Vulnerabilities > CVE-2012-1516 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in VMware ESX and ESXi

| CVSS v3 metric | Value |
|---|---|
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | LOW |
| Confidentiality impact | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |

Summary
The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers.
Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| OS | | 14 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution as per the attacker's choice.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Nessus
NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2012-0009.NASL
description: a. VMware host memory overwrite vulnerability (data pointers). Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected. OR - Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line : isolation.tools.vixMessage.disable = 'TRUE'.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 58977
published: 2012-05-04
reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/58977
title: VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2012-0009.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(58977);
  script_version("1.16");
  script_cvs_date("Date: 2018/08/07 11:56:11");

  script_cve_id("CVE-2012-1516", "CVE-2012-1517", "CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
  script_bugtraq_id(53369, 53371);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. VMware host memory overwrite vulnerability (data pointers)

Due to a flaw in the handler function for RPC commands, it is possible
to manipulate data pointers within the VMX process. This vulnerability
may allow a guest user to crash the VMX process or potentially execute
code on the host.

Workaround

- Configure virtual machines to use less than 4 GB of memory. Virtual
machines that have less than 4GB of memory are not affected.

OR

- Disable VIX messages from each guest VM by editing the configuration
file (.vmx) for the virtual machine as described in VMware Knowledge
Base article 1714. Add the following line :

isolation.tools.vixMessage.disable = 'TRUE'.

Note: This workaround is not valid for Workstation 7.x and Fusion 3.x

Mitigation

- Do not allow untrusted users access to your virtual machines. Root
or Administrator level permissions are not required to exploit this
issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-1516 to this issue.

VMware would like to thank Derek Soeder of Ridgeway Internet Security,
L.L.C. for reporting this issue to us.

b. VMware host memory overwrite vulnerability (function pointers)

Due to a flaw in the handler function for RPC commands, it is possible
to manipulate function pointers within the VMX process. This
vulnerability may allow a guest user to crash the VMX process or
potentially execute code on the host.

Workaround

- None identified

Mitigation

- Do not allow untrusted users access to your virtual machines. Root
or Administrator level permissions are not required to exploit this
issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-1517 to this issue.

VMware would like to thank Derek Soeder of Ridgeway Internet Security,
L.L.C. for reporting this issue to us.

c. ESX NFS traffic parsing vulnerability

Due to a flaw in the handling of NFS traffic, it is possible to
overwrite memory. This vulnerability may allow a user with access to
the network to execute code on the ESXi/ESX host without
authentication. The issue is not present in cases where there is no
NFS traffic.

Workaround

- None identified

Mitigation

- Connect only to trusted NFS servers
- Segregate the NFS network
- Harden your NFS server

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-2448 to this issue.

d. VMware floppy device out-of-bounds memory write

Due to a flaw in the virtual floppy configuration it is possible to
perform an out-of-bounds memory write. This vulnerability may allow a
guest user to crash the VMX process or potentially execute code on the
host.

Workaround

- Remove the virtual floppy drive from the list of virtual IO devices.
The VMware hardening guides recommend removing unused virtual IO
devices in general.

Mitigation

- Do not allow untrusted root users in your virtual machines. Root or
Administrator level permissions are required to exploit this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-2449 to this issue.

e. VMware SCSI device unchecked memory write

Due to a flaw in the SCSI device registration it is possible to
perform an unchecked write into memory. This vulnerability may allow a
guest user to crash the VMX process or potentially execute code on the
host.

Workaround

- Remove the virtual SCSI controller from the list of virtual IO
devices. The VMware hardening guides recommend removing unused virtual
IO devices in general.

