VMware ESXi Multiple OpenSSL Vulnerabilities (VMSA-2014-0006)

medium Nessus Plugin ID 87678

Synopsis

The remote VMware ESXi host is missing a security-related patch.

Description

The remote VMware ESXi host is affected by multiple vulnerabilities in the OpenSSL third-party library :

- A use-after-free error exists in the ssl3_read_bytes() function in file ssl/s3_pkt.c that is triggered when SSL_MODE_RELEASE_BUFFERS is enabled and multiple threads read from the same connection concurrently. A remote attacker can exploit this race to dereference already freed memory and inject data across sessions or cause a denial of service. Only multi-threaded applications that enable the non-default SSL_MODE_RELEASE_BUFFERS option are exposed. (CVE-2010-5298)

- A NULL pointer dereference flaw exists in the do_ssl3_write() function in file ssl/s3_pkt.c due to a failure to properly manage a buffer pointer during certain recursive calls when SSL_MODE_RELEASE_BUFFERS is enabled. A remote attacker can exploit this, by triggering an alert condition, to cause a denial of service. (CVE-2014-0198)

- A flaw exists due to a failure to properly restrict processing of ChangeCipherSpec messages, which are accepted before the key exchange has completed. A man-in-the-middle attacker can exploit this, by injecting ChangeCipherSpec messages into a crafted TLS handshake, to force both endpoints to derive their session keys from an empty (zero-length) pre-master secret, resulting in the session being decrypted or hijacked and sensitive information being disclosed. The attack requires a vulnerable OpenSSL client and a vulnerable OpenSSL server; all OpenSSL client versions are affected, but servers are only affected on 1.0.1 and 1.0.2-beta1. (CVE-2014-0224)

- A NULL pointer dereference flaw exists in the ssl3_send_client_key_exchange() function in file ssl/s3_clnt.c when an anonymous ECDH cipher suite is negotiated. A malicious server can exploit this to crash a connecting OpenSSL client that has anonymous ECDH suites enabled, resulting in a denial of service. (CVE-2014-3470)
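The ChangeCipherSpec flaw (CVE-2014-0224) is the one of the four that can be confirmed from the network, which is how a plugin like this one decides whether a host is exposed. The following Python is an added example written for this page, not code from the Nessus plugin or from VMware: it builds the records a probe sends (a minimal TLS 1.0 ClientHello, then ChangeCipherSpec records before any key exchange) and classifies the server's reaction. It follows the approach used by the nmap ssl-ccs-injection script: a patched OpenSSL answers a premature CCS with a fatal unexpected_message alert, while a vulnerable one accepts it, so a second CCS is sent to provoke an alert (typically bad_record_mac) from the vulnerable side. The record-layer version, cipher suite list and all sample responses are assumptions or constructed data, not traffic captured from ESXi.

```python
"""Offline model of a CVE-2014-0224 (CCS injection) probe.

Added example; not part of the Nessus plugin or the VMware advisory. The TLS 1.0
record version and the cipher suites are assumptions; the sample responses are
constructed, not captured.
"""
import struct

TLS_CCS, TLS_ALERT, TLS_HANDSHAKE = 0x14, 0x15, 0x16
ALERT_UNEXPECTED_MESSAGE = 10      # what a patched OpenSSL sends for a premature CCS
TLS10 = b"\x03\x01"                # record-layer version used by this probe (assumption)


def tls_record(content_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!B2sH", content_type, TLS10, len(payload)) + payload


def build_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)) -> bytes:
    """Minimal TLS 1.0 ClientHello without extensions, offering the given suites."""
    client_random = b"\x00" * 32   # fixed for reproducibility; a real probe uses os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (TLS10 + client_random + b"\x00"            # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites  # cipher suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return tls_record(TLS_HANDSHAKE, handshake)


def build_early_ccs() -> bytes:
    """The injected ChangeCipherSpec: one-byte payload 0x01, sent before the key exchange."""
    return tls_record(TLS_CCS, b"\x01")


def parse_records(data: bytes):
    """Split a byte string into (content_type, payload) tuples; stops at a truncated record."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!B2sH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, payload))
        pos += 5 + length
    return records


def classify_response(data: bytes) -> str:
    """Judge the server's reaction to two premature ChangeCipherSpec records.

    'patched'            fatal unexpected_message alert: the CCS was rejected
    'likely vulnerable'  any other alert (e.g. bad_record_mac): the first CCS was
                         accepted and the server tried to decrypt the second one
    'inconclusive'       no alert at all (silent close, timeout, non-TLS data)
    """
    for ctype, payload in parse_records(data):
        if ctype == TLS_ALERT and len(payload) == 2:
            return "patched" if payload[1] == ALERT_UNEXPECTED_MESSAGE else "likely vulnerable"
    return "inconclusive"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live probe against a real listener (not run by the offline samples below)."""
    import socket
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            sock.recv(16384)                      # ServerHello ... ServerHelloDone; contents unused
            sock.sendall(build_early_ccs() + build_early_ccs())
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionError):
            return "inconclusive"


# Constructed sample responses (not captured traffic):
PATCHED_RESPONSE = bytes.fromhex("1503010002020a")     # alert: fatal(2), unexpected_message(10)
VULNERABLE_RESPONSE = bytes.fromhex("15030100020214")  # alert: fatal(2), bad_record_mac(20)
SILENT_CLOSE = b""                                     # server dropped the connection
```

Treat 'likely vulnerable' as a prompt to check the host's build against the advisory rather than as proof; stacks other than OpenSSL may answer a stray CCS with a different alert, and a host that simply closes the connection yields 'inconclusive' and still needs the version check.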

Solution

Apply the appropriate patch listed in the vendor advisory for the installed ESXi version (5.0, 5.1 or 5.5).

See Also

https://www.vmware.com/security/advisories/VMSA-2014-0006

http://lists.vmware.com/pipermail/security-announce/2014/000276.html

Plugin Details

Severity: Medium

ID: 87678

File Name: vmware_VMSA-2014-0006_remote.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 12/30/2015

Updated: 1/6/2021

Dependencies: vmware_vsphere_detect.nbin

Risk Information

CVSS Score Source: CVE-2014-0224

VPR

Risk Factor: High

Score: 7.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:vmware:esxi:5.0, cpe:/o:vmware:esxi:5.1, cpe:/o:vmware:esxi:5.5

Required KB Items: Host/VMware/version, Host/VMware/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/9/2014

Vulnerability Publication Date: 4/11/2014

Exploitable With

Core Impact

Reference Information

CVE: CVE-2010-5298, CVE-2014-0198, CVE-2014-0224, CVE-2014-3470

BID: 66801, 67193, 67898, 67899

VMSA: 2014-0006

CERT: 978508