The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of VMware ACE

computer vulnerability bulletin CVE-2009-1564 CVE-2009-1565 CVE-2009-2042

VMware: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities impact VMware ACE, ESX, ESXi, Player, Server and Workstation.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, user access/rights, data reading, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 10.
Creation date: 09/04/2010.
Identifiers: ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-35233, BID-36630, BID-39345, BID-39363, BID-39364, BID-39392, BID-39394, BID-39395, BID-39396, BID-39397, BID-39407, CERTA-2010-AVI-162, CERTA-2010-AVI-165, CVE-2009-1564, CVE-2009-1565, CVE-2009-2042, CVE-2009-3707, CVE-2009-3732, CVE-2009-4811, CVE-2010-1138, CVE-2010-1139, CVE-2010-1140, CVE-2010-1141, CVE-2010-1142, CVE-2010-1564-ERROR, DSecRG-09-053, VIGILANCE-VUL-9568, VMSA-2010-0007, VMSA-2010-0007.1.

Description of the vulnerability

Several vulnerabilities impact VMware products.

When the guest system is Windows, a local attacker can load a library, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39392, CVE-2010-1141]

When the guest system is Windows 2000, a local attacker can copy a program in a specific directory, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39394, CVE-2010-1142]

When the host system is Windows 2000, a local attacker can copy a program in a specific directory, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39397, CVE-2010-1140]

When a one-bit (black and white) interlaced image is opened by libpng, some areas of the decoded image are filled with uninitialised memory, whose content is thus disclosed (VIGILANCE-VUL-8813). [severity:1/4; BID-35233, CVE-2009-2042]

The VMware Workstation, VMware Player and VMware ACE products install the VMnc video codec, which contains several buffer overflows. The attacker can invite the victim to see a malicious video, in order to execute code. [severity:2/4; BID-39363, CERTA-2010-AVI-162, CERTA-2010-AVI-165, CVE-2009-1564, CVE-2010-1564-ERROR]

The VMware Workstation, VMware Player and VMware ACE products install the VMnc video codec, which contains several integer overflows. The attacker can invite the victim to see a malicious video, in order to execute code. [severity:2/4; BID-39364, CVE-2009-1565]

An attacker can generate a format string attack in VMware Remote Console (VMrc), in order to execute code. [severity:2/4; BID-39396, CVE-2009-3732, DSecRG-09-053]

An attacker can send a malicious authentication query to the vmware-authd service of VMware ACE, Player or Workstation in order to stop it (VIGILANCE-VUL-9079). [severity:2/4; BID-36630, CVE-2009-3707, CVE-2009-4811]

An attacker in a guest system can send data to the vmware-vmx process of the host system, which then sends them on the network. [severity:2/4; BID-39395, CVE-2010-1138]

An attacker in a guest system can run a process whose name contains format directives. When the administrator then uses vmrun to list the guest's processes, a format string attack occurs, and code runs with the administrator's privileges. [severity:2/4; BID-39407, CVE-2010-1139]

computer vulnerability announce CVE-2010-0408 CVE-2010-0425

Apache httpd: denials of service in modules

Synthesis of the vulnerability

An attacker can generate a denial of service in mod_proxy_ajp and mod_isapi modules of Apache httpd.
Impacted products: Apache httpd, Debian, VNX Operating Environment, VNX Series, Fedora, HP-UX, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, Slackware, SLES, VMware ACE.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 03/03/2010.
Revision date: 08/03/2010.
Identifiers: BID-38491, BID-38494, c02160663, CERTA-2010-AVI-112, CERTA-2010-AVI-122, CVE-2010-0408, CVE-2010-0425, DSA-2019-131, DSA-2035-1, FEDORA-2010-6055, FEDORA-2010-6131, HPSBUX02531, MDVSA-2010:053, RHSA-2010:0168-01, RHSA-2010:0396-01, SOS-10-002, SSA:2010-067-01, SSRT100108, SUSE-SR:2010:010, VIGILANCE-VUL-9487, VMSA-2010-0014, VMSA-2010-0014.1, VU#280613.

Description of the vulnerability

Two denials of service were announced in Apache httpd.

The mod_proxy_ajp module forwards requests to Tomcat over the AJP protocol. When a client sends a Content-Length header but no body, the ap_proxy_ajp_request() function returns HTTP_INTERNAL_SERVER_ERROR instead of HTTP_BAD_REQUEST. The backend is then treated as failed and disabled for the retry timeout, so legitimate requests to it are refused during that period, which creates a denial of service. [severity:2/4; BID-38491, CVE-2010-0408]

The mod_isapi module runs ISAPI extensions on Windows. However, when a request is interrupted (for example by a connection reset), the module unloads the extension before processing is complete; the server later dereferences a dangling pointer into it, and the service stops. [severity:2/4; CERTA-2010-AVI-112, CERTA-2010-AVI-122, CVE-2010-0425, SOS-10-002, VU#280613]

vulnerability CVE-2010-0434

Apache httpd: information disclosure via SubRequest

Synthesis of the vulnerability

When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can be returned to another user.
Impacted products: Apache httpd, Debian, Fedora, HP-UX, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, SLES, VMware ACE.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 03/03/2010.
Identifiers: 48359, BID-38494, BID-38580, c02160663, CVE-2010-0434, DSA-2035-1, FEDORA-2010-6055, FEDORA-2010-6131, HPSBUX02531, MDVSA-2010:057, RHSA-2010:0168-01, RHSA-2010:0175-01, RHSA-2010:0396-01, RHSA-2010:0602-02, SSRT100108, SUSE-SR:2010:010, VIGILANCE-VUL-9490, VMSA-2010-0014, VMSA-2010-0014.1.

Description of the vulnerability

The MPM (Multi-Processing Module) of Apache httpd 2 defines how client connections are handled. Several modules are available:
 - prefork: multi-process, no threads (similar to httpd 1.3)
 - worker: multi-process and multi-threaded
 - mpm_winnt: multi-threaded, optimized for Windows
 - mpmt_os2: multi-process and multi-threaded, optimized for OS/2
 - etc.
The administrator chooses the module when compiling the Apache server.

Apache uses a "SubRequest" to simulate a new client request internally. SubRequests are for example used for error handling or for URL rewriting.

When Apache creates a SubRequest, it copies references to the parent's headers instead of copying the headers themselves. With a multi-threaded MPM, these references can later point to memory reused for another client's request, i.e. to data belonging to another session.

When Apache httpd uses a SubRequest and a multi-threaded MPM, session data can therefore be returned to another user.
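A simplified model of the reference-versus-copy problem, as an added example that is not httpd code: the structures, the single Cookie header and the connection buffer reuse are assumptions chosen to make the effect visible in a few lines. The shallow subrequest keeps a pointer into the connection's read buffer, so once that buffer is refilled for another client it reports that client's cookie; the deep-copying variant does not.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not httpd code: a deliberately simplified model of the
 * reference-versus-copy problem. A connection's read buffer is reused for
 * each request it serves (with a threaded MPM, the next request on that
 * worker may belong to another client). A subrequest that merely points at
 * the parent's header bytes keeps pointing into that buffer, so once the
 * buffer is refilled it observes the other client's headers.
 */

#define BUF_SZ 128

struct conn {
    char buf[BUF_SZ];          /* reused for every request on this connection */
};

struct request {
    const char *cookie;        /* Cookie header value as seen by handlers */
    char owned[BUF_SZ];        /* storage used only by the deep-copying variant */
};

/* Read a constructed request into the connection buffer and point the
 * request's Cookie header at the bytes inside that buffer, as a parser that
 * avoids copying would. */
static void read_request(struct conn *c, struct request *r, const char *wire)
{
    snprintf(c->buf, sizeof c->buf, "%s", wire);
    char *p = strstr(c->buf, "Cookie: ");
    if (p == NULL) {
        r->cookie = "";
        return;
    }
    p += strlen("Cookie: ");
    char *end = strstr(p, "\r\n");
    if (end != NULL)
        *end = '\0';
    r->cookie = p;
}

/* VULNERABLE: the subrequest shares the parent's pointer into conn->buf. */
static void make_subrequest_shallow(const struct request *parent,
                                    struct request *sub)
{
    sub->cookie = parent->cookie;
}

/* FIXED: the subrequest gets its own copy, so it no longer depends on the
 * lifetime of the parent's buffer. */
static void make_subrequest_deep(const struct request *parent,
                                 struct request *sub)
{
    snprintf(sub->owned, sizeof sub->owned, "%s", parent->cookie);
    sub->cookie = sub->owned;
}

/* Scenario: alice's request spawns a subrequest; the connection is then
 * reused for bob's request before the subrequest's data is consumed. Returns
 * the cookie the subrequest reports at that point. */
static const char *subrequest_cookie_after_reuse(int deep_copy,
                                                 char *out, size_t outsz)
{
    struct conn c;
    struct request parent, sub, other;

    read_request(&c, &parent,
                 "GET /a HTTP/1.1\r\nCookie: session=alice\r\n\r\n");
    if (deep_copy)
        make_subrequest_deep(&parent, &sub);
    else
        make_subrequest_shallow(&parent, &sub);

    /* The same connection/worker now serves a different client. */
    read_request(&c, &other,
                 "GET /b HTTP/1.1\r\nCookie: session=bob\r\n\r\n");

    snprintf(out, outsz, "%s", sub.cookie);
    return out;
}

int main(void)
{
    char seen[BUF_SZ];
    printf("shallow subrequest sees: %s\n",
           subrequest_cookie_after_reuse(0, seen, sizeof seen));
    printf("deep-copied subrequest sees: %s\n",
           subrequest_cookie_after_reuse(1, seen, sizeof seen));
    return 0;
}
```

The real server keeps a header table per request in pool memory rather than a single pointer, but the failure mode is the same: a reference outlives the memory it points into, and under a threaded MPM that memory is refilled by another thread's request.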

computer vulnerability alert CVE-2009-2267 CVE-2009-3733

VMware: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of VMware products, in order to elevate his privileges, or to obtain a file.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/10/2009.
Revision date: 30/10/2009.
Identifiers: BID-36841, BID-36842, CERTA-2009-AVI-464, CVE-2009-2267, CVE-2009-3733, VIGILANCE-VUL-9136, VMSA-2009-0010, VMSA-2009-0012, VMSA-2009-0015.

Description of the vulnerability

Two vulnerabilities were announced in VMware products.

A local user of a guest system can trigger a page fault in Virtual-8086 mode, in order to obtain elevated privileges within the guest system. [severity:2/4; BID-36841, CERTA-2009-AVI-464, CVE-2009-2267]

A network attacker can obtain a file from the host system. [severity:2/4; BID-36842, CVE-2009-3733]

An attacker can therefore elevate his privileges, or obtain a file.

computer vulnerability note CVE-2009-3707 CVE-2009-4811

VMware ACE, Player, Workstation: denial of service of vmware-authd

Synthesis of the vulnerability

An attacker can send a malicious authentication query to the vmware-authd service of VMware ACE, Player or Workstation in order to stop it.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/10/2009.
Identifiers: BID-36630, CVE-2009-3707, CVE-2009-4811, VIGILANCE-VUL-9079, VMSA-2010-0007, VMSA-2010-0007.1.

Description of the vulnerability

The vmware-authd.exe authentication service of VMware ACE, Player or Workstation listens on port 912/tcp.

This service expects data like:
  USER user_name
  PASS password
The user name and the password are logged.

However, when the user name or the password contains the '%' character, the logged data is interpreted as a format string, and a format string attack occurs.

A non authenticated attacker can therefore create a denial of service, and possibly execute code.
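The format string bug described above, and the vmrun bulletin earlier on this page where a guest process name is formatted, both come down to attacker data reaching the format argument of a printf-family call. The following added example is not VMware code: it models a USER/PASS dialogue and its logger, with the vulnerable form beside the hardened one. The line format, buffer sizes and helper names are assumptions. Only the harmless "%%" case is run through the vulnerable logger, which is enough to show that the input is being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not VMware code). Models a vmware-authd-style dialogue: the
 * client sends "USER <name>" and "PASS <password>" lines and the server logs
 * both. The vulnerable logger passes the client-supplied text as the format;
 * the safe one passes it as a "%s" argument.
 */

#define VALUE_MAX 128

/* Copy the argument of a "USER x" / "PASS x" line into out, stripping the
 * CRLF. Returns 1 on a well-formed line, 0 on a malformed or over-long one. */
static int parse_login_line(const char *line, const char *verb,
                            char *out, size_t outsz)
{
    size_t vlen = strlen(verb);
    if (strncmp(line, verb, vlen) != 0 || line[vlen] != ' ')
        return 0;
    const char *arg = line + vlen + 1;
    size_t n = strcspn(arg, "\r\n");
    if (n == 0 || n >= outsz)
        return 0;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 1;
}

/* Number of '%' characters in attacker-controlled data: a cheap pre-logging
 * check, and a usable detection rule over authentication logs. */
static int count_percent_signs(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%')
            n++;
    return n;
}

/* Thin wrapper without a format attribute: the compiler cannot warn that the
 * format argument is not a literal, which is how such bugs survive review. */
static int unsafe_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* VULNERABLE: the log line is built from client data and then used as the
 * format string. "%%" collapses to "%", "%x" reads the stack, "%n" writes to
 * memory. Kept only for comparison; never call it with hostile input. */
static const char *log_login_vulnerable(const char *verb, const char *value,
                                        char *out, size_t outsz)
{
    char msg[VALUE_MAX + 8];
    snprintf(msg, sizeof msg, "%s %s", verb, value);
    unsafe_format(out, outsz, msg);        /* BUG: msg is not a literal */
    return out;
}

/* SAFE: the format string is a literal; client data is only ever an argument. */
static const char *log_login_safe(const char *verb, const char *value,
                                  char *out, size_t outsz)
{
    snprintf(out, outsz, "%s %s", verb, value);
    return out;
}

int main(void)
{
    /* Constructed sample input: one honest line, two hostile passwords. */
    const char *lines[] = { "USER alice\r\n", "PASS a%%b\r\n", "PASS %x%x%n\r\n" };
    const char *verbs[] = { "USER", "PASS", "PASS" };
    char value[VALUE_MAX], line[VALUE_MAX + 8];

    for (int i = 0; i < 3; i++) {
        if (!parse_login_line(lines[i], verbs[i], value, sizeof value)) {
            printf("malformed %s line\n", verbs[i]);
            continue;
        }
        printf("%s value=\"%s\" percent_signs=%d\n", verbs[i], value,
               count_percent_signs(value));
        printf("  safe log      : %s\n",
               log_login_safe(verbs[i], value, line, sizeof line));
        if (strcmp(value, "a%%b") == 0)    /* deterministic, touches no memory */
            printf("  vulnerable log: %s\n",
                   log_login_vulnerable(verbs[i], value, line, sizeof line));
    }
    return 0;
}
```

With the "a%%b" password the vulnerable logger emits "PASS a%b": the doubled percent has been consumed as a directive, which is exactly the behaviour an attacker then exploits with "%x" (stack disclosure) and "%n" (memory write). The count of '%' characters in USER/PASS values is also a reasonable indicator to alert on in authentication logs.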

vulnerability announce CVE-2009-0199 CVE-2009-2628

VMware ACE, Player, Workstation: buffer overflow of VMnc

Synthesis of the vulnerability

An attacker can invite the victim to see a malicious video, in order to execute code on VMware ACE, Player or Workstation.
Impacted products: VMware ACE, VMware Player, VMware Workstation.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/09/2009.
Identifiers: BID-36290, CERTA-2009-AVI-389, CVE-2009-0199, CVE-2009-2628, VIGILANCE-VUL-9002, VMSA-2009-0010, VMSA-2009-0012, VU#444513.

Description of the vulnerability

The VMware ACE, Player and Workstation products use the VMnc (VMware Movie decoder) codec to display videos.

When a malicious video is opened, a buffer overflow occurs in VMnc.dll.

An attacker can therefore invite the victim to see a malicious video, in order to execute code on VMware ACE, Player or Workstation.
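An added example, not VMware code and not VMnc's real format: the bulletins on this page only state that the codec contains buffer and integer overflows reachable from a malicious video, so this shows the generic shape of such a decoder bug and its hardened counterpart. The 12-byte header of width, height and bytes per pixel, and the 64 MiB allocation cap, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not VMware code. Models the generic shape of a video codec
 * integer overflow rather than VMnc's real format. Assumed frame layout: a
 * 12-byte header of three little-endian 32-bit fields (width, height, bytes
 * per pixel) followed by raw pixels.
 */

#define HDR_LEN 12
#define MAX_FRAME_BYTES (64u * 1024u * 1024u)   /* decoder's allocation cap */

struct frame_hdr { uint32_t width, height, bpp; };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16
         | (uint32_t)p[3] << 24;
}

static void parse_hdr(const unsigned char *p, struct frame_hdr *h)
{
    h->width = le32(p);
    h->height = le32(p + 4);
    h->bpp = le32(p + 8);
}

/* VULNERABLE: the 32-bit product wraps, so a huge frame yields a tiny (even
 * zero) allocation while the pixel copy still believes the frame is huge. */
static uint32_t frame_size_unchecked(const struct frame_hdr *h)
{
    return h->width * h->height * h->bpp;
}

/* HARDENED: validate each field, multiply in size_t with overflow checks,
 * and cap the result. Returns 0 and sets *out on success, -1 on rejection. */
static int frame_size_checked(const struct frame_hdr *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp > 4)
        return -1;
    size_t n = h->width;
    if (n > SIZE_MAX / h->height) return -1;
    n *= h->height;
    if (n > SIZE_MAX / h->bpp) return -1;
    n *= h->bpp;
    if (n > MAX_FRAME_BYTES) return -1;
    *out = n;
    return 0;
}

/* Decode one frame. Allocates only after the size passed the overflow checks
 * and fits in the bytes actually received. Returns pixel bytes copied, or -1. */
static long decode_frame(const unsigned char *buf, size_t len)
{
    struct frame_hdr h;
    size_t need;
    if (len < HDR_LEN) return -1;
    parse_hdr(buf, &h);
    if (frame_size_checked(&h, &need) != 0) return -1;
    if (need > len - HDR_LEN) return -1;     /* header promises more than sent */
    unsigned char *pixels = malloc(need);
    if (pixels == NULL) return -1;
    memcpy(pixels, buf + HDR_LEN, need);
    free(pixels);
    return (long)need;
}

/* Build a constructed frame (header plus filler pixels). Returns its length, or 0. */
static size_t build_frame(unsigned char *out, size_t outsz,
                          uint32_t w, uint32_t hgt, uint32_t bpp, size_t payload)
{
    uint32_t f[3] = { w, hgt, bpp };
    if (outsz < HDR_LEN + payload) return 0;
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (unsigned char)(f[i] >> (8 * b));
    memset(out + HDR_LEN, 0xAB, payload);
    return HDR_LEN + payload;
}

int main(void)
{
    unsigned char frame[HDR_LEN + 64];
    struct frame_hdr hostile = { 0x10000u, 0x10000u, 4 };
    size_t n = 0;

    printf("hostile header: unchecked size %u, checked: %s\n",
           (unsigned)frame_size_unchecked(&hostile),
           frame_size_checked(&hostile, &n) == 0 ? "accepted" : "rejected");
    n = build_frame(frame, sizeof frame, 4, 4, 4, 64);
    printf("honest 4x4x4 frame: decode_frame = %ld\n", decode_frame(frame, n));
    n = build_frame(frame, sizeof frame, 8, 8, 4, 64);   /* claims 256, sends 64 */
    printf("short frame: decode_frame = %ld\n", decode_frame(frame, n));
    return 0;
}
```

The 65536 x 65536 x 4 header is the classic case: the unchecked product is exactly 2^34, which wraps to 0 in 32 bits, so a decoder using it would allocate nothing and then write the attacker's pixel data past the end of a zero-length buffer.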

computer vulnerability alert CVE-2009-1805

VMware: denial of service of Descheduled Time Accounting

Synthesis of the vulnerability

An attacker in a Windows guest system can use the Descheduled Time Accounting driver in order to generate a denial of service.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 1/4.
Consequences: denial of service on service.
Provenance: user shell.
Creation date: 29/05/2009.
Identifiers: BID-35141, CVE-2009-1805, VIGILANCE-VUL-8746, VMSA-2009-0007.

Description of the vulnerability

The Descheduled Time Accounting (VMDesched) service can optionally be installed in a virtual machine, in order to detect and correct clock drift (backlogged system timer interrupts).

An attacker in a Windows guest system can use the Descheduled Time Accounting driver in order to generate a denial of service.

vulnerability announce CVE-2009-1244

VMware: code execution

Synthesis of the vulnerability

An attacker located in a guest system can execute code on the host system.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 10/04/2009.
Identifiers: BID-34471, CVE-2009-1244, VIGILANCE-VUL-8622, VMSA-2009-0006.

Description of the vulnerability

VMware products virtualize display features.

A vulnerability in display features can be used by an attacker located in a guest system to execute code on the host system.

vulnerability announce CVE-2008-3761 CVE-2008-4916 CVE-2009-0177

VMware: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities impact VMware ACE, Player, Server and Workstation.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VirtualCenter, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, data reading, data creation/edition, denial of service on server.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 8.
Creation date: 02/04/2009.
Revision date: 06/04/2009.
Identifiers: BID-30737, BID-33095, BID-34373, CERTA-2009-AVI-137, CVE-2008-3761, CVE-2008-4916, CVE-2009-0177, CVE-2009-0518, CVE-2009-0908, CVE-2009-0909, CVE-2009-0910, CVE-2009-1146, CVE-2009-1147, Positive Technologies SA 2008-05, Positive Technologies SA 2008-07, PT-2008-05, PT-2008-07, TPTI-09-01, TPTI-09-02, VIGILANCE-VUL-8592, VMSA-2009-0005.

Description of the vulnerability

Several vulnerabilities impact VMware products.

On a Windows host, a local attacker can use an IOCTL of the hcmon.sys driver in order to elevate his privileges. [severity:2/4; CVE-2009-1146, Positive Technologies SA 2008-07, PT-2008-07]

On a Windows host, a local attacker can use an IOCTL of the hcmon.sys driver in order to create a denial of service (VIGILANCE-VUL-8042). [severity:1/4; BID-30737, CVE-2008-3761]

On a Windows host, an attacker can send a long authentication query to the vmware-authd service in order to stop it (VIGILANCE-VUL-8368). [severity:2/4; BID-33095, CVE-2009-0177]

On a Windows host or guest, a local attacker can use the vmci.sys (Virtual Machine Communication Interface) driver to elevate his privileges. [severity:2/4; CVE-2009-1147, Positive Technologies SA 2008-05, PT-2008-05]

Two overflows of the VMnc codec can be used by an attacker to execute code on the host. [severity:2/4; CVE-2009-0909, CVE-2009-0910, TPTI-09-01, TPTI-09-02]

An attacker can re-enable a disabled ACE Shared Folder of HGFS (Host Guest File System). [severity:1/4; CVE-2009-0908]

An attacker in a guest system can use a device driver to stop the host. [severity:1/4; CERTA-2009-AVI-137, CVE-2008-4916]

The VI Client keeps in its memory the VirtualCenter Server password. [severity:1/4; CVE-2009-0518]

vulnerability announce CVE-2009-0040

libpng: memory corruption via free

Synthesis of the vulnerability

An attacker can create a malicious PNG image in order to corrupt the memory of applications linked to libpng.
Impacted products: Debian, Fedora, libpng, Mandriva Linux, Mandriva NF, NLD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SLES, VMware ACE, ESX, VMware Player, VMware Workstation.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Creation date: 19/02/2009.
Identifiers: 259989, 674516, 6745161, 6755267, 6813939, BID-33827, CVE-2009-0040, DSA-1750-1, FEDORA-2009-1976, FEDORA-2009-2045, FEDORA-2009-2112, FEDORA-2009-2131, MDVSA-2009:051, RHSA-2009:0333-01, RHSA-2009:0340-01, SSA:2009-051-01, SUSE-SR:2009:005, VIGILANCE-VUL-8482, VMSA-2009-0007, VMSA-2009-0010, VMSA-2009-0012, VU#649212.

Description of the vulnerability

The libpng library is used by applications creating or manipulating PNG (Portable Network Graphics) image files.

It allocates arrays of elements to store information on images.

However, if memory runs out while these arrays are being filled, the error path frees every entry of the array, including entries that were never allocated and still hold uninitialised pointers.

An attacker can therefore create a malicious PNG image in order to corrupt the memory of applications linked to libpng. This vulnerability leads to a denial of service and possibly to code execution.
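An added example, not libpng code: a model of the cleanup bug described above, with the vulnerable allocation pattern beside the fixed one. The fault-injecting allocator is an assumption for the demonstration, so that memory exhaustion at a chosen row can be simulated without exhausting real memory.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example (not libpng code). Models the bug class in the bulletin: a
 * decoder allocates one buffer per image row, and when an allocation fails
 * part-way its error path frees every slot of the row-pointer array. If the
 * array came from malloc() and was never zeroed, the slots past the failure
 * point hold stale pointers and free() is called on them (memory corruption).
 * The fixed variant zeroes the array first, so free(NULL) is a harmless no-op.
 */

/* Fault injection: fail the allocation of a chosen row. */
static int g_fail_at = -1;     /* row index whose allocation fails; -1 = never */
static int g_alloc_count = 0;

static void set_fail_at(int idx)
{
    g_fail_at = idx;
    g_alloc_count = 0;
}

static unsigned char *row_alloc(size_t rowbytes)
{
    if (g_alloc_count++ == g_fail_at)
        return NULL;           /* simulated out-of-memory */
    return malloc(rowbytes);
}

static void free_rows(unsigned char **rows, int nrows)
{
    if (rows == NULL)
        return;
    for (int i = 0; i < nrows; i++)
        free(rows[i]);         /* free(NULL) is defined; free(garbage) is not */
    free(rows);
}

/* VULNERABLE pattern: the pointer array is uninitialised. On a mid-way
 * failure, free_rows() walks all nrows slots, including the ones never
 * assigned. Only safe to call when no allocation fails. */
static int alloc_rows_vulnerable(unsigned char ***rows_out, int nrows,
                                 size_t rowbytes)
{
    unsigned char **rows = malloc((size_t)nrows * sizeof *rows);
    if (rows == NULL)
        return -1;
    for (int i = 0; i < nrows; i++) {
        rows[i] = row_alloc(rowbytes);
        if (rows[i] == NULL) {
            free_rows(rows, nrows);   /* BUG: slots i+1..nrows-1 are garbage */
            return -1;
        }
    }
    *rows_out = rows;
    return 0;
}

/* FIXED pattern: calloc() zeroes every slot up front, so the same cleanup
 * loop is well defined whichever allocation failed. */
static int alloc_rows_safe(unsigned char ***rows_out, int nrows,
                           size_t rowbytes)
{
    unsigned char **rows = calloc((size_t)nrows, sizeof *rows);
    if (rows == NULL)
        return -1;
    for (int i = 0; i < nrows; i++) {
        rows[i] = row_alloc(rowbytes);
        if (rows[i] == NULL) {
            free_rows(rows, nrows);   /* unused slots are NULL: harmless */
            return -1;
        }
    }
    *rows_out = rows;
    return 0;
}

int main(void)
{
    unsigned char **rows = NULL;

    set_fail_at(-1);           /* plenty of memory: both variants succeed */
    if (alloc_rows_vulnerable(&rows, 4, 64) == 0) {
        puts("vulnerable variant: 4 rows allocated (no failure, so no harm)");
        free_rows(rows, 4);
    }

    set_fail_at(2);            /* allocation of row 2 fails */
    rows = NULL;
    int rc = alloc_rows_safe(&rows, 4, 64);
    printf("safe variant with failure at row 2: rc=%d, rows=%s\n",
           rc, rows == NULL ? "NULL (everything released)" : "leaked");
    /* alloc_rows_vulnerable(&rows, 4, 64) here would free two garbage pointers. */
    return 0;
}
```

The attacker's lever in the real bug is the image itself: dimensions chosen so that the decoder's row allocations fail part-way put it on exactly this error path, which is why a crafted PNG rather than a hostile environment suffices.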