The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of VMware Server

computer vulnerability CVE-2010-4294 CVE-2010-4295 CVE-2010-4296

VMware: four vulnerabilities

Synthesis of the vulnerability

Four vulnerabilities of VMware products lead to code execution.
Impacted products: ESX, ESXi, VMware Player, VMware Server, VMware vSphere, VMware vSphere Hypervisor, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 4.
Creation date: 03/12/2010.
Identifiers: BID-45166, BID-45167, BID-45168, BID-45169, CERTA-2010-AVI-574, CVE-2010-4294, CVE-2010-4295, CVE-2010-4296, CVE-2010-4297, TPTI-10-16, VIGILANCE-VUL-10175, VMSA-2010-0018.

Description of the vulnerability

Four vulnerabilities were announced in VMware products.

On Linux, the filesystem mounting tool (vmware-mount) creates temporary files in an insecure manner, so a local attacker can elevate his privileges. [severity:2/4; BID-45167, CVE-2010-4295]

On Linux, the filesystem mounting tool (vmware-mount) loads local libraries with root privileges, so a local attacker can elevate his privileges. [severity:2/4; BID-45168, CVE-2010-4296]

When VMware Tools are not up to date in the guest system, the update process does not check injected commands. An attacker in a guest system can therefore execute commands with root privileges. [severity:2/4; BID-45166, CVE-2010-4297]

VMware products install the VMnc codec. A video with a malicious fourCC field corrupts the memory of VMnc. An attacker can therefore invite the VMware administrator to see a web page using this codec, in order to execute code on his computer. [severity:2/4; BID-45169, CERTA-2010-AVI-574, CVE-2010-4294, TPTI-10-16]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2008-5515 CVE-2009-0033 CVE-2009-0580

Apache Tomcat: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apache Tomcat in order to generate a denial of service or to obtain information.
Impacted products: Tomcat, BES, Debian, Fedora, Performance Center, HP-UX, JBoss AS OpenSource, NSM Central Manager, NSMXpress, Mandriva Linux, OpenSolaris, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 04/06/2009.
Revision dates: 09/06/2009, 10/06/2010.
Identifiers: 263529, 6848375, 6849727, BID-35193, BID-35196, BID-35263, BID-35416, c01908935, c02181353, c02515878, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CERTA-2011-AVI-169, CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, DSA-2207-1, FEDORA-2009-11352, FEDORA-2009-11356, FEDORA-2009-11374, HPSBMA02535, HPSBUX02466, HPSBUX02579, KB25966, MDVSA-2009:136, MDVSA-2009:138, MDVSA-2009:163, MDVSA-2010:176, PSN-2012-05-584, RHSA-2009:1143-01, RHSA-2009:1144-01, RHSA-2009:1145-01, RHSA-2009:1146-01, RHSA-2009:1164-01, RHSA-2009:1454-01, RHSA-2009:1506-01, RHSA-2009:1562-01, RHSA-2009:1563-01, RHSA-2009:1616-01, RHSA-2009:1617-01, RHSA-2010:0602-02, SSRT090192, SSRT100029, SSRT100203, SUSE-SR:2009:012, SUSE-SR:2010:008, VIGILANCE-VUL-8762, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5.

Description of the vulnerability

Several vulnerabilities were announced in Apache Tomcat.

An attacker can use invalid headers in order to close the AJP connection. [severity:2/4; BID-35193, CVE-2009-0033]

When form authentication (j_security_check) is in MemoryRealm, DataSourceRealm or JDBCRealm mode, an attacker can use an invalid URL encoding for the password and can then detect whether a username is valid. [severity:2/4; BID-35196, CVE-2009-0580]

A web application can change the XML parser, and thus access the web.xml/context.xml file of another application. [severity:1/4; BID-35416, CVE-2009-0783]

