VMSA-2014-0003 : VMware vSphere Client updates address security vulnerabilities

High Nessus Plugin ID 73469


The remote VMware ESXi / ESX host is missing a security-related patch.


a. vSphere Client Insecure Client Download

vSphere Client contains a vulnerability in accepting an updated vSphere Client file from an untrusted source. The vulnerability may allow a host to direct vSphere Client to download and execute an arbitrary file from any URI. This issue can be exploited if the host has been compromised or if a user has been tricked into clicking a malicious link.

VMware would like to thank Recurity Labs GmbH and the Bundesamt Sicherheit in der Informationstechnik (BSI) for reporting this issue to us

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-1209 to this issue.


Apply the missing patch.

See Also


Plugin Details

Severity: High

ID: 73469

File Name: vmware_VMSA-2014-0003.nasl

Version: $Revision: 1.10 $

Type: local

Published: 2014/04/11

Modified: 2014/07/08

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1, cpe:/o:vmware:esxi:4.0, cpe:/o:vmware:esxi:4.1

Required KB Items: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/04/10

Reference Information

CVE: CVE-2014-1209, CVE-2014-1210

BID: 66772, 66773

OSVDB: 105726, 105727

VMSA: 2014-0003