CVE-2012-1516 - Buffer Errors vulnerability in VMware ESX and ESXi

CVSS 9.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, vmware, CWE-119, critical, nessus

Summary

The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers.

Vulnerable Configurations

Part | Description | Count
-----|-------------|------
OS   | Vmware      | 14

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2012-0009.NASL
    description: a. VMware host memory overwrite vulnerability (data pointers) Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected. OR - Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line : isolation.tools.vixMessage.disable =
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58977
    published: 2012-05-04
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58977
    title: VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2012-0009. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58977);
      script_version("1.16");
      script_cvs_date("Date: 2018/08/07 11:56:11");
    
      script_cve_id("CVE-2012-1516", "CVE-2012-1517", "CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
      script_bugtraq_id(53369, 53371);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi / ESX host is missing one or more
    security-related patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. VMware host memory overwrite vulnerability (data pointers)
    
       Due to a flaw in the handler function for RPC commands, it is
       possible to manipulate data pointers within the VMX process.
       This vulnerability may allow a guest user to crash the VMX
       process or potentially execute code on the host.
    
       Workaround
    
       - Configure virtual machines to use less than 4 GB of memory.
         Virtual machines that have less than 4GB of memory are not
         affected.
    
         OR
    
       - Disable VIX messages from each guest VM by editing the
         configuration file (.vmx) for the virtual machine as described
         in VMware Knowledge Base article 1714. Add the following line :
         isolation.tools.vixMessage.disable = 'TRUE'.
         Note: This workaround is not valid for Workstation 7.x and
               Fusion 3.x
    
       Mitigation
    
       - Do not allow untrusted users access to your virtual machines.
         Root or Administrator level permissions are not required to
         exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-1516 to this issue.
    
       VMware would like to thank Derek Soeder of Ridgeway Internet
       Security, L.L.C. for reporting this issue to us.
    
    b. VMware host memory overwrite vulnerability (function pointers)
    
       Due to a flaw in the handler function for RPC commands, it is
       possible to manipulate function pointers within the VMX process.
       This vulnerability may allow a guest user to crash the VMX
       process or potentially execute code on the host.
    
       Workaround
    
       - None identified
    
       Mitigation
    
       - Do not allow untrusted users access to your virtual machines.
         Root or Administrator level permissions are not required to
         exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-1517 to this issue.
    
       VMware would like to thank Derek Soeder of Ridgeway Internet
       Security, L.L.C. for reporting this issue to us.
    
    c. ESX NFS traffic parsing vulnerability
    
       Due to a flaw in the handling of NFS traffic, it is possible to
       overwrite memory. This vulnerability may allow a user with
       access to the network to execute code on the ESXi/ESX host
       without authentication. The issue is not present in cases where
       there is no NFS traffic.
    
       Workaround
       - None identified
    
       Mitigation
       - Connect only to trusted NFS servers
       - Segregate the NFS network
       - Harden your NFS server
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2448 to this issue.
    
    d. VMware floppy device out-of-bounds memory write
    
       Due to a flaw in the virtual floppy configuration it is possible
       to perform an out-of-bounds memory write. This vulnerability may
       allow a guest user to crash the VMX process or potentially
       execute code on the host.
    
       Workaround
    
       - Remove the virtual floppy drive from the list of virtual IO
         devices. The VMware hardening guides recommend removing unused
         virtual IO devices in general.
    
       Mitigation
    
       - Do not allow untrusted root users in your virtual
         machines. Root or Administrator level permissions are required
         to exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2449 to this issue.
    
    e. VMware SCSI device unchecked memory write
    
       Due to a flaw in the SCSI device registration it is possible to
       perform an unchecked write into memory. This vulnerability may
       allow a guest user to crash the VMX process or potentially
       execute code on the host.
    
       Workaround
    
       - Remove the virtual SCSI controller from the list of virtual IO
         devices. The VMware hardening guides recommend removing unused
         virtual IO devices in general.
    
