CVE-2012-2450 - Unspecified vulnerability in VMWare products

Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Tags: vmware, nessus
Summary
VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
Vulnerable Configurations

Part | Count
---|---
Application | 11
OS | 17
Nessus
NASL family: VMware ESX Local Security Checks
NASL id: VMWARE_VMSA-2012-0009.NASL
Title: VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
Plugin id: 58977
Published: 2012-05-04
Last seen: 2020-06-01
Modified: 2020-06-02
Reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/58977

Description:

a. VMware host memory overwrite vulnerability (data pointers)

Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

- Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected.

OR

- Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line : isolation.tools.vixMessage.disable =

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2012-0009.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(58977);
  script_version("1.16");
  script_cvs_date("Date: 2018/08/07 11:56:11");

  script_cve_id("CVE-2012-1516", "CVE-2012-1517", "CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
  script_bugtraq_id(53369, 53371);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote VMware ESXi / ESX host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. VMware host memory overwrite vulnerability (data pointers)

Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

- Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected.

OR

- Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line :

  isolation.tools.vixMessage.disable = 'TRUE'.

Note: This workaround is not valid for Workstation 7.x and Fusion 3.x

Mitigation

- Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1516 to this issue.

VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.

b. VMware host memory overwrite vulnerability (function pointers)

Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

- None identified

Mitigation

- Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1517 to this issue.

VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.

c. ESX NFS traffic parsing vulnerability

Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.

Workaround

- None identified

Mitigation

- Connect only to trusted NFS servers
- Segregate the NFS network
- Harden your NFS server

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.

d. VMware floppy device out-of-bounds memory write

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

- Remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.

Mitigation

- Do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue.

e. VMware SCSI device unchecked memory write

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Workaround

- Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.

Mitigation

- Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2012/000182.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);

init_esx_check(date:"2012-05-03");
flag = 0;

# ESX 3.5
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201205401-SG")) flag++;

# ESX 4.0
if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201105201-UG",
    patch_updates : make_list("ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201205401-SG",
    patch_updates : make_list("ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG")
  )
) flag++;

# ESX 4.1
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201110201-SG",
    patch_updates : make_list("ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201201401-SG",
    patch_updates : make_list("ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201205401-SG",
    patch_updates : make_list("ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;

# ESXi 3.5
if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201205401-I-SG")) flag++;

# ESXi 4.0
if (esx_check(ver:"ESXi 4.0", patch:"ESXi400-201105201-UG")) flag++;
if (
  esx_check(
    ver           : "ESXi 4.0",
    patch         : "ESXi400-201205401-SG",
    patch_updates : make_list("ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG")
  )
) flag++;

# ESXi 4.1
if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201110201-SG",
    patch_updates : make_list("ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update02", "ESXi410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201201401-SG",
    patch_updates : make_list("ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201205401-SG",
    patch_updates : make_list("ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update03")
  )
) flag++;

# ESXi 5.0 (VIB-based check)
if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-1.13.702118")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Windows
NASL id: VMWARE_WORKSTATION_MULTIPLE_VMSA_2012_0009.NASL
Title: VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)
Plugin id: 59092
Published: 2012-05-15
Last seen: 2020-06-01
Modified: 2020-06-02
Reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/59092

Description:

The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities :

- Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)

- An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)

- An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59092);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)");
  script_summary(english:"Checks VMware Workstation version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities :

  - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)

  - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)

  - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
  # https://www.vmware.com/support/ws71/doc/releasenotes_ws716.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd5ac32f");
  # https://www.vmware.com/support/ws80/doc/releasenotes_workstation_803.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0a550479");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Workstation 7.1.6 / 8.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_workstation_detect.nasl");
  script_require_keys("SMB/Registry/Enumerated", "VMware/Workstation/Version");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");

version = get_kb_item_or_exit("VMware/Workstation/Version");

vulnerable = NULL;