The URL path is unnecessarily canonicalized in ApplicationHttpRequest.java. For example, the URL "http://s/dir1/dir2?/../" is converted to "http://s/dir1/". [severity:2/4; BID-35263, CERTA-2009-AVI-211, CERTA-2010-AVI-220, CVE-2008-5515]

computer vulnerability bulletin CVE-2009-1564 CVE-2009-1565 CVE-2009-2042

VMware: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities impact VMware ACE, ESX, ESXi, Player, Server and Workstation.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, user access/rights, data reading, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 10.
Creation date: 09/04/2010.
Identifiers: ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-35233, BID-36630, BID-39345, BID-39363, BID-39364, BID-39392, BID-39394, BID-39395, BID-39396, BID-39397, BID-39407, CERTA-2010-AVI-162, CERTA-2010-AVI-165, CVE-2009-1564, CVE-2009-1565, CVE-2009-2042, CVE-2009-3707, CVE-2009-3732, CVE-2009-4811, CVE-2010-1138, CVE-2010-1139, CVE-2010-1140, CVE-2010-1141, CVE-2010-1142, CVE-2010-1564-ERROR, DSecRG-09-053, VIGILANCE-VUL-9568, VMSA-2010-0007, VMSA-2010-0007.1.

Description of the vulnerability

Several vulnerabilities impact VMware products.

When the guest system is Windows, a local attacker can load a library, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39392, CVE-2010-1141]

When the guest system is Windows 2000, a local attacker can copy a program in a specific directory, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39394, CVE-2010-1142]

When the host system is Windows 2000, a local attacker can copy a program in a specific directory, in order to elevate his privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2, BID-39397, CVE-2010-1140]

When a black and white interlaced image is opened by libpng, some areas of the image are filled with uninitialized memory contents (VIGILANCE-VUL-8813). [severity:1/4; BID-35233, CVE-2009-2042]

The VMware Workstation, VMware Player and VMware ACE products install the VMnc video codec, which contains several buffer overflows. The attacker can invite the victim to see a malicious video, in order to execute code. [severity:2/4; BID-39363, CERTA-2010-AVI-162, CERTA-2010-AVI-165, CVE-2009-1564, CVE-2010-1564-ERROR]

The VMware Workstation, VMware Player and VMware ACE products install the VMnc video codec, which contains several integer overflows. The attacker can invite the victim to see a malicious video, in order to execute code. [severity:2/4; BID-39364, CVE-2009-1565]

An attacker can generate a format string attack in VMware Remote Console (VMrc), in order to execute code. [severity:2/4; BID-39396, CVE-2009-3732, DSecRG-09-053]

An attacker can send a malicious authentication query to the vmware-authd service of VMware ACE, Player or Workstation in order to stop it (VIGILANCE-VUL-9079). [severity:2/4; BID-36630, CVE-2009-3707, CVE-2009-4811]

An attacker in a guest system can send data to the vmware-vmx process of the host system, which may then send them on the network. [severity:2/4; BID-39395, CVE-2010-1138]

An attacker in a guest system can execute a command containing format strings. Then, when the administrator uses vmrun to list processes, a format string attack occurs, and code can run with the administrator's privileges. [severity:2/4; BID-39407, CVE-2010-1139]

vulnerability bulletin CVE-2009-2277 CVE-2010-0686 CVE-2010-1137

VMware: vulnerabilities of WebAccess

Synthesis of the vulnerability

An attacker can use four vulnerabilities of WebAccess, in order to create a Cross Site Scripting, or to redirect the victim.
Impacted products: ESX, VMware Server, VirtualCenter.
Severity: 2/4.
Consequences: client access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 30/03/2010.
Identifiers: BID-39037, BID-39103, BID-39104, BID-39105, BID-39106, CERTA-2010-AVI-141, CVE-2009-2277, CVE-2010-0686, CVE-2010-1137, CVE-2010-1193, TWSL2010-002, VIGILANCE-VUL-9543, VMSA-2010-0005.

Description of the vulnerability

The WebAccess (VMware Infrastructure Web Access) interface is used to administer virtual machines. It is impacted by four vulnerabilities.

An attacker can generate a Cross Site Scripting by using context data (context_vmdirect). [severity:2/4; BID-39106, CERTA-2010-AVI-141, CVE-2009-2277, TWSL2010-002]

An attacker can generate a Cross Site Scripting by using the name of virtual machines. [severity:2/4; BID-39104, CVE-2010-1137]

An attacker can use WebAccess, in order to redirect the victim to another site, for example to create a phishing attack. [severity:2/4; BID-39103, CVE-2010-0686]

An attacker can generate a Cross Site Scripting by using a JSON error message. [severity:2/4; BID-39105, CVE-2010-1193]

computer vulnerability CVE-2009-3731

VMware: Cross Site Scripting via WebWorks Help

Synthesis of the vulnerability

An attacker can use the WebWorks Help in order to generate a Cross Site Scripting in VMware applications.
Impacted products: ESX, VMware Server, vCenter Server.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 16/12/2009.
Identifiers: CERTA-2009-AVI-548, CERTA-2010-AVI-107, CVE-2009-3731, VIGILANCE-VUL-9295, VMSA-2009-0017.