       Mitigation
    
       - Do not allow untrusted root users access to your virtual
         machines.  Root or Administrator level permissions are
         required to exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2450 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2012/000182.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2012-05-03");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201205401-SG")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201105201-UG",
        patch_updates : make_list("ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201205401-SG",
        patch_updates : make_list("ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201110201-SG",
        patch_updates : make_list("ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201201401-SG",
        patch_updates : make_list("ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201205401-SG",
        patch_updates : make_list("ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
      )
    ) flag++;
    
    if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201205401-I-SG")) flag++;
    
    if (esx_check(ver:"ESXi 4.0", patch:"ESXi400-201105201-UG")) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.0",
        patch         : "ESXi400-201205401-SG",
        patch_updates : make_list("ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201110201-SG",
        patch_updates : make_list("ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update02", "ESXi410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201201401-SG",
        patch_updates : make_list("ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201205401-SG",
        patch_updates : make_list("ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
      )
    ) flag++;
    
    if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.13.702118")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows
    NASL id: VMWARE_WORKSTATION_MULTIPLE_VMSA_2012_0009.NASL
    description: The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59092
    published: 2012-05-15
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59092
    title: VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(59092);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id(
        "CVE-2012-1516",
        "CVE-2012-1517",
        "CVE-2012-2449",
        "CVE-2012-2450"
      );
      script_bugtraq_id(53369);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)");
      script_summary(english:"Checks VMware Workstation version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a virtualization application that is affected by 
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The VMware Workstation install detected on the remote host is 7.x
    earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore,
    potentially affected by the following vulnerabilities :
    
      - Memory corruption errors exist related to the
        RPC commands handler function which could cause the
        application to crash or possibly allow an attacker to
        execute arbitrary code. Note that these errors only
        affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)
    
      - An error in the virtual floppy device configuration
        can allow out-of-bounds memory writes and can allow
        a guest user to crash the VMX process or potentially
        execute arbitrary code on the host. Note that root or
        administrator level privileges in the guest are required
        for successful exploitation along with the existence of
        a virtual floppy device in the guest. (CVE-2012-2449)
    
      - An error in the virtual SCSI device registration
        process can allow improper memory writes and can allow
        a guest user to crash the VMX process or potentially
        execute arbitrary code on the host. Note that root or
        administrator level privileges are required in the
        guest for successful exploitation along with the
        existence of a virtual SCSI device in the guest.
        (CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
      # https://www.vmware.com/support/ws71/doc/releasenotes_ws716.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd5ac32f");
      # https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0a550479");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation 7.1.6 / 8.0.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated", "VMware/Workstation/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("audit.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    
    
    version = get_kb_item_or_exit("VMware/Workstation/Version");
    
    vulnerable = NULL;
    
    # 7.x
    if (version =~ '^7\\.')
    {
      fix = '7.1.6';
      vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
    }
    
    # 8.x
    if (version =~ '^8\\.0')
    {
      fix = '8.0.3';
      vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
    }
    
    if (vulnerable < 0)
    {
      port = kb_smb_transport();
    
      if (report_verbosity > 0)
      {
        report += 
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole();
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
    
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2012-0009_REMOTE.NASL
    description: The remote VMware ESX / ESXi host is affected by multiple vulnerabilities : - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517) - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448) - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89035
    published: 2016-02-29
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89035
    title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(89035);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2012-1516",
        "CVE-2012-1517",
        "CVE-2012-2448",
        "CVE-2012-2449",
        "CVE-2012-2450"
      );
      script_bugtraq_id(53369, 53371);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)");
      script_summary(english:"Checks the ESX / ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESX / ESXi host is missing a security-related patch.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX / ESXi host is affected by multiple
    vulnerabilities :
    
      - Multiple privilege escalation vulnerabilities exist due
        to improper handling of RPC commands. A local attacker
        (guest user) can exploit these to manipulate data and
        function pointers, resulting in a denial of service
        condition or the execution of arbitrary code on the host
        OS. (CVE-2012-1516, CVE-2012-1517)
    
