Vulnerabilities > CVE-2011-1789 - Cryptographic Issues vulnerability in VMWare Esx, Esxi and Vcenter
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
The self-extracting installer in the vSphere Client Installer package in VMware vCenter 4.0 before Update 3 and 4.1 before Update 1, VMware ESXi 4.x before 4.1 Update 1, and VMware ESX 4.x before 4.1 Update 1 does not have a digital signature, which might make it easier for remote attackers to spoof the software distribution via a Trojan horse installer.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Misc. NASL id VMWARE_VMSA-2011-0008_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A directory traversal vulnerability exists that allows a remote attacker to read arbitrary files. (CVE-2011-0426) - An information disclosure vulnerability exists due to insecure storage of SOAP sesion IDs in a log file. A local attacker can exploit this to disclose administrative user IDs. (CVE-2011-1788) - A digital signature verification weakness exists in the self-extracting installer in the vSphere Client Installer package. A remote attacker can exploit this to spoof the software distribution via a Trojan horse installer. (CVE-2011-1789) last seen 2020-06-01 modified 2020-06-02 plugin id 89677 published 2016-03-04 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89677 title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0008) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(89677); script_version("1.3"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id( "CVE-2011-0426", "CVE-2011-1788", "CVE-2011-1789" ); script_bugtraq_id( 47735, 47742, 47744 ); script_xref(name:"VMSA", value:"2011-0008"); script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0008) (remote check)"); script_summary(english:"Checks the ESX / ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESX / ESXi host is missing a security-related patch."); script_set_attribute(attribute:"description", value: "The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A directory traversal vulnerability exists that allows a remote attacker to read arbitrary files. (CVE-2011-0426) - An information disclosure vulnerability exists due to insecure storage of SOAP sesion IDs in a log file. A local attacker can exploit this to disclose administrative user IDs. (CVE-2011-1788) - A digital signature verification weakness exists in the self-extracting installer in the vSphere Client Installer package. A remote attacker can exploit this to spoof the software distribution via a Trojan horse installer. (CVE-2011-1789)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2011-0008"); script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2011/000137.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the vendor advisory that pertains to ESX version 4.0 or ESXi version 4.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/05"); script_set_attribute(attribute:"patch_publication_date", value:"2011/05/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"Misc."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); script_require_ports("Host/VMware/vsphere"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); port = get_kb_item_or_exit("Host/VMware/vsphere"); esx = ''; if ("ESX" >!< rel) audit(AUDIT_OS_NOT, "VMware ESX/ESXi"); extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver); if (isnull(extract)) audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi"); else { esx = extract[1]; ver = extract[2]; } # fixed build numbers are the same for ESX and ESXi fixes = make_array( "4.0", "360236" ); fix = FALSE; fix = fixes[ver]; # get the build before checking the fix for the most complete audit trail extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel); if (isnull(extract)) audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver); build = int(extract[1]); # if there is no fix in the array, fix is FALSE if (!fix) audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build); if (build < fix) { report = '\n Version : ' + esx + " " + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_WARNING); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0008.NASL description a. vCenter Server Directory Traversal vulnerability A directory traversal vulnerability allows an attacker to remotely retrieve files from vCenter Server without authentication. In order to exploit this vulnerability, the attacker will need to have access to the network on which the vCenter Server host resides. In case vCenter Server is installed on Windows 2008 or Windows 2008 R2, the security vulnerability is not present. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0426 to this issue. b. vCenter Server SOAP ID disclosure The SOAP session ID can be retrieved by any user that is logged in to vCenter Server. This might allow a local unprivileged user on vCenter Server to elevate his or her privileges. VMware would like to thank Claudio Criscione for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1788 to this issue. c. vSphere Client Installer package not digitally signed The digitally signed vSphere Client installer is packaged in a self-extracting installer package which is not digitally signed. As a result, when you run the install package file to extract and start installing, the vSphere Client installer may display a Windows warning message stating that the publisher of the install package cannot be verified. The vSphere Client Installer package of the following product versions is now digitally signed : vCenter Server 4.1 Update 1 vCenter Server 4.0 Update 3 ESXi 4.1 Update 1 ESXi 4.0 with patch ESXi400-201103402-SG ESX 4.1 Update 1 ESX 4.0 with patch ESX400-201103401-SG An install or update of the vSphere Client from these releases will not present a security warning from Windows. Note: typically the vSphere Client will request an update if the existing client is pointed at a newer version of vCenter or ESX. VMware Knowledge Base article 1021404 explains how the unsigned install package can be obtained in an alternative, secure way for an environment with VirtualCenter 2.5, ESXi/ESX 3.5 or ESX 3.0.3. VMware would like to thank Claudio Criscione for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1789 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 53840 published 2011-05-09 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/53840 title VMSA-2011-0008 : VMware vCenter Server and vSphere Client security vulnerabilities