CVE-2012-2448 - Buffer Errors vulnerability in VMware ESX and ESXi

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, vmware, CWE-119, nessus

Summary

VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via NFS traffic.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2012-0009.NASL
    description: a. VMware host memory overwrite vulnerability (data pointers) Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected. OR - Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line : isolation.tools.vixMessage.disable =
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 58977
    published: 2012-05-04
    reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58977
    title: VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2012-0009. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58977);
      script_version("1.16");
      script_cvs_date("Date: 2018/08/07 11:56:11");
    
      script_cve_id("CVE-2012-1516", "CVE-2012-1517", "CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
      script_bugtraq_id(53369, 53371);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi / ESX host is missing one or more
    security-related patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. VMware host memory overwrite vulnerability (data pointers)
    
       Due to a flaw in the handler function for RPC commands, it is
       possible to manipulate data pointers within the VMX process.
       This vulnerability may allow a guest user to crash the VMX
       process or potentially execute code on the host.
    
       Workaround
    
       - Configure virtual machines to use less than 4 GB of memory.
         Virtual machines that have less than 4GB of memory are not
         affected.
    
         OR
    
       - Disable VIX messages from each guest VM by editing the
         configuration file (.vmx) for the virtual machine as described
         in VMware Knowledge Base article 1714. Add the following line :
         isolation.tools.vixMessage.disable = 'TRUE'.
         Note: This workaround is not valid for Workstation 7.x and
               Fusion 3.x
    
       Mitigation
    
       - Do not allow untrusted users access to your virtual machines.
         Root or Administrator level permissions are not required to
         exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-1516 to this issue.
    
       VMware would like to thank Derek Soeder of Ridgeway Internet
       Security, L.L.C. for reporting this issue to us.
    
    b. VMware host memory overwrite vulnerability (function pointers)
    
       Due to a flaw in the handler function for RPC commands, it is
       possible to manipulate function pointers within the VMX process.
       This vulnerability may allow a guest user to crash the VMX
       process or potentially execute code on the host.
    
       Workaround
    
       - None identified
    
       Mitigation
    
       - Do not allow untrusted users access to your virtual machines.
         Root or Administrator level permissions are not required to
         exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-1517 to this issue.
    
       VMware would like to thank Derek Soeder of Ridgeway Internet
       Security, L.L.C. for reporting this issue to us.
    
    c. ESX NFS traffic parsing vulnerability
    
       Due to a flaw in the handling of NFS traffic, it is possible to
       overwrite memory. This vulnerability may allow a user with
       access to the network to execute code on the ESXi/ESX host
       without authentication. The issue is not present in cases where
       there is no NFS traffic.
    
       Workaround
       - None identified
    
       Mitigation
       - Connect only to trusted NFS servers
       - Segregate the NFS network
       - Harden your NFS server
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2448 to this issue.
    
    d. VMware floppy device out-of-bounds memory write
    
       Due to a flaw in the virtual floppy configuration it is possible
       to perform an out-of-bounds memory write. This vulnerability may
       allow a guest user to crash the VMX process or potentially
       execute code on the host.
    
       Workaround
    
       - Remove the virtual floppy drive from the list of virtual IO
         devices. The VMware hardening guides recommend removing unused
         virtual IO devices in general.
    
       Mitigation
    
       - Do not allow untrusted root users in your virtual
         machines. Root or Administrator level permissions are required
         to exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2449 to this issue.
    
    e. VMware SCSI device unchecked memory write
    
       Due to a flaw in the SCSI device registration it is possible to
       perform an unchecked write into memory. This vulnerability may
       allow a guest user to crash the VMX process or potentially
       execute code on the host.
    
       Workaround
    
       - Remove the virtual SCSI controller from the list of virtual IO
         devices. The VMware hardening guides recommend removing unused
         virtual IO devices in general.
    
       Mitigation
    
       - Do not allow untrusted root users access to your virtual
         machines.  Root or Administrator level permissions are
         required to exploit this issue.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2012-2450 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2012/000182.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2012-05-03");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201205401-SG")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201105201-UG",
        patch_updates : make_list("ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-201205401-SG",
        patch_updates : make_list("ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201110201-SG",
        patch_updates : make_list("ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201201401-SG",
        patch_updates : make_list("ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 4.1",
        patch         : "ESX410-201205401-SG",
        patch_updates : make_list("ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
      )
    ) flag++;
    
    if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201205401-I-SG")) flag++;
    
    if (esx_check(ver:"ESXi 4.0", patch:"ESXi400-201105201-UG")) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.0",
        patch         : "ESXi400-201205401-SG",
        patch_updates : make_list("ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201110201-SG",
        patch_updates : make_list("ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update02", "ESXi410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201201401-SG",
        patch_updates : make_list("ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESXi 4.1",
        patch         : "ESXi410-201205401-SG",
        patch_updates : make_list("ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
      )
    ) flag++;
    
    if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.13.702118")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Misc.
    NASL id: VMWARE_VMSA-2012-0009_REMOTE.NASL
    description: The remote VMware ESX / ESXi host is affected by multiple vulnerabilities : - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517) - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448) - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 89035
    published: 2016-02-29
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89035
    title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(89035);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2012-1516",
        "CVE-2012-1517",
        "CVE-2012-2448",
        "CVE-2012-2449",
        "CVE-2012-2450"
      );
      script_bugtraq_id(53369, 53371);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)");
      script_summary(english:"Checks the ESX / ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESX / ESXi host is missing a security-related patch.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX / ESXi host is affected by multiple
    vulnerabilities :
    
      - Multiple privilege escalation vulnerabilities exist due
        to improper handling of RPC commands. A local attacker
        (guest user) can exploit these to manipulate data and
        function pointers, resulting in a denial of service
        condition or the execution of arbitrary code on the host
        OS. (CVE-2012-1516, CVE-2012-1517)
    
      - A remote code execution vulnerability exists due to
        improper sanitization of user-supplied input when
        parsing NFS traffic. An unauthenticated, remote attacker
        can exploit this to corrupt memory, resulting in the
        execution of arbitrary code. (CVE-2012-2448)
    
      - Multiple privilege escalation vulnerabilities exist due
        to an error that occurs in virtual floppy devices and
        SCSI devices. A local attacker (guest user) can exploit
        these to cause an out-of-bounds write error, resulting
        in a denial of service condition or the execution of
        arbitrary code on the host OS. (CVE-2012-2449,
        CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the vendor advisory that
    pertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 /
    4.1 / 5.0.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
      script_require_ports("Host/VMware/vsphere");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/VMware/version");
    release = get_kb_item_or_exit("Host/VMware/release");
    port    = get_kb_item_or_exit("Host/VMware/vsphere");
    
    # Version + build map
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508
    fixes = make_array();
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019536
    fixes["ESX 3.5"]  = 702112;
    # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019538
    fixes["ESXi 3.5"] = 702112;
    fixes["ESX 4.0"]  = 702116;
    fixes["ESXi 4.0"] = 702116;
    fixes["ESX 4.1"]  = 702113;
    fixes["ESXi 4.1"] = 702113;
    fixes["ESXi 5.0"] = 702118;
    
    matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release);
    if (empty_or_null(matches))
      exit(1, 'Failed to extract the ESX / ESXi build number.');
    
    type  = matches[1];
    build = int(matches[2]);
    
    fixed_build = fixes[version];
    
    if (!isnull(fixed_build) && build < fixed_build)
    {
      padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment
     
      report = '\n  ' + type + ' version' + padding + ': ' + version +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
    
      security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
    }
    else
      audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
    
  • NASL family: Gain a shell remotely
    NASL id: VMWARE_ESX_NFS_RCE.NASL
    description: The remote VMware ESX/ESXi host is affected by the following security vulnerabilities : - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448) - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449) - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59447
    published: 2012-06-11
    reporter: This script is (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59447
    title: VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text of this plugin is (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59447);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/04");
    
      script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)");
      script_summary(english:"Checks ESX/ESXi version and build number");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESX/ESXi host is affected by multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESX/ESXi host is affected by the following security
    vulnerabilities :
    
      - ESX NFS traffic parsing vulnerability:
        Due to a flaw in the handling of NFS traffic, it is
        possible to overwrite memory. This vulnerability may
        allow a user with access to the network to execute code
        on the ESXi/ESX host without authentication. The issue
        is not present in cases where there is no NFS traffic.
        (CVE-2012-2448)
    
      - VMware floppy device out-of-bounds memory write:
        Due to a flaw in the virtual floppy configuration it is
        possible to perform an out-of-bounds memory write. This
        vulnerability may allow a guest user to crash the VMX
        process or potentially execute code on the host. As a
        workaround, remove the virtual floppy drive from the
        list of virtual IO devices. The VMware hardening guides
        recommend removing unused virtual IO devices in general.
        Additionally, do not allow untrusted root users in your
        virtual machines. Root or Administrator level
        permissions are required to exploit this issue.
        (CVE-2012-2449)
    
      - VMware SCSI device unchecked memory write:
        Due to a flaw in the SCSI device registration it is
        possible to perform an unchecked write into memory.
        This vulnerability may allow a guest user to crash the
        VMX process or potentially execute code on the host. As
        a workaround, remove the virtual SCSI controller from
        the list of virtual IO devices. The VMware hardening
        guides recommend removing unused virtual IO devices in
        general. Additionally, do not allow untrusted root users
        access to your virtual machines. Root or Administrator
        level permissions are required to exploit this issue.
        (CVE-2012-2450)");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000175.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/11");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is (C) 2012-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include('audit.inc');
    include("global_settings.inc");
    include('misc_func.inc');
    
    # build number of the patched system
    fix = make_array(
      "ESXi 5.0", 702118,
      "ESXi 4.1", 702113,
      "ESXi 4.0", 702116,
      "ESXi 3.5.0", 702112, # also fixes CVE-2012-1516
      "ESX 4.1",  702113,
      "ESX 4.0",  702116,
      "ESX 3.5.0",  702112);# also fixes CVE-2012-1516
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    # extract build number from the release banner, e.g. "VMware ESXi 5.0.0 build-623860"
    match = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string: rel);
    if(isnull(match)) exit(1, 'Cannot determine ESX/ESXi build number.');
    
    # convert to an integer so the comparison below is numeric, as in the
    # other VMSA-2012-0009 remote checks, rather than a string comparison
    build = int(match[1]);
    
    if(build < fix[ver])
    {
      if (report_verbosity > 0)
      {
        if ("ESXi" >< rel)
        {
          line1 = "ESXi version";
          line2 = "ESXi release";
        }
        else
        {
          line1 = "ESX version ";
          line2 = "ESX release ";
        }
    
        report = '\n  ' + line1 + '      : ' + ver +
                 '\n  ' + line2 + '      : ' + rel +
                 '\n  Installed build   : ' + build +
                 '\n  Fixed build       : ' + fix[ver] +
                 '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Misc.
    NASL id: VMWARE_ESXI_5_0_BUILD_702118_REMOTE.NASL
    description: The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities : - An error exists related to NFS traffic handling that could allow memory corruption leading to execution of arbitrary code. (CVE-2012-2448) - Out-of-bounds write errors exist related to virtual floppy disc devices and virtual SCSI devices that could allow local privilege escalation. (CVE-2012-2449, CVE-2012-2450)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 70882
    published: 2013-11-13
    reporter: This script is (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/70882
    title: ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70882);
      script_version("1.5");
      script_cvs_date("Date: 2018/08/06 14:03:14");
    
      script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
      script_bugtraq_id(53369, 53371);
      script_xref(name:"VMSA", value:"2012-0009");
    
      script_name(english:"ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)");
      script_summary(english:"Checks ESXi version and build number");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 5.0 host is affected by multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESXi 5.0 host is affected by the following security
    vulnerabilities :
    
      - An error exists related to NFS traffic handling that
        could allow memory corruption leading to execution of
        arbitrary code. (CVE-2012-2448)
    
      - Out-of-bounds write errors exist related to virtual
        floppy disc devices and virtual SCSI devices that could
        allow local privilege escalation. (CVE-2012-2449,
        CVE-2012-2450)");
      # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2019857
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?da8aca2a");
      script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi500-201205401-SG. Alternatively, implement the
    workaround referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/13");
    
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is (C) 2013-2018 Tenable Network Security, Inc.");
      script_family(english:"Misc.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 5.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.0");
    
    match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) exit(1, 'Failed to extract the ESXi build number.');
    
    build = int(match[1]);
    fixed_build = 702118;
    
    if (build < fixed_build)
    {
      if (report_verbosity > 0)
      {
        report = '\n  ESXi version    : ' + ver +
                 '\n  Installed build : ' + build +
                 '\n  Fixed build     : ' + fixed_build +
                 '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
    }
    else exit(0, "The host has "+ver+" build "+build+" and thus is not affected.");
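The three remote-check plugins above (89035, 59447 and 70882) make the same decision: extract the build number from the ESX/ESXi release banner and compare it with the fixed build for that version. The following Python is an added example, not Tenable's or VMware's code, that reproduces the check outside Nessus so it can be run over an inventory export; it handles the two failure modes the plugins treat differently (a banner that does not parse, and a version with no known fixed build). Hostnames and banners in the sample inventory are constructed.

```python
import re

# Fixed build numbers for VMSA-2012-0009, taken from the Nessus remote checks
# above (plugins 89035, 59447 and 70882). A host running a lower build of the
# same version is still missing the patch for CVE-2012-2448.
FIXED_BUILDS = {
    "ESX 3.5": 702112,
    "ESXi 3.5": 702112,
    "ESX 4.0": 702116,
    "ESXi 4.0": 702116,
    "ESX 4.1": 702113,
    "ESXi 4.1": 702113,
    "ESXi 5.0": 702118,
}

# Same shape as the plugins' eregmatch pattern: the product token, then the
# trailing "build-NNNNNN" suffix of the release banner.
RELEASE_RE = re.compile(r"^VMware (ESXi?).*build-([0-9]+)$")


def parse_release(release):
    """Split a banner such as 'VMware ESXi 5.0.0 build-623860' into
    (product, build). Returns None when the banner does not match."""
    m = RELEASE_RE.match(release.strip())
    if m is None:
        return None
    # Compare builds as integers: a lexical comparison of the digit strings
    # would misorder builds of different lengths (e.g. "99999" vs "702118").
    return m.group(1), int(m.group(2))


def check_vmsa_2012_0009(version, release):
    """Reproduce the plugins' decision for one host.

    version -- the 'Host/VMware/version' style key, e.g. 'ESXi 5.0'
    release -- the 'Host/VMware/release' style banner carrying the build
    Returns a dict whose 'status' is 'vulnerable', 'patched',
    'unknown_version' (no fixed build known, e.g. ESXi 5.1 and later) or
    'unparseable' (banner did not match), plus the numbers used.
    """
    parsed = parse_release(release)
    if parsed is None:
        return {"status": "unparseable", "version": version, "release": release}
    product, build = parsed
    fixed = FIXED_BUILDS.get(version)
    result = {"status": None, "product": product, "version": version,
              "build": build, "fixed_build": fixed}
    if fixed is None:
        # Plugin 89035 guards this case with isnull(); an unknown version must
        # be reported as such, neither as patched nor as vulnerable.
        result["status"] = "unknown_version"
    elif build < fixed:
        result["status"] = "vulnerable"
    else:
        result["status"] = "patched"
    return result


def format_report(result):
    """Render the same three-line report plugin 89035 emits when verbose."""
    if result["status"] != "vulnerable":
        return ""
    pad = " " * (8 - len(result["product"]))  # same alignment as the plugin
    return ("\n  {p} version{pad}: {v}"
            "\n  Installed build : {b}"
            "\n  Fixed build     : {f}\n").format(
                p=result["product"], pad=pad, v=result["version"],
                b=result["build"], f=result["fixed_build"])


def scan_inventory(hosts):
    """Run the check over (hostname, version, release) tuples and return only
    the hosts that still need the VMSA-2012-0009 patch."""
    findings = []
    for hostname, version, release in hosts:
        r = check_vmsa_2012_0009(version, release)
        if r["status"] == "vulnerable":
            findings.append((hostname, r["build"], r["fixed_build"]))
    return findings


# Constructed sample inventory: hostnames and banners are made up for this
# example; only the version/build layout mirrors what the plugins parse.
SAMPLE_HOSTS = [
    ("esx-a.example.test", "ESXi 5.0", "VMware ESXi 5.0.0 build-623860"),
    ("esx-b.example.test", "ESXi 5.0", "VMware ESXi 5.0.0 build-702118"),
    ("esx-c.example.test", "ESX 4.1", "VMware ESX 4.1.0 build-582267"),
    ("esx-d.example.test", "ESXi 5.1", "VMware ESXi 5.1.0 build-799733"),
    ("esx-e.example.test", "ESXi 4.0", "VMware ESXi 4.0.0"),
]

if __name__ == "__main__":
    for hostname, build, fixed in scan_inventory(SAMPLE_HOSTS):
        print(hostname, "is missing the patch: build", build, "<", fixed)
```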