Mitigation

- Do not allow untrusted root users access to your virtual machines.
Root or Administrator level permissions are required to exploit this
issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2012-2450 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2012/000182.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);

init_esx_check(date:"2012-05-03");
flag = 0;

# ESX: one check per affected release / patch bundle; later roll-up
# updates that already contain the fix are listed as patch_updates.
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201205401-SG")) flag++;

if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201105201-UG",
    patch_updates : make_list("ESX400-Update03", "ESX400-Update04")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201205401-SG",
    patch_updates : make_list("ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201110201-SG",
    patch_updates : make_list("ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201201401-SG",
    patch_updates : make_list("ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201205401-SG",
    patch_updates : make_list("ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;

# ESXi
if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201205401-I-SG")) flag++;

if (esx_check(ver:"ESXi 4.0", patch:"ESXi400-201105201-UG")) flag++;

if (
  esx_check(
    ver           : "ESXi 4.0",
    patch         : "ESXi400-201205401-SG",
    patch_updates : make_list("ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201110201-SG",
    patch_updates : make_list("ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update02", "ESXi410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201201401-SG",
    patch_updates : make_list("ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201205401-SG",
    patch_updates : make_list("ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
  )
) flag++;

# ESXi 5.0 is checked by VIB version rather than by patch bundle name.
if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.13.702118")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Windows
NASL id: VMWARE_WORKSTATION_MULTIPLE_VMSA_2012_0009.NASL
description: The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 59092
published: 2012-05-15
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/59092
title: VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59092);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)");
  script_summary(english:"Checks VMware Workstation version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The VMware Workstation install detected on the remote host is 7.x
earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore,
potentially affected by the following vulnerabilities :

  - Memory corruption errors exist related to the RPC
    commands handler function which could cause the
    application to crash or possibly allow an attacker to
    execute arbitrary code. Note that these errors only
    affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)

  - An error in the virtual floppy device configuration can
    allow out-of-bounds memory writes and can allow a guest
    user to crash the VMX process or potentially execute
    arbitrary code on the host. Note that root or
    administrator level privileges in the guest are required
    for successful exploitation along with the existence of
    a virtual floppy device in the guest. (CVE-2012-2449)

  - An error in the virtual SCSI device registration process
    can allow improper memory writes and can allow a guest
    user to crash the VMX process or potentially execute
    arbitrary code on the host. Note that root or
    administrator level privileges are required in the guest
    for successful exploitation along with the existence of
    a virtual SCSI device in the guest. (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
  # https://www.vmware.com/support/ws71/doc/releasenotes_ws716.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd5ac32f");
  # https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0a550479");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Workstation 7.1.6 / 8.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_workstation_detect.nasl");
  script_require_keys("SMB/Registry/Enumerated", "VMware/Workstation/Version");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");

version = get_kb_item_or_exit("VMware/Workstation/Version");

vulnerable = NULL;