Description of the vulnerability

The WebWorks Help (wwhelp) format is used to create online help pages. It is included in several VMware applications:
 - VMware WebAccess (vCenter, ESX, VMware Server)
 - Lab Manager
 - Stage Manager

However, a Cross Site Scripting was announced in WebWorks Help. It also impacts VMware products.

An attacker can therefore invite the victim to access a malicious URL, in order to execute JavaScript code in the context of the impacted VMware products.

computer vulnerability alert CVE-2009-2267 CVE-2009-3733

VMware: two vulnerabilities

Synthesis of the vulnerability

An attacker can use two vulnerabilities of VMware products, in order to elevate his privileges, or to obtain a file.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/10/2009.
Revision date: 30/10/2009.
Identifiers: BID-36841, BID-36842, CERTA-2009-AVI-464, CVE-2009-2267, CVE-2009-3733, VIGILANCE-VUL-9136, VMSA-2009-0010, VMSA-2009-0012, VMSA-2009-0015.

Description of the vulnerability

Two vulnerabilities were announced in VMware products.

A local attacker can use Virtual-8086 mode and generate a page fault, in order to obtain privileges in the guest system. [severity:2/4; BID-36841, CERTA-2009-AVI-464, CVE-2009-2267]

A network attacker can obtain a file from the host system. [severity:2/4; BID-36842, CVE-2009-3733]

An attacker can therefore elevate his privileges, or obtain a file.

computer vulnerability note CVE-2009-3707 CVE-2009-4811

VMware ACE, Player, Workstation: denial of service of vmware-authd

Synthesis of the vulnerability

An attacker can send a malicious authentication query to the vmware-authd service of VMware ACE, Player or Workstation in order to stop it.
Impacted products: VMware ACE, ESX, ESXi, VMware Player, VMware Server, VMware Workstation.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/10/2009.
Identifiers: BID-36630, CVE-2009-3707, CVE-2009-4811, VIGILANCE-VUL-9079, VMSA-2010-0007, VMSA-2010-0007.1.

Description of the vulnerability

The vmware-authd.exe authentication service of VMware ACE, Player or Workstation listens on port 912/tcp.

This service expects data like:
  USER user_name
  PASS password
The user name and the password are logged.

However, when the user name or the password contains the '%' character, a format string attack occurs.

An unauthenticated attacker can therefore create a denial of service, and possibly execute code.

computer vulnerability note CVE-2009-2698

Linux kernel: privilege elevation via udp_sendmsg

Synthesis of the vulnerability

A local attacker can use the MSG_MORE option on a UDP socket, in order to force the kernel to dereference a NULL pointer.
Impacted products: Debian, Linux, NLD, OES, openSUSE, RHEL, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 24/08/2009.
Revision date: 25/08/2009.
Identifiers: 518034, BID-36108, CVE-2009-2698, DSA-1872-1, MDVSA-2011:051, RHSA-2009:1222-02, RHSA-2009:1223-02, RHSA-2009:1233-01, RHSA-2009:1457-01, RHSA-2009:1469-01, SUSE-SA:2009:046, SUSE-SU-2011:0928-1, TLSA-2009-28, VIGILANCE-VUL-8969, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

The MSG_MORE option of the sendmsg() function on a UDP socket indicates that the next call to sendmsg() will contain data to be added in the same packet.

However, when this option is used, the udp_sendmsg() and udpv6_sendmsg() functions do not correctly handle the case where the queue is empty, which leads to a NULL pointer dereference.

A local attacker can therefore use the MSG_MORE option on a UDP socket, in order to force the kernel to stop.