      - A remote code execution vulnerability exists due to
        improper sanitization of user-supplied input when
        parsing NFS traffic. An unauthenticated, remote attacker
        can exploit this to corrupt memory, resulting in the
        execution of arbitrary code. (CVE-2012-2448)
    
      - Multiple privilege escalation vulnerabilities exist due
        to an error that occurs in virtual floppy devices and
        SCSI devices. A local attacker (guest user) can exploit
        these to cause an out-of-bounds write error, resulting
        in a denial of service condition or the execution of
        arbitrary code on the host OS. (CVE-2012-2449,
        CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory that
    pertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 /
    4.1 / 5.0.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
      script_require_ports("Host/VMware/vsphere");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/VMware/version");
    release = get_kb_item_or_exit("Host/VMware/release");
    port    = get_kb_item_or_exit("Host/VMware/vsphere");
    
    # Version + build map
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508
    fixes = make_array();
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019536
    fixes["ESX 3.5"]  = 702112;
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019538
    fixes["ESXi 3.5"] = 702112;
    fixes["ESX 4.0"]  = 702116;
    fixes["ESXi 4.0"] = 702116;
    fixes["ESX 4.1"]  = 702113;
    fixes["ESXi 4.1"] = 702113;
    fixes["ESXi 5.0"] = 702118;
    
    matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release);
    if (empty_or_null(matches))
      exit(1, 'Failed to extract the ESX / ESXi build number.');
    
    type  = matches[1];
    build = int(matches[2]);
    
    fixed_build = fixes[version];
    
    if (!isnull(fixed_build) && build < fixed_build)
    {
      padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment
     
      report = '\n  ' + type + ' version' + padding + ': ' + version +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
    
      security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
    }
    else
      audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
    
  • NASL family: Gain a shell remotely
    NASL id: VMWARE_ESX_NFS_RCE.NASL
    description: The remote VMware ESX/ESXi host is affected by the following security vulnerabilities : - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448) - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449) - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59447
    published: 2012-06-11
    reporter: This script is (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59447
    title: VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text of this plugin is (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59447);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)");
      script_summary(english:"Checks ESX/ESXi version and build number");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESX/ESXi host is affected by multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX/ESXi host is affected by the following security
    vulnerabilities :
    
      - ESX NFS traffic parsing vulnerability:
        Due to a flaw in the handling of NFS traffic, it is
        possible to overwrite memory. This vulnerability may
        allow a user with access to the network to execute code
        on the ESXi/ESX host without authentication. The issue
        is not present in cases where there is no NFS traffic.
        (CVE-2012-2448)
    
      - VMware floppy device out-of-bounds memory write:
        Due to a flaw in the virtual floppy configuration it is
        possible to perform an out-of-bounds memory write. This
        vulnerability may allow a guest user to crash the VMX
        process or potentially execute code on the host. As a
        workaround, remove the virtual floppy drive from the
        list of virtual IO devices. The VMware hardening guides
        recommend removing unused virtual IO devices in general.
        Additionally, do not allow untrusted root users in your
        virtual machines. Root or Administrator level
        permissions are required to exploit this issue.
        (CVE-2012-2449)
    
      - VMware SCSI device unchecked memory write:
        Due to a flaw in the SCSI device registration it is
        possible to perform an unchecked write into memory.
        This vulnerability may allow a guest user to crash the
        VMX process or potentially execute code on the host. As
        a workaround, remove the virtual SCSI controller from
        the list of virtual IO devices. The VMware hardening
        guides recommend removing unused virtual IO devices in
        general. Additionally, do not allow untrusted root users
        access to your virtual machines. Root or Administrator
        level permissions are required to exploit this issue.
        (CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000175.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/11");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is (C) 2012-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include('audit.inc');
    include("global_settings.inc");
    include('misc_func.inc');
    