# 7.x
if (version =~ '^7\\.')
{
  fix = '7.1.6';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

# 8.x
if (version =~ '^8\\.0')
{
  fix = '8.0.3';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

if (vulnerable < 0)
{
  port = kb_smb_transport();
  if (report_verbosity > 0)
  {
    # 'report' is first assigned here; plain assignment rather than '+='
    # onto an unset variable, matching the sibling Player plugin.
    report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole();
  exit(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
```
NASL family: Misc.
NASL id: VMWARE_VMSA-2012-0009_REMOTE.NASL
Title: VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
Plugin id: 89035
Published: 2016-02-29
Last seen: 2020-06-01
Modified: 2020-06-02
Reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/89035

Description:

The remote VMware ESX / ESXi host is affected by multiple vulnerabilities :

- Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517)

- A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448)

- Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(89035);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2448",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369, 53371);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)");
  script_summary(english:"Checks the ESX / ESXi version and build number.");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX / ESXi host is missing a security-related patch.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX / ESXi host is affected by multiple vulnerabilities :

  - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517)

  - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448)

  - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory that pertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 / 4.1 / 5.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");
  script_require_ports("Host/VMware/vsphere");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

version = get_kb_item_or_exit("Host/VMware/version");
release = get_kb_item_or_exit("Host/VMware/release");
port    = get_kb_item_or_exit("Host/VMware/vsphere");

# Version + build map
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014508
fixes = make_array();
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019536
fixes["ESX 3.5"]  = 702112;
# https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2019538
fixes["ESXi 3.5"] = 702112;
fixes["ESX 4.0"]  = 702116;
fixes["ESXi 4.0"] = 702116;
fixes["ESX 4.1"]  = 702113;
fixes["ESXi 4.1"] = 702113;
fixes["ESXi 5.0"] = 702118;

# The release banner looks like "VMware ESXi 5.0.0 build-NNNNNN"; pull out the type and build.
matches = eregmatch(pattern:'^VMware (ESXi?).*build-([0-9]+)$', string:release);
if (empty_or_null(matches))
  exit(1, 'Failed to extract the ESX / ESXi build number.');

type  = matches[1];
build = int(matches[2]);

fixed_build = fixes[version];

if (!isnull(fixed_build) && build < fixed_build)
{
  padding = crap(data:" ", length:8 - strlen(type)); # Spacing alignment
  report =
    '\n  ' + type + ' version' + padding + ': ' + version +
    '\n  Installed build : ' + build +
    '\n  Fixed build     : ' + fixed_build +
    '\n';
  security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + version + " build " + build);
```
NASL family: Gain a shell remotely
NASL id: VMWARE_ESX_NFS_RCE.NASL
Title: VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
Plugin id: 59447
Published: 2012-06-11
Last seen: 2020-06-01
Modified: 2020-06-02
Reporter: This script is (C) 2012-2019 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/59447

Description:

The remote VMware ESX/ESXi host is affected by the following security vulnerabilities :

- ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448)

- VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449)

- VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The text of this plugin is (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(59447);
  script_version("1.6");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)");
  script_summary(english:"Checks ESX/ESXi version and build number");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESX/ESXi host is affected by multiple security vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESX/ESXi host is affected by the following security vulnerabilities :

  - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448)

  - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449)

  - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000175.html");
  script_set_attribute(attribute:"solution", value:
"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is (C) 2012-2019 Tenable Network Security, Inc.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include('audit.inc');
include("global_settings.inc");
include('misc_func.inc');

# build number of the patched system
fix = make_array(
  "ESXi 5.0",   702118,
  "ESXi 4.1",   702113,
  "ESXi 4.0",   702116,
  "ESXi 3.5.0", 702112, # also fixes CVE-2012-1516
  "ESX 4.1",    702113,
  "ESX 4.0",    702116,
  "ESX 3.5.0",  702112  # also fixes CVE-2012-1516
);

ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");

# extract build number
match = eregmatch(pattern:'^VMware ESXi?.*build-([0-9]+)$', string:rel);
if (isnull(match)) exit(1, 'Cannot determine ESX/ESXi build number.');
build = match[1];

if (build < fix[ver])
{
  if (report_verbosity > 0)
  {
    if ("ESXi" >< rel)
    {
      line1 = "ESXi version";
      line2 = "ESXi release";
    }
    else
    {
      line1 = "ESX version ";
      line2 = "ESX release ";
    }
    report =
      '\n  ' + line1 + ' : ' + ver +
      '\n  ' + line2 + ' : ' + rel +
      '\n  Installed build : ' + build +
      '\n  Fixed build     : ' + fix[ver] +
      '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family: Windows
NASL id: VMWARE_PLAYER_MULTIPLE_VMSA_2012_0009.NASL
Title: VMware Player Multiple Vulnerabilities (VMSA-2012-0009)
Plugin id: 59091
Published: 2012-05-15
Last seen: 2020-06-01
Modified: 2020-06-02
Reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: https://www.tenable.com/plugins/nessus/59091

Description:

The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities :

- Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)

- An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)

- An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)

Code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59091);
  script_version("1.6");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1516",
    "CVE-2012-1517",
    "CVE-2012-2449",
    "CVE-2012-2450"
  );
  script_bugtraq_id(53369);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"VMware Player Multiple Vulnerabilities (VMSA-2012-0009)");
  script_summary(english:"Checks VMware Player version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtualization application affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities :

  - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)

  - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)

  - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2012/000176.html");
  # https://www.vmware.com/support/player31/doc/releasenotes_player316.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acb1cf3a");
  # https://www.vmware.com/support/player40/doc/releasenotes_player403.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?258456c3");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Player 3.1.6 / 4.0.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:player");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_player_detect.nasl");
  script_require_keys("SMB/Registry/Enumerated", "VMware/Player/Version");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("smb_func.inc");

version = get_kb_item_or_exit("VMware/Player/Version");

vulnerable = NULL;

# 3.x
if (version =~ '^3\\.')
{
  fix = '3.1.6';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

# 4.0.x
if (version =~ '^4\\.0')
{
  fix = '4.0.3';
  vulnerable = ver_compare(ver:version, fix:fix, strict:FALSE);
}

if (vulnerable < 0)
{
  port = kb_smb_transport();
  if (report_verbosity > 0)
  {
    report =
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole();
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Player", version);
```
Field | Value
---|---
NASL family | Misc.
NASL id | VMWARE_ESXI_5_0_BUILD_702118_REMOTE.NASL
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 70882
published | 2013-11-13
reporter | This script is (C) 2013-2018 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/70882
title | ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)

Description

The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities :

- An error exists related to NFS traffic handling that could allow memory corruption leading to execution of arbitrary code. (CVE-2012-2448)
- Out-of-bounds write errors exist related to virtual floppy disc devices and virtual SCSI devices that could allow local privilege escalation. (CVE-2012-2449, CVE-2012-2450)

Code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(70882);
  script_version("1.5");
  script_cvs_date("Date: 2018/08/06 14:03:14");

  script_cve_id("CVE-2012-2448", "CVE-2012-2449", "CVE-2012-2450");
  script_bugtraq_id(53369, 53371);
  script_xref(name:"VMSA", value:"2012-0009");

  script_name(english:"ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)");
  script_summary(english:"Checks ESXi version and build number");

  script_set_attribute(attribute:"synopsis", value:
"The remote VMware ESXi 5.0 host is affected by multiple security
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote VMware ESXi 5.0 host is affected by the following security
vulnerabilities :

  - An error exists related to NFS traffic handling that
    could allow memory corruption leading to execution of
    arbitrary code. (CVE-2012-2448)

  - Out-of-bounds write errors exist related to virtual
    floppy disc devices and virtual SCSI devices that could
    allow local privilege escalation. (CVE-2012-2449,
    CVE-2012-2450)");
  # https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=2019857
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?da8aca2a");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2012-0009.html");
  script_set_attribute(attribute:"solution", value:
"Apply patch ESXi500-201205401-SG. Alternatively, implement the
workaround referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/11/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is (C) 2013-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  script_dependencies("vmware_vsphere_detect.nbin");
  script_require_keys("Host/VMware/version", "Host/VMware/release");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Version and release strings collected remotely by the vSphere detection plugin.
ver = get_kb_item_or_exit("Host/VMware/version");
rel = get_kb_item_or_exit("Host/VMware/release");

# This check applies to ESXi 5.0 only.
if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
if ("VMware ESXi 5.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.0");

# Pull the numeric build out of a release string such as "VMware ESXi 5.0.0 build-NNNNNN".
match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
if (isnull(match)) exit(1, 'Failed to extract the ESXi build number.');

build = int(match[1]);
fixed_build = 702118;

# Builds below the patched build (ESXi500-201205401-SG) are reported as vulnerable.
if (build < fixed_build)
{
  if (report_verbosity > 0)
  {
    report =
      '\n  ESXi version    : ' + ver +
      '\n  Installed build : ' + build +
      '\n  Fixed build     : ' + fixed_build +
      '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
}
else exit(0, "The host has "+ver+" build "+build+" and thus is not affected.");
```
Oval
Field | Value
---|---
accepted | 2013-07-29T04:00:54.353-04:00
class | vulnerability
contributors | 
definition_extensions | 
description | VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
family | windows
id | oval:org.mitre.oval:def:16852
status | accepted
submitted | 2013-06-20T10:26:26.748+04:00
title | VMware SCSI device unchecked memory write
version | 6
References
- http://www.vmware.com/security/advisories/VMSA-2012-0009.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16852
- http://osvdb.org/81695
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75377
- http://www.securityfocus.com/bid/53369
- http://www.securitytracker.com/id?1027019
- http://secunia.com/advisories/49032