Vulnerabilities > CVE-2011-2146 - Information Exposure vulnerability in VMware products

CVSS 2.1 - LOW

Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: local, low complexity, vmware, CWE-200, nessus

Summary

mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to determine the existence of host OS files and directories via unspecified vectors.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, in what the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server, such that communication directly to the server is possible while the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including its version, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Windows
    NASL id: VMWARE_MULTIPLE_VMSA_2011_0009.NASL
    description: A VMware product (Player or Workstation) detected on the remote host has multiple vulnerabilities in the Host Guest File System : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54996
    published: 2011-06-08
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54996
    title: VMware Products Multiple Vulnerabilities (VMSA-2011-0009)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(54996);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/24 15:02:54");
    
      script_cve_id("CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
      script_bugtraq_id(48098);
      script_xref(name:"VMSA", value:"2011-0009");
    
      script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2011-0009)");
      script_summary(english:"Checks vulnerable versions of VMware products");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has a virtualization application affected by multiple
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "A VMware product (Player or Workstation) detected on the remote host
    has multiple vulnerabilities in the Host Guest File System :
    
      - An attacker with access to a Guest operating system can
        determine if a path exists in the Host filesystem and
        whether it's a file or a directory regardless of
        permissions. (CVE-2011-2146)
    
      - A race condition in mount.vmhgfs may allow an attacker
        with access to a Guest to mount on arbitrary directories
        in the Guest filesystem and escalate their privileges if
        they can control the contents of the mounted directory.
        (CVE-2011-1787)
    
      - A procedural error allows an attacker with access to a
        Solaris or FreeBSD Guest operating system to gain write
        access to an arbitrary file in the Guest filesystem.
        (CVE-2011-2145)
    
    These vulnerabilities only affect non-Windows guest operating systems."
      );
      script_set_attribute(attribute:"see_also",value:"http://www.vmware.com/security/advisories/VMSA-2011-0009.html");
      script_set_attribute(attribute:"see_also",value:"http://lists.vmware.com/pipermail/security-announce/2011/000141.html");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to :
    
      - VMware Workstation 7.1.4 or later.
      - VMware Player 3.1.4 or later.
    
    In addition to patching, VMware Tools must be updated on all non-
    Windows guest VMs in order to completely mitigate certain
    vulnerabilities.  Refer to the VMware advisory for more information."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"patch_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/08");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:workstation");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_workstation_detect.nasl", "vmware_player_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports("VMware/Workstation/Version", "VMware/Player/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    
    
    port = kb_smb_transport();
    report = "";
    
    # Check for VMware Workstation
    version = get_kb_item("VMware/Workstation/Version");
    if (version)
    {
      fix = '7.1.4';
    
      if (version =~ '^7\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report += 
          '\n  Product           : VMware Workstation'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    # Check for VMware Player
    version = get_kb_item("VMware/Player/Version");
    if (version)
    {
      fix = '3.1.4';
    
      if (version =~ '^3\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report +=
          '\n  Product           : VMware Player'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    if (!report) exit(0, "The host is not affected.");
    
    if (report_verbosity > 0)
      security_hole(port:port, extra:report);
    else
      security_hole();
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_LIBVMTOOLS-DEVEL-110608.NASL
    description: This update of open-vm-tools fixes the following vulnerabilities, which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75932
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75932
    title: openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update libvmtools-devel-4693.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75932);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2011-1681", "CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
    
      script_name(english:"openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)");
      script_summary(english:"Check for the libvmtools-devel-4693 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of open-vm-tools fixes the following vulnerabilities which
    allowed an attacker to gain root privileges within the guest system :
    
      - CVE-2011-1681
    
      - CVE-2011-2146
    
      - CVE-2011-1787
    
      - CVE-2011-2145"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=673267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=690491"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-06/msg00018.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libvmtools-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools-devel-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debugsource-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "open-vm-tools");
    }
    
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2011-0009_REMOTE.NASL
    description: The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities :
      - A flaw exists in the Linux Kernel in the do_anonymous_page() function due to improper separation of the stack and the heap. An attacker can exploit this to execute arbitrary code. (CVE-2010-2240)
      - A packet filter bypass exists in the Linux Kernel e1000 driver due to processing trailing payload data as a complete frame. A remote attacker can exploit this to bypass packet filters via a large packet with a crafted payload. (CVE-2009-4536)
      - A use-after-free error exists in the Linux Kernel when IPV6_RECVPKTINFO is set on a listening socket. A remote attacker can exploit this, via a SYN packet while the socket is in a listening (TCP_LISTEN) state, to cause a kernel panic, resulting in a denial of service condition. (CVE-2010-1188)
      - An array index error exists in the Linux Kernel in the gdth_read_event() function. A local attacker can exploit this, via a negative event index in an IOCTL request, to cause a denial of service condition. (CVE-2009-3080)
      - A race condition exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to gain privileges by mounting a filesystem on top of an arbitrary directory. (CVE-2011-1787)
      - A flaw exists in the VMware Host Guest File System (HGFS) that allows a Solaris or FreeBSD guest operating system user to modify arbitrary guest operating system files. (CVE-2011-2145)
      - A flaw exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to disclose host operating system files and directories. (CVE-2011-2146)
      - A flaw exists in the bundled Tom Sawyer GET Extension Factory that allows a remote attacker to cause a denial of service condition or the execution of arbitrary code via a crafted HTML document. (CVE-2011-2217)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89678
    published: 2016-03-04
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89678
    title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_LIBVMTOOLS-DEVEL-110607.NASL
    description: This update of open-vm-tools fixes the following vulnerabilities, which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75626
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75626
    title: openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2011-0009.NASL
    description:
      a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass
         There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
      b. ESX third-party update for Service Console kernel
         This update for the console OS kernel package resolves four security issues.
         1) IPv4 Remote Denial of Service: A remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.
         2) SCSI Driver Denial of Service / Possible Privilege Escalation: A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.
         3) Kernel Memory Management Arbitrary Code Execution: A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.
         4) e1000 Driver Packet Filter Bypass: There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
      c. Multiple vulnerabilities in mount.vmhgfs
         This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.
         1) Mount.vmhgfs Information Disclosure: Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.
         2) Mount.vmhgfs Race Condition: Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.
         3) Mount.vmhgfs Privilege Escalation: Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.
         VMware would like to thank Dan Rosenberg for reporting these issues.
      d. VI Client ActiveX vulnerabilities
         VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54968
    published: 2011-06-06
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54968
    title: VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FUSION_3_1_3.NASL
    description: The version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.3. As such, it is reportedly affected by the following three security vulnerabilities : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54974
    published: 2011-06-06
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54974
    title: VMware Fusion < 3.1.3 (VMSA-2011-0009 / VMSA-2011-0011)