# 7.x
if (version =~ '^7\\.')
{
  fix = '7.1.6';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

# 8.x
if (version =~ '^8\\.0')
{
  fix = '8.0.3';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

# ver_compare() returns a negative value when the installed version is
# older than the fix.
if (vulnerable < 0)
{
  port = kb_smb_transport();
  if (report_verbosity > 0)
  {
    report +=
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole();
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
```
NASL family: Misc.
NASL id: VMWARE_VMSA-2012-0009_REMOTE.NASL
description: The remote VMware ESX / ESXi host is affected by multiple vulnerabilities : - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517) - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448) - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 89035
published: 2016-02-29
reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/89035
title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89035);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2448",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369, 53371);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)");
  script_summary(english:"Checks the ESX / ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX / ESXi host is missing a security-related patch.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX / ESXi host is affected by multiple
vulnerabilities :

  - Multiple privilege escalation vulnerabilities exist due
    to improper handling of RPC commands. A local attacker
    (guest user) can exploit these to manipulate data and
    function pointers, resulting in a denial of service
    condition or the execution of arbitrary code on the host
    OS. (CVE-2012-1516, CVE-2012-1517)

  - A remote code execution vulnerability exists due to
    improper sanitization of user-supplied input when
    parsing NFS traffic. An unauthenticated, remote attacker
    can exploit this to corrupt memory, resulting in the
    execution of arbitrary code. (CVE-2012-2448)

  - Multiple privilege escalation vulnerabilities exist due
    to an error that occurs in virtual floppy devices and
    SCSI devices. A local attacker (guest user) can exploit
    these to cause an out-of-bounds write error, resulting
    in a denial of service condition or the execution of
    arbitrary code on the host OS. (CVE-2012-2449,
    CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory that
pertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 /
4.1 / 5.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");
  script_require_ports("Host/VMware/vsphere");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("Host/VMware/version");
release = get_kb_item_or_exit("Host/VMware/release");
port    = get_kb_item_or_exit("Host/VMware/vsphere");

# Version + build map
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508
fixes = make_array();
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019536
fixes["ESX 3.5"]  = 702112;
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019538
fixes["ESXi 3.5"] = 702112;
fixes["ESX 4.0"]  = 702116;
fixes["ESXi 4.0"] = 702116;
fixes["ESX 4.1"]  = 702113;
fixes["ESXi 4.1"] = 702113;
fixes["ESXi 5.0"] = 702118;

# The release banner looks like "VMware ESXi 4.1.0 build-NNNNNN";
# capture the product type and the build number.
matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release);
if (empty_or_null(matches))
  exit(1, 'Failed to extract the ESX / ESXi build number.');

type  = matches[1];
build = int(matches[2]);

fixed_build = fixes[version];

if (!isnull(fixed_build) && build < fixed_build)
{
  padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment
  report = '\n  ' + type + ' version' + padding + ': ' + version +
           '\n  Installed build : ' + build +
           '\n  Fixed build     : ' + fixed_build +
           '\n';
  security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
```
NASL family: Gain a shell remotely
NASL id: VMWARE_ESX_NFS_RCE.NASL
description: The remote VMware ESX/ESXi host is affected by the following security vulnerabilities : - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448) - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449) - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 59447
published: 2012-06-11
reporter: This script is (C) 2012-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/59447
title: VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The text of this plugin is (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(59447);
  script_version("1.6");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)");
  script_summary(english:"Checks ESX/ESXi version and build number");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX/ESXi host is affected by multiple security
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX/ESXi host is affected by the following security
vulnerabilities :

  - ESX NFS traffic parsing vulnerability: Due to a flaw in
    the handling of NFS traffic, it is possible to overwrite
    memory. This vulnerability may allow a user with access
    to the network to execute code on the ESXi/ESX host
    without authentication. The issue is not present in
    cases where there is no NFS traffic. (CVE-2012-2448)

  - VMware floppy device out-of-bounds memory write: Due to
    a flaw in the virtual floppy configuration it is
    possible to perform an out-of-bounds memory write. This
    vulnerability may allow a guest user to crash the VMX
    process or potentially execute code on the host. As a
    workaround, remove the virtual floppy drive from the
    list of virtual IO devices. The VMware hardening guides
    recommend removing unused virtual IO devices in general.
    Additionally, do not allow untrusted root users in your
    virtual machines. Root or Administrator level
    permissions are required to exploit this issue.
    (CVE-2012-2449)

  - VMware SCSI device unchecked memory write: Due to a flaw
    in the SCSI device registration it is possible to
    perform an unchecked write into memory. This
    vulnerability may allow a guest user to crash the VMX
    process or potentially execute code on the host. As a
    workaround, remove the virtual SCSI controller from the
    list of virtual IO devices. The VMware hardening guides
    recommend removing unused virtual IO devices in general.
    Additionally, do not allow untrusted root users access
    to your virtual machines. Root or Administrator level
    permissions are required to exploit this issue.
    (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000175.html");
  script_set_attribute(attribute:"solution", value:
"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is (C) 2012-2019 Tenable Network Security, Inc.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include('audit.inc');
include("global_settings.inc");
include('misc_func.inc');

# build number of the patched system
fix = make_array(
  "ESXi 5.0",   702118,
  "ESXi 4.1",   702113,
  "ESXi 4.0",   702116,
  "ESXi 3.5.0", 702112, # also fixes CVE-2012-1516
  "ESX 4.1",    702113,
  "ESX 4.0",    702116,
  "ESX 3.5.0",  702112  # also fixes CVE-2012-1516
);

ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");

# extract build number
match = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string: rel);
if (isnull(match)) exit(1, 'Cannot determine ESX/ESXi build number.');
build = match[1];

if (build < fix[ver])
{
  if (report_verbosity > 0)
  {
    if ("ESXi" >< rel)
    {
      line1 = "ESXi version";
      line2 = "ESXi release";
    }
    else
    {
      line1 = "ESX version ";
      line2 = "ESX release ";
    }
    report = '\n  ' + line1 + ' : ' + ver +
             '\n  ' + line2 + ' : ' + rel +
             '\n  Installed build : ' + build +
             '\n  Fixed build     : ' + fix[ver] +
             '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Windows |
NASL id | VMWARE_PLAYER_MULTIPLE_VMSA_2012_0009.NASL |
description | The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 59091 |
published | 2012-05-15 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/59091 |
title | VMware Player Multiple Vulnerabilities (VMSA-2012-0009) |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59091);
  script_version("1.6");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware Player Multiple Vulnerabilities (VMSA-2012-0009)");
  script_summary(english:"Checks VMware Player version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The VMware Player install detected on the remote host is 3.x earlier
than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially
affected by the following vulnerabilities :

  - Memory corruption errors exist related to the RPC commands
    handler function which could cause the application to
    crash or possibly allow an attacker to execute arbitrary
    code. Note that these errors only affect the 3.x branch.
    (CVE-2012-1516, CVE-2012-1517)

  - An error in the virtual floppy device configuration can
    allow out-of-bounds memory writes and can allow a guest
    user to crash the VMX process or potentially execute
    arbitrary code on the host. Note that root or
    administrator level privileges in the guest are required
    for successful exploitation along with the existence of a
    virtual floppy device in the guest. (CVE-2012-2449)

  - An error in the virtual SCSI device registration process
    can allow improper memory writes and can allow a guest
    user to crash the VMX process or potentially execute
    arbitrary code on the host. Note that root or
    administrator level privileges are required in the guest
    for successful exploitation along with the existence of a
    virtual SCSI device in the guest. (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
  # https://www.vmware.com/support/player31/doc/releasenotes_player316.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acb1cf3a");
  # https://www.vmware.com/support/player40/doc/releasenotes_player403.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?258456c3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Player 3.1.6 / 4.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:player");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_player_detect.nasl");
  script_require_keys("SMB/Registry/Enumerated", "VMware/Player/Version");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");

version = get_kb_item_or_exit("VMware/Player/Version");

# Only the 3.x and 4.0.x branches are checked; any other branch stays
# NULL and falls through to the "not vulnerable" audit below.
vulnerable = NULL;
if (version =~ '^3\\.')
{
  fix = '3.1.6';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}
if (version =~ '^4\\.0')
{
  fix = '4.0.3';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

if (vulnerable < 0)
{
  port = kb_smb_transport();
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole();
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Player", version);
Oval
accepted | 2013-07-29T04:00:50.302-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers. |
family | windows |
id | oval:org.mitre.oval:def:16810 |
status | accepted |
submitted | 2013-06-20T10:26:26.748+04:00 |
title | VMware host memory overwrite vulnerability (data pointers) |
version | 6 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/112479/vmware-backdoor.txt |
id | PACKETSTORM:112479 |
last seen | 2016-12-05 |
published | 2012-05-06 |
reporter | Derek Soeder |
source | https://packetstormsecurity.com/files/112479/VMware-Backdoor-Response-Uninitialized-Memory-Potential-VM-Break.html |
title | VMware Backdoor Response Uninitialized Memory Potential VM Break |
References
- http://www.securityfocus.com/bid/53369
- http://www.securitytracker.com/id?1027018
- http://www.vmware.com/security/advisories/VMSA-2012-0009.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75373
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16810