CVE-2009-1147 - Remote vulnerability in VMware Hosted Products VMSA-2009-0005

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, vmware, nessus

Summary

Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.

Vulnerable Configurations

Part         Description  Count
Application  Vmware       83

Nessus

  • NASL family: Windows
    NASL id: VMWARE_MULTIPLE_VMSA_2009_0005.NASL
    description: VMware products installed on the remote host are reportedly affected by multiple vulnerabilities: - A vulnerability in the guest virtual device driver could allow an attacker to use the guest operating system to crash the host operating system. (CVE-2008-3761) - A denial of service vulnerability affects an unspecified IOCTL contained in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36117
    published: 2009-04-09
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36117
    title: VMware Products Multiple Vulnerabilities (VMSA-2009-0005/VMSA-2009-0007)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2009-0005.NASL
    description:
      a. Denial of service guest to host vulnerability in a virtual device. A vulnerability in a guest virtual device driver could allow a guest operating system to crash the host and consequently any virtual machines on that host. VMware would like to thank Andrew Honig of the Department of Defense for reporting this issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-4916 to this issue.
      b. Windows-based host denial of service vulnerability in hcmon.sys. A vulnerability in an ioctl in hcmon.sys could be used to create a denial of service on a Windows-based host. This issue can only be exploited by a privileged Windows account. VMware would like to thank Nikita Tarakanov for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1146 to this issue. Note: newly released hosted products (see table in this section) address another potential denial of service in hcmon.sys as well. This issue can also only be exploited by a privileged Windows account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3761 to this issue.
      c. A VMCI privilege escalation on Windows-based hosts or Windows-based guests. The Virtual Machine Communication Interface (VMCI) is an infrastructure that provides fast and efficient communication between a virtual machine and the host operating system and between two or more virtual machines on the same host. A vulnerability in vmci.sys could allow privilege escalation on Windows-based machines. This could occur on Windows-based hosts or inside Windows-based guest operating systems. Current versions of ESX do not support the VMCI interface and hence they are not affected by this vulnerability. Note: Installing the new hosted releases will not remediate the issue on Windows-based guests. The VMware Tools packages will need to be updated on each Windows-based guest, followed by a reboot of the guest system. VMware would like to thank Nikita Tarakanov for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1147 to this issue. Refer to VMware KB article 1009826 for the steps that are needed to remediate this vulnerability on Windows-based hosts. This KB article is found at http://kb.vmware.com/kb/1009826.
      d. VMnc Codec Heap Overflow vulnerabilities. The VMnc Codec assists in Record and Replay sessions. Record and Replay records the dynamic virtual machine state over a period of time. Two heap overflow vulnerabilities could allow a remote attacker to execute arbitrary code on VMware hosted products. For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file. VMware would like to thank Aaron Portnoy from TippingPoint DVLabs for reporting these issues to us. TippingPoint has issued the following identifiers: ZDI-CAN-435, ZDI-CAN-436. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0909 and CVE-2009-0910 to these issues.
      e. ACE shared folders vulnerability. The VMware Host Guest File System (HGFS) shared folders feature allows users to transfer data between a guest operating system and the non-virtualized host operating system that contains it. A vulnerability in ACE shared folders could allow a previously disabled and not removed shared folder in the guest to be enabled by a non ACE Administrator. VMware would like to thank Emmanouel Kellinis, KPMG London, penetration testing team for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0908 to this issue.
      f. A remote denial of service vulnerability in authd for Windows-based hosts. A vulnerability in vmware-authd.exe could cause a denial of service condition on Windows hosts. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0177 to this issue.
      g. VI Client Retains VirtualCenter Server Password in Memory. After logging in to VirtualCenter Server with VI Client, the password for VirtualCenter Server might be present in the memory of the VI Client. Note: This vulnerability is present in VI Client and in order to remediate the vulnerability, you will need to replace VI Client with a fixed version (see below). VMware would like to thank Craig Marshall for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0518 to this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40390
    published: 2009-07-27
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40390
    title: VMSA-2009-0005 : VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues

Oval

accepted: 2009-11-09T04:00:17.917-05:00
class: vulnerability
contributors:
  name: Michael Wood
  organization: Hewlett-Packard
definition_extensions:
  • comment: VMWare ESX Server 3.0.3 is installed
    oval: oval:org.mitre.oval:def:6026
  • comment: VMWare ESX Server 3.0.2 is installed
    oval: oval:org.mitre.oval:def:5613
  • comment: VMware ESX Server 3.5.0 is installed
    oval: oval:org.mitre.oval:def:5887
description: Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.
family: unix
id: oval:org.mitre.oval:def:5471
status: accepted
submitted: 2009-09-23T15:39:02.000-04:00
title: VMware Windows 'vmci.sys' Driver Lets Local Users Gain Elevated Privileges
version: 4

Seebug

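  • bulletinFamily: exploit
    description:
      BUGTRAQ ID: 34373
      CVE(CAN) ID: CVE-2008-4916, CVE-2008-3761, CVE-2009-1146, CVE-2009-1147, CVE-2009-0910, CVE-2009-0909, CVE-2009-0908, CVE-2009-0177, CVE-2009-0518
      VMWare is virtual PC software that allows two or more Windows, DOS, or Linux systems to run simultaneously on a single machine. The VMSA-2009-0005 update for VMWare fixes multiple security vulnerabilities that local or remote attackers could use to bypass certain security restrictions, gain elevated privileges, or cause a denial of service.
      1) If a remote attacker sends an overly long USER string to the vmware-authd daemon on TCP port 912, the vmware-authd process terminates and local unprivileged users cannot access virtual machines.
      2) The IOCTL handler of the vmci.sys driver does not properly validate the buffer data associated with the Irp object; a local user with administrative privileges can gain SYSTEM privileges on the host or guest system.
      3) An error in the VMnc codec (vmnc.dll) when handling RFB messages of type greater than 3 could allow a specially crafted video file to trigger memory corruption.
      4) The VMnc codec (vmnc.dll) does not properly handle the ICM_DECOMPRESS driver message; an overly long dwSize element defined in a specially crafted RIFF chunk can trigger a heap overflow.
      5) An error in the ACE shared folders feature could allow shared folders to be enabled on the guest without administrative privileges.
      Affected: VMWare Workstation 6.5.x, VMWare Workstation 6.0.x, VMWare Workstation 5.5.x, VMWare ACE 2.5.x, VMWare ACE 2.0.x, VMWare Player 2.5.x, VMWare Player 2.0.x, VMWare Server 2.x, VMWare Server 1.x
      VMWare: The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site: http://lists.vmware.com/pipermail/security-announce/2009/000054.html
    id: SSV:5025
    last seen: 2017-11-19
    modified: 2009-04-10
    published: 2009-04-10
    reporter: Root
    title: VMWare VMSA-2009-0005 update fixes multiple security vulnerabilities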
  • bulletinFamily: exploit
    description:
      BUGTRAQ ID: 34373
      CVE ID: CVE-2008-4916 CVE-2008-3761 CVE-2009-1146 CVE-2009-1147 CVE-2009-0910 CVE-2009-0909 CVE-2009-0908 CVE-2009-0177 CVE-2009-0518
      CNCVE ID: CNCVE-20084916 CNCVE-20083761 CNCVE-20091146 CNCVE-20091147 CNCVE-20090910 CNCVE-20090909 CNCVE-20090908 CNCVE-20090177 CNCVE-20090518
      Multiple security vulnerabilities exist in VMware products, as follows:
      a. A vulnerability in a guest virtual device driver allows a guest operating system to crash the host, affecting any virtual machines on that host.
      b. A denial of service exists in hcmon.sys: an ioctl in hcmon.sys can be used to cause a denial of service on a Windows-based host. A Windows account is required to exploit this vulnerability.
      c. A VMCI privilege escalation exists on Windows-based hosts or guests. The Virtual Machine Communication Interface (VMCI) is an infrastructure that provides fast and efficient communication between a virtual machine and the host operating system and between two or more virtual machines on the same host. A vulnerability in vmci.sys allows privilege escalation on Windows-based machines. Current ESX versions do not support the VMCI interface and are not affected by this vulnerability.
      d. Heap overflow vulnerabilities exist in the VMnc codec. The VMnc Codec is used to record and replay sessions; Record and Replay records the dynamic virtual machine state over a period of time. Two heap overflow vulnerabilities allow a remote attacker to execute arbitrary code on VMware hosted products. To exploit them successfully, the attacker must trick a user into visiting a malicious web page or opening a malicious video file.
      e. The VMware Host Guest File System (HGFS) shared folders feature allows users to transfer data between a guest operating system and the non-virtualized host operating system. A vulnerability in ACE shared folders allows a shared folder that was previously disabled but not removed to be enabled by a non ACE Administrator.
      f. A vulnerability in vmware-authd.exe can cause a denial of service.
      g. After logging in to a VirtualCenter server with the VI Client, the VirtualCenter Server password remains in the VI Client's memory, which can lead to disclosure of sensitive information.
      Affected versions:
        VMWare Workstation for Linux 0, VMWare Workstation 6.5.1, VMWare Workstation 6.5 build 118166, VMWare Workstation 6.0.5 build 109488, VMWare Workstation 6.0.5, VMWare Workstation 6.0.4 build 93057, VMWare Workstation 6.0.4, VMWare Workstation 6.0.3 Build 80004, VMWare Workstation 6.0.3, VMWare Workstation 6.0.2, VMWare Workstation 6.0.1
        VMWare Server 1.0.8 build 126538, VMWare Server 1.0.7 build 108231, VMWare Server 1.0.7, VMWare Server 1.0.6 build 91891, VMWare Server 1.0.6, VMWare Server 1.0.5 Build 80187, VMWare Server 1.0.5, VMWare Server 1.0.4, VMWare Server 1.0.3, VMWare Server 1.0.2
        VMWare Player 2.5.1, VMWare Player 2.5 build 118166, VMWare Player 2.0.5 build 109488, VMWare Player 2.0.5, VMWare Player 2.0.4 build 93057, VMWare Player 2.0.4, VMWare Player 2.0.3 Build 80004, VMWare Player 2.0.2, VMWare Player 2.0.1, VMWare Player 2.0, VMWare Player 1.0.9 build 126128, VMWare Player 1.0.8 build 108000, VMWare Player 1.0.8, VMWare Player 1.0.7 build 91707, VMWare Player 1.0.6 Build 80404, VMWare Player 1.0.6, VMWare Player 1.0.5, VMWare Player 1.0.4, VMWare Player 1.0.3, VMWare Player 1.0.2, VMWare Player 1.0.1 Build 19317
        VMWare ESXi Server 3.5, VMWare ESX Server 3.0.3, VMWare ESX Server 3.0.2, VMWare ESX Server 3.5
        VMWare ACE 2.5.1, VMWare ACE 2.5 build 118166, VMWare ACE 2.0.5 build 109488, VMWare ACE 2.0.5, VMWare ACE 2.0.3, VMWare ACE 2.0.2 build 93057, VMWare ACE 2.0.2, VMWare ACE 2.0.1, VMWare ACE 2.0, VMWare ACE 1.0.8 build 125922, VMWare ACE 1.0.7 build 108880, VMWare ACE 1.0.7, VMWare ACE 1.0.5, VMWare ACE 1.0.4, VMWare ACE 1.0.3, VMWare ACE 1.0.2 Build 19206, VMWare ACE 1.0.2, VMWare ACE 1.0, VMWare ACE 1.0.5 build 79846
      Refer to the following upgrades:
      VMware Workstation 6.5.2
        Download: www.vmware.com/download/ws/
        Release notes: www.vmware.com/support/ws65/doc/releasenotes_ws652.html
        For Windows: Workstation for Windows 32-bit and 64-bit (Windows 32-bit and 64-bit .exe)
        For Linux: Workstation for Linux 32-bit (Linux 32-bit .rpm), Workstation for Linux 32-bit (Linux 32-bit .bundle), Workstation for Linux 64-bit (Linux 64-bit .rpm), Workstation for Linux 64-bit (Linux 64-bit .bundle)
      VMware Player 2.5.2
        Download: www.vmware.com/download/player/
        Release notes: www.vmware.com/support/player25/doc/releasenotes_player252.html
        Player for Windows binary: download3.vmware.com/software/vmplayer/VMware-player-2.5.2-156735.exe
        Player for Linux (.rpm): download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.i386.rpm
        Player for Linux (.bundle): download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.i386.bundle
        VMware Player 2.5.2 - 64-bit (.rpm): download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.x86_64.rpm
        VMware Player 2.5.2 - 64-bit (.bundle): download3.vmware.com/software/vmplayer/VMware-Player-2.5.2-156735.x86_64.bundle
      VMware ACE 2.5.2
        Download: www.vmware.com/download/ace/
        Release notes: www.vmware.com/support/ace25/doc/releasenotes_ace252.html
        ACE Management Server Virtual Appliance (AMS Virtual Appliance .zip)
        VMware ACE for Windows 32-bit and 64-bit (Windows 32-bit and 64-bit .exe)
        ACE Management Server for Windows (Windows .exe)
        ACE Management Server for SUSE Enterprise Linux 9 (SLES 9 .rpm)
        ACE Management Server for Red Hat Enterprise Linux 4 (RHEL 4 .rpm)
      VMware Server 2.0.1
        Download: www.vmware.com/download/server/
        Release notes: www.vmware.com/support/server2/doc/releasenotes_vmserver201.html
        For Windows:
          VMware Server 2, Version 2.0.1 | 156745 - 03/31/09, 507 MB EXE image. VMware Server 2 for Windows Operating Systems. A master installer file containing all Windows components of VMware Server.
          VIX API 1.6 for Windows, Version 1.6.2 | 156745 - 03/31/09, 37 MB EXE image
        For Linux:
          VMware Server 2 for Linux Operating Systems, Version 2.0.1 | 156745 - 03/31/09, 465 MB RPM image
          VMware Server 2 for Linux Operating Systems, Version 2.0.1 | 156745 - 03/31/09, 466 MB TAR image
          VMware Server 2 for Linux Operating Systems 64-bit version, Version 2.0.1 | 156745 - 03/31/09, 434 MB RPM image
          The core application needed to run VMware Server 2, 64-bit version, Version 2.0.1 | 156745 - 03/31/09, 436 MB TAR image
          VIX API 1.6 for Linux, Version 1.6.2 | 156745 - 03/31/09, 17 MB TAR image
          64-bit VIX API 1.6 for Linux, Version 1.6.2 | 156745 - 03/31/09, 21 MB TAR image
      VMware Server 1.0.9
        Download: www.vmware.com/download/server/
        Release notes: www.vmware.com/support/server/doc/releasenotes_server.html
        VMware Server for Windows 32-bit and 64-bit: download3.vmware.com/software/vmserver/VMware-server-installer-1.0.9-156507.exe
        VMware Server Windows client package: download3.vmware.com/software/vmserver/VMware-server-win32-client-1.0.9-156507.zip
        VMware Server for Linux: download3.vmware.com/software/vmserver/VMware-server-1.0.9-156507.tar.gz
        VMware Server for Linux rpm: download3.vmware.com/software/vmserver/VMware-server-1.0.9-156507.i386.rpm
        Management Interface: download3.vmware.com/software/vmserver/VMware-mui-1.0.9-156507.tar.gz
        VMware Server Linux client package: download3.vmware.com/software/vmserver/VMware-server-linux-client-1.0.9-156507.zip
      VirtualCenter
        VMware VirtualCenter 2.5 Update 4: www.vmware.com/download/download.do (DVD iso image, Zip file)
        Release Notes: www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html
      ESXi
        ESXi 3.5 patch ESXe350-200811401-O-SG (guest virtual device driver): download3.vmware.com/software/vi/ESXe350-200811401-O-SG.zip, kb.vmware.com/kb/1007508
        ESXi 3.5 patch ESXe350-200903201-O-UG (VI Client): download3.vmware.com/software/vi/ESXe350-200903201-O-UG.zip, kb.vmware.com/kb/1007992
        NOTES: ESXi 3.5 patch ESXe350-200903201-O-UG supersedes ESXe350-200811401-O-SG. The three ESXi patches for Firmware "I", VMware Tools "T", and the VI Client "C" are contained in a single offline "O" download file.
      ESX
        ESX 3.5 patch ESX350-200811401-SG (guest virtual device driver): download3.vmware.com/software/vi/ESX350-200811401-SG.zip, kb.vmware.com/kb/1007501
        ESX 3.5 patch ESX350-200903201-UG (VI Client): download3.vmware.com/software/vi/ESX350-200903201-UG.zip, kb.vmware.com/kb/1007971
        ESX 3.0.3 patch ESX303-200811401-BG (guest virtual device driver): download3.vmware.com/software/vi/ESX303-200811401-BG.zip, kb.vmware.com/kb/1006986
        ESX 3.0.2 patch ESX-1006980 (guest virtual device driver): download3.vmware.com/software/vi/ESX-1006980.tgz, kb.vmware.com/kb/1006980
    id: SSV:5005
    last seen: 2017-11-19
    modified: 2009-04-07
    published: 2009-04-07
    reporter: Root
    title: VMware Hosted Products VMSA-2009-0005 Multiple Remote Vulnerabilities