    # build number of the patched system
    fix = make_array(
      "ESXi 5.0", 702118,
      "ESXi 4.1", 702113,
      "ESXi 4.0", 702116,
      "ESXi 3.5.0", 702112, # also fixes CVE-2012-1516
      "ESX 4.1",  702113,
      "ESX 4.0",  702116,
      "ESX 3.5.0",  702112);# also fixes CVE-2012-1516
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    # extract build number
    match = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string: rel);
    if(isnull(match)) exit(1, 'Cannot determine ESX/ESXi build number.');
    
    build = match[1];
    
    if(build < fix[ver])
    {
      if (report_verbosity > 0)
      {
        if ("ESXi" >< rel)
        {
          line1 = "ESXi version";
          line2 = "ESXi release";
        }
        else
        {
          line1 = "ESX version ";
          line2 = "ESX release ";
        }
    
        report = '\n  ' + line1 + '      : ' + ver +
                 '\n  ' + line2 + '      : ' + rel +
                 '\n  Installed build   : ' + build +
                 '\n  Fixed build       : ' + fix[ver] +
                 '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows
    NASL id: VMWARE_PLAYER_MULTIPLE_VMSA_2012_0009.NASL
    description: The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59091
    published: 2012-05-15
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59091
    title: VMware Player Multiple Vulnerabilities (VMSA-2012-0009)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(59091);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id(
        "CVE-2012-1516",
        "CVE-2012-1517",
        "CVE-2012-2449",
        "CVE-2012-2450"
      );
      script_bugtraq_id(53369);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMware Player Multiple Vulnerabilities (VMSA-2012-0009)");
      script_summary(english:"Checks VMware Player version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a virtualization application affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The VMware Player install detected on the remote host is 3.x earlier
    than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore,  potentially
    affected by the following vulnerabilities :
    
      - Memory corruption errors exist related to the
        RPC commands handler function which could cause the
        application to crash or possibly allow an attacker to
        execute arbitrary code. Note that these errors only
        affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)
    
      - An error in the virtual floppy device configuration
        can allow out-of-bounds memory writes and can allow
        a guest user to crash the VMX process or potentially
        execute arbitrary code on the host. Note that root or
        administrator level privileges in the guest are required
        for successful exploitation along with the existence of
        a virtual floppy device in the guest. (CVE-2012-2449)
    
      - An error in the virtual SCSI device registration
        process can allow improper memory writes and can allow
        a guest user to crash the VMX process or potentially
        execute arbitrary code on the host. Note that root or
        administrator level privileges are required in the
        guest for successful exploitation along with the
        existence of a virtual SCSI device in the guest.
        (CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
      # https://www.vmware.com/support/player31/doc/releasenotes_player316.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acb1cf3a");
      # https://www.vmware.com/support/player40/doc/releasenotes_player403.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?258456c3");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Player 3.1.6 / 4.0.3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_player_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated", "VMware/Player/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("audit.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    
    
    version = get_kb_item_or_exit("VMware/Player/Version");
    
    vulnerable = NULL;
    
    if (version =~ '^3\\.')
    {
      fix = '3.1.6';
      vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
    }
    
    if (version =~ '^4\\.0')
    {
      fix = '4.0.3';
      vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
    }
    
    if (vulnerable < 0)
    {
      port = kb_smb_transport();
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole();
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware Player", version);
    

Oval

accepted: 2013-07-29T04:00:50.302-04:00
class: vulnerability
contributors
name: Maria Kedovskaya
organization: ALTX-SOFT
definition_extensions
  • comment: VMware Workstation is installed
    oval: oval:org.mitre.oval:def:16277
  • comment: VMware Player is installed
    oval: oval:org.mitre.oval:def:17194
description: The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers.
family: windows
id: oval:org.mitre.oval:def:16810
status: accepted
submitted: 2013-06-20T10:26:26.748+04:00
title: VMware host memory overwrite vulnerability (data pointers)
version: 6

Packetstorm

data source: https://packetstormsecurity.com/files/download/112479/vmware-backdoor.txt
id: PACKETSTORM:112479
last seen: 2016-12-05
published: 2012-05-06
reporter: Derek Soeder
source: https://packetstormsecurity.com/files/112479/VMware-Backdoor-Response-Uninitialized-Memory-Potential-VM-Break.html
title: VMware Backdoor Response Uninitialized Memory Potential VM Break