Category:   Application (Generic)  >   VMware ESX Server
Vendors:   VMware, Inc.
VMware ESX Server VMware Tools Executable/Library Loading/Unloading Flaws Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023833
SecurityTracker URL:  http://securitytracker.com/id/1023833
CVE Reference:   CVE-2010-1141, CVE-2010-1142
Date:  Apr 9 2010
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.5.5, 3.0.3, 3.5, 4.0; ESXi 3.5, ESXi 4.0
Description:   Two vulnerabilities were reported in VMware ESX Server. A user can cause arbitrary code to be executed on the target Windows-based guest operating system.

A remote user can create a specially crafted file that, when loaded by the target user via a network share, will trigger a library loading flaw and execute arbitrary code on the target guest operating system [CVE-2010-1141]. The code will run with the privileges of the target user.

A user can create and place a specially crafted executable file in a certain location on the target user's Virtual Machine (which may require administrator privileges) to cause arbitrary code to be executed on the target guest operating system [CVE-2010-1142].

Only Windows-based guest operating systems are affected.

VMware Workstation 6.5.x, Player 2.5.x, ACE 2.5.x, Server 2.x, and Fusion 2.x are also affected.

Jure Skofic and Mitja Kolsek of ACROS Security reported these vulnerabilities.

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's guest operating system.
Solution:   The vendor has issued a fix (ESXi ESXi400-201002402-BG, ESXi ESXe350-200912401-T-BG, ESX ESX400-201002401-BG, ESX ESX350-200912401-BG, ESX ESX303-201002203-UG, ESX Upgrade Patch 15).

The vendor's advisory will be available at:

http://www.vmware.com/security/advisories/

Vendor URL:  www.vmware.com/security/advisories/
Cause:   Not specified
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Fri, 09 Apr 2010 15:16:15 +0000
Subject:  VMware ESX Server


 a. Windows-based VMware Tools Unsafe Library Loading vulnerability

    A vulnerability in the way VMware libraries are referenced allows
    for arbitrary code execution in the context of the logged on user.
    This vulnerability is present only on Windows Guest Operating
    Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to lure the user that is logged on a Windows Guest
    Operating System to click on the attacker's file on a network
    share. This file could be in any file format. The attacker will
    need to have the ability to host their malicious files on a
    network share.

    VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
    Security (http://www.acrossecurity.com) for reporting this issue
    to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1141 to this issue.

    Steps needed to remediate this vulnerability:

    Guest systems on VMware Workstation, Player, ACE, Server, Fusion
     - Install the remediated version of Workstation, Player, ACE,
       Server and Fusion.
     - Upgrade tools in the virtual machine (virtual machine users
       will be prompted to upgrade).

    Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
     - Install the relevant patches (see below for patch identifiers)
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade).  Note the VI Client will
       not show that VMware Tools is out of date in the summary tab.
       Please see http://tinyurl.com/27mpjo page 80 for details.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available. See above for remediation
    details.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       any      not affected
    Workstation    6.5.x     any      6.5.4 build 246459 or later

    Player         3.x       any      not affected
    Player         2.5.x     any      2.5.4 build 246459 or later

    ACE            2.6.x     Windows  not affected
    ACE            2.5.x     Windows  2.5.4 build 246459 or later

    Server         2.x       any      2.0.2 build 203138 or later

    Fusion         3.x       Mac OS/X not affected
    Fusion         2.x       Mac OS/X 2.0.6 build 246742 or later

    ESXi           4.0       ESXi     ESXi400-201002402-BG
    ESXi           3.5       ESXi     ESXe350-200912401-T-BG or later

    ESX            4.0       ESX      ESX400-201002401-BG
    ESX            3.5       ESX      ESX350-200912401-BG
    ESX            3.0.3     ESX      ESX303-201002203-UG
    ESX            2.5.5     ESX      Upgrade Patch 15

 b. Windows-based VMware Tools Arbitrary Code Execution vulnerability

    A vulnerability in the way VMware executables are loaded allows for
    arbitrary code execution in the context of the logged on user. This
    vulnerability is present only on Windows Guest Operating Systems.

    In order for an attacker to exploit the vulnerability, the attacker
    would need to be able to plant their malicious executable in a
    certain location on the Virtual Machine of the user.  On most
    recent versions of Windows (XP, Vista) the attacker would need to
    have administrator privileges to plant the malicious executable in
    the right location.

    Steps needed to remediate this vulnerability: See section 3.a.

    VMware would like to thank Mitja Kolsek of ACROS Security
    (http://www.acrossecurity.com) for reporting this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-1142 to this issue.

    Refer to the previous table in section 3.a for what action
    remediates the vulnerability (column 4) if a solution is
    available. See above for remediation details.
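
The remediation table in the source message above, turned into an inventory check. This is an added example, not part of the SecurityTracker alert or VMware's advisory. The inventory line format, host names, sample build numbers and EXAMPLE-OTHER-BUNDLE are constructed, and the check assumes build numbers only increase within a product branch.

```python
# Rows copied from the advisory table: an int is the minimum fixed build,
# a str is the required patch identifier, None means "not affected".
TABLE = {
    ("Workstation", "7"): None, ("Workstation", "6.5"): 246459,
    ("Player", "3"): None, ("Player", "2.5"): 246459,
    ("ACE", "2.6"): None, ("ACE", "2.5"): 246459,
    ("Server", "2"): 203138,
    ("Fusion", "3"): None, ("Fusion", "2"): 246742,
    ("ESXi", "4.0"): "ESXi400-201002402-BG",
    ("ESXi", "3.5"): "ESXe350-200912401-T-BG",
    ("ESX", "4.0"): "ESX400-201002401-BG",
    ("ESX", "3.5"): "ESX350-200912401-BG",
    ("ESX", "3.0.3"): "ESX303-201002203-UG",
    ("ESX", "2.5.5"): "Upgrade Patch 15",
}
# Both advisory steps are needed: fix the host product, then upgrade Tools.
TOOLS = "host remediated; upgrade VMware Tools in Windows guests"

def assess(product, version, evidence):
    """evidence: build number, or comma-separated installed patch IDs."""
    parts = version.split(".")
    # Match the longest listed branch: 6.5.3 -> "6.5", 2.0.2 -> "2".
    for n in range(len(parts), 0, -1):
        key = (product, ".".join(parts[:n]))
        if key in TABLE:
            break
    else:
        # Absent from the table is not the same as "not affected".
        return "unlisted: not covered by the advisory table"
    need = TABLE[key]
    if need is None:
        return "not affected"
    if isinstance(need, int):
        if not evidence.isdecimal():
            return "unknown: no build number recorded"
        return TOOLS if int(evidence) >= need else f"upgrade to build {need} or later"
    # Exact match only: a later superseding bundle needs manual confirmation.
    installed = {p.strip() for p in evidence.split(",")}
    return TOOLS if need in installed else f"apply {need}"

# Constructed inventory: host|product|version|build-or-installed-patches
SAMPLE = """ws-01|Workstation|6.5.3|100000
ws-02|Workstation|7.0.1|200000
srv-01|Server|2.0.2|203138
esx-01|ESX|4.0|EXAMPLE-OTHER-BUNDLE,ESX400-201002401-BG
esx-02|ESXi|3.5|
esx-03|ESX|3.0.2|"""

def audit(text):
    """Return {host: status} for each inventory line."""
    return {h: assess(p, v, e) for h, p, v, e in
            (line.split("|") for line in text.splitlines())}
```

A host that reports as remediated still needs the in-guest step: on ESX and ESXi the Tools upgrade is manual and the VI Client summary tab will not flag it.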

 
 



Copyright 2014, SecurityGlobal.net LLC