CVE-2011-1787 - Race Condition vulnerability in VMware products

CVSS 6.9 - MEDIUM
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, vmware, CWE-362, nessus

Summary

Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker leverages the race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while a file is being accessed; the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker leverages a file-access race condition by "running the race", meaning that he modifies the resource between the time the target program first accesses (checks) the file and the time the target program uses it. During that window the attacker could, for example, replace the file and cause an escalation of privilege.

Nessus

  • NASL family: Windows
    NASL id: VMWARE_MULTIPLE_VMSA_2011_0009.NASL
    description: A VMware product (Player or Workstation) detected on the remote host has multiple vulnerabilities in the Host Guest File System : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54996
    published: 2011-06-08
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54996
    title: VMware Products Multiple Vulnerabilities (VMSA-2011-0009)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(54996);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/24 15:02:54");
    
      script_cve_id("CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
      script_bugtraq_id(48098);
      script_xref(name:"VMSA", value:"2011-0009");
    
      script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2011-0009)");
      script_summary(english:"Checks vulnerable versions of VMware products");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has a virtualization application affected by multiple
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "A VMware product (Player or Workstation) detected on the remote host
    has multiple vulnerabilities in the Host Guest File System :
    
      - An attacker with access to a Guest operating system can
        determine if a path exists in the Host filesystem and
        whether it's a file or a directory regardless of
        permissions. (CVE-2011-2146)
    
      - A race condition in mount.vmhgfs may allow an attacker
        with access to a Guest to mount on arbitrary directories
        in the Guest filesystem and escalate their privileges if
        they can control the contents of the mounted directory.
        (CVE-2011-1787)
    
      - A procedural error allows an attacker with access to a
        Solaris or FreeBSD Guest operating system to gain write
        access to an arbitrary file in the Guest filesystem.
        (CVE-2011-2145)
    
    These vulnerabilities only affect non-Windows guest operating systems."
      );
      script_set_attribute(attribute:"see_also",value:"http://www.vmware.com/security/advisories/VMSA-2011-0009.html");
      script_set_attribute(attribute:"see_also",value:"http://lists.vmware.com/pipermail/security-announce/2011/000141.html");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to :
    
      - VMware Workstation 7.1.4 or later.
      - VMware Player 3.1.4 or later.
    
    In addition to patching, VMware Tools must be updated on all non-
    Windows guest VMs in order to completely mitigate certain
    vulnerabilities.  Refer to the VMware advisory for more information."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"patch_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/08");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:workstation");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_workstation_detect.nasl", "vmware_player_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports("VMware/Workstation/Version", "VMware/Player/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    
    
    port = kb_smb_transport();
    report = "";
    
    # Check for VMware Workstation
    version = get_kb_item("VMware/Workstation/Version");
    if (version)
    {
      fix = '7.1.4';
    
      if (version =~ '^7\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report += 
          '\n  Product           : VMware Workstation'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    # Check for VMware Player
    version = get_kb_item("VMware/Player/Version");
    if (version)
    {
      fix = '3.1.4';
    
      if (version =~ '^3\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report +=
          '\n  Product           : VMware Player'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    if (!report) exit(0, "The host is not affected.");
    
    if (report_verbosity > 0)
      security_hole(port:port, extra:report);
    else
      security_hole();
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_LIBVMTOOLS-DEVEL-110608.NASL
    description: This update of open-vm-tools fixes the following vulnerabilities which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75932
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75932
    title: openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update libvmtools-devel-4693.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75932);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2011-1681", "CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
    
      script_name(english:"openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)");
      script_summary(english:"Check for the libvmtools-devel-4693 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of open-vm-tools fixes the following vulnerabilities which
    allowed an attacker to gain root privileges within the guest system :
    
      - CVE-2011-1681
    
      - CVE-2011-2146
    
      - CVE-2011-1787
    
      - CVE-2011-2145"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=673267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=690491"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-06/msg00018.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libvmtools-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools-devel-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debugsource-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "open-vm-tools");
    }
    
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2011-0009_REMOTE.NASL
    description: The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities:
      - A flaw exists in the Linux Kernel in the do_anonymous_page() function due to improper separation of the stack and the heap. An attacker can exploit this to execute arbitrary code. (CVE-2010-2240)
      - A packet filter bypass exists in the Linux Kernel e1000 driver due to processing trailing payload data as a complete frame. A remote attacker can exploit this to bypass packet filters via a large packet with a crafted payload. (CVE-2009-4536)
      - A use-after-free error exists in the Linux Kernel when IPV6_RECVPKTINFO is set on a listening socket. A remote attacker can exploit this, via a SYN packet while the socket is in a listening (TCP_LISTEN) state, to cause a kernel panic, resulting in a denial of service condition. (CVE-2010-1188)
      - An array index error exists in the Linux Kernel in the gdth_read_event() function. A local attacker can exploit this, via a negative event index in an IOCTL request, to cause a denial of service condition. (CVE-2009-3080)
      - A race condition exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to gain privileges by mounting a filesystem on top of an arbitrary directory. (CVE-2011-1787)
      - A flaw exists in the VMware Host Guest File System (HGFS) that allows a Solaris or FreeBSD guest operating system user to modify arbitrary guest operating system files. (CVE-2011-2145)
      - A flaw exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to disclose host operating system files and directories. (CVE-2011-2146)
      - A flaw exists in the bundled Tom Sawyer GET Extension Factory that allows a remote attacker to cause a denial of service condition or the execution of arbitrary code via a crafted HTML document. (CVE-2011-2217)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89678
    published: 2016-03-04
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89678
    title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_LIBVMTOOLS-DEVEL-110607.NASL
    description: This update of open-vm-tools fixes the following vulnerabilities which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75626
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75626
    title: openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2011-0009.NASL
    description:
    a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass
    There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
    b. ESX third-party update for Service Console kernel
    This update for the console OS kernel package resolves four security issues.
    1) IPv4 Remote Denial of Service
    A remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.
    2) SCSI Driver Denial of Service / Possible Privilege Escalation
    A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.
    3) Kernel Memory Management Arbitrary Code Execution
    A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.
    4) e1000 Driver Packet Filter Bypass
    There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
    c. Multiple vulnerabilities in mount.vmhgfs
    This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.
    1) Mount.vmhgfs Information Disclosure
    Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.
    2) Mount.vmhgfs Race Condition
    Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.
    3) Mount.vmhgfs Privilege Escalation
    Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.
    VMware would like to thank Dan Rosenberg for reporting these issues.
    d. VI Client ActiveX vulnerabilities
    VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54968
    published: 2011-06-06
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54968
    title: VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FUSION_3_1_3.NASL
    description: The version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.3. As such, it is reportedly affected by the following three security vulnerabilities : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54974
    published: 2011-06-06
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54974
    title: VMware Fusion < 3.1.3 (VMSA-2011-0009 / VMSA-2011-0011)