reporting this issue to us.

 The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-2217 to this issue.

 Affected versions.

 The vSphere Client which comes with vSphere 4.0 and vSphere 4.1 is not affected. This is any build of vSphere Client Version 4.0.0 and vSphere Client Version 4.1.0.

 VI Clients bundled with VMware Infrastructure 3 that are not affected are :
 - VI Client 2.0.2 Build 230598 and higher
 - VI Client 2.5 Build 204931 and higher

 The issue can be remediated by replacing an affected VI Client with the VI Client bundled with VirtualCenter 2.5 Update 6 or VirtualCenter 2.5 Update 6a.

Solution

Apply the missing patches.

See Also

http://lists.vmware.com/pipermail/security-announce/2011/000158.html

Plugin Details

Severity: High

ID: 54968

File Name: vmware_VMSA-2011-0009.nasl

Version: 1.41

Type: local

Published: 2011/06/06

Updated: 2018/08/06

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:3.5, cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1, cpe:/o:vmware:esxi:3.5, cpe:/o:vmware:esxi:4.0, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esxi:5.0

Required KB Items: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/06/02

Exploitable With

Core Impact

Metasploit (Tom Sawyer Software GET Extension Factory Remote Code Execution)

Reference Information

CVE: CVE-2009-3080, CVE-2009-4536, CVE-2010-1188, CVE-2010-2240, CVE-2011-1787, CVE-2011-2145, CVE-2011-2146, CVE-2011-2217

BID: 37068, 37519, 39016, 42505, 48098, 48099

VMSA: 2011-0009

IAVA: 2011-A-0075

CWE: 189