A local attacker can also combine this vulnerability with VIGILANCE-VUL-8953/VIGILANCE-VUL-8861 in order to elevate his privileges.

vulnerability alert CVE-2009-1895

Linux kernel: privilege elevation via PER_CLEAR_ON_SETID

Synthesis of the vulnerability

A local attacker can use personalities in a suid root program in order to elevate his privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, NLD, OES, openSUSE, RHEL, SLES, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 15/07/2009.
Revision dates: 17/07/2009, 18/08/2009.
Identifiers: BID-35647, CVE-2009-1895, DSA-1844-1, DSA-1845-1, FEDORA-2009-10165, FEDORA-2009-8144, FEDORA-2009-8264, MDVSA-2009:289, MDVSA-2011:051, RHSA-2009:1193-01, RHSA-2009:1438-01, RHSA-2009:1540-01, RHSA-2009:1550-01, RHSA-2010:0079-01, SUSE-SA:2009:045, VIGILANCE-VUL-8861, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

System calls (select(), poll(), etc.) and memory layout differ between systems. For example, a program designed for the Solaris select() may not work with the Linux select() because of minor behavior differences.

Personalities (or execution domains) indicate how the kernel has to behave:
 - PER_LINUX: normal mode for Linux
 - PER_SOLARIS: emulate the Solaris kernel
 - PER_IRIX32: emulate the IRIX kernel
 - etc.

The PER_CLEAR_ON_SETID macro defines personalities related to setuid() and setgid() calls.

A process with the CAP_SYS_RAWIO capability is allowed to bypass the lower limit defined by the vm.mmap_min_addr sysctl. A suid root process can therefore mmap memory pages at a low address. Moreover, as the PER_CLEAR_ON_SETID macro does not contain MMAP_PAGE_ZERO, it can even mmap page zero.

A local attacker can therefore use a suid root program (such as pulseaudio) in order to mmap the page at address zero, and thus exploit a NULL pointer dereference.

This error cannot be directly exploited (it is similar to VIGILANCE-VUL-8953), but it can be used to exploit other vulnerabilities.

vulnerability CVE-2009-2692

Linux kernel: privilege elevation via sock_sendpage, SOCKOPS_WRAP, proto_ops

Synthesis of the vulnerability

A local attacker can use some types of sockets, in order to obtain root privileges.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, Mandriva NF, NLD, OES, openSUSE, RHEL, Slackware, SLES, TurboLinux, ESX, ESXi, VMware Server, vCenter Server, VirtualCenter.
Severity: 2/4.
Consequences: administrator access/rights, denial of service on server.
Provenance: user shell.
Creation date: 14/08/2009.
Identifiers: 516949, BID-36038, CERTA-2009-AVI-337, CVE-2009-2692, DSA-1862-1, DSA-1864-1, DSA-1865-1, FEDORA-2009-10165, FEDORA-2009-8647, FEDORA-2009-8649, MDVSA-2009:205, MDVSA-2009:233, RHSA-2009:1233-01, RHSA-2009:1239-01, RHSA-2009:1239-02, RHSA-2009:1457-01, RHSA-2009:1469-01, SSA:2009-230-01, SSA:2009-231-01, SUSE-SA:2009:045, SUSE-SR:2009:015, SUSE-SU-2011:0928-1, TLSA-2009-28, VIGILANCE-VUL-8950, VMSA-2009-0016, VMSA-2009-0016.1, VMSA-2009-0016.2, VMSA-2009-0016.3, VMSA-2009-0016.4, VMSA-2009-0016.5, VMSA-2010-0010.

Description of the vulnerability

Each socket type is associated with a proto_ops structure, which holds the function pointers implementing accept(), bind(), etc. When a socket type does not support a function, the corresponding field has to point to a stub such as sock_no_accept(). The SOCKOPS_WRAP macro initializes these function pointers. However, the SOCKOPS_WRAP macro does not initialize the sendpage field of the proto_ops structure. Impacted protocols are PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25, PF_AX25, PF_BLUETOOTH, PF_IUCV, PF_INET6 (IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

Moreover, the sock_sendpage() function does not check whether the sendpage pointer is NULL. It thus calls the function at address zero, which stops the system. However, if the VIGILANCE-VUL-8861 vulnerability is not corrected, an attacker can mmap the memory page at address zero and store a malicious function there. This function then runs with kernel privileges.

A local attacker can thus call a function (such as sendfile()) which calls sock_sendpage() on some types of sockets, in order to obtain root privileges.