Vulnerabilities > CVE-2015-2342 - Remote Code Execution vulnerability in VMware vCenter Server
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The JMX RMI service in VMware vCenter Server 5.0 before u3e, 5.1 before u3b, 5.5 before u3, and 6.0 before u1 does not restrict registration of MBeans, which allows remote attackers to execute arbitrary code via the RMI protocol. <a href="https://cwe.mitre.org/data/definitions/415.html">CWE-415: Double Free</a>
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 4 |
Exploit-Db
| description | Java JMX Server Insecure Configuration Java Code Execution. CVE-2015-2342. Remote exploit for java platform |
| id | EDB-ID:36101 |
| last seen | 2016-02-04 |
| modified | 2015-02-17 |
| published | 2015-02-17 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/36101/ |
| title | Java JMX Server Insecure Configuration Java Code Execution |
Metasploit
description This module takes advantage a Java JMX interface insecure configuration, which would allow loading classes from any remote (HTTP) URL. JMX interfaces with authentication disabled (com.sun.management.jmxremote.authenticate=false) should be vulnerable, while interfaces with authentication enabled will be vulnerable only if a weak configuration is deployed (allowing to use javax.management.loading.MLet, having a security manager allowing to load a ClassLoader MBean, etc.). id MSF:EXPLOIT/MULTI/MISC/JAVA_JMX_SERVER last seen 2020-06-13 modified 2018-08-20 published 2015-01-21 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/java_jmx_server.rb title Java JMX Server Insecure Configuration Java Code Execution description Detect Java JMX endpoints id MSF:AUXILIARY/SCANNER/MISC/JAVA_JMX_SERVER last seen 2020-06-05 modified 2018-12-19 published 2018-07-30 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/misc/java_jmx_server.rb title Java JMX Server Insecure Endpoint Code Execution Scanner
Nessus
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2015-0007.NASL description The remote VMware ESXi host is affected by a remote code execution vulnerability due to a double-free error in the SLPDProcessMessage() function in OpenSLP. An unauthenticated, remote attacker can exploit this, via a crafted package, to execute arbitrary code or cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 86254 published 2015-10-03 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86254 title VMSA-2015-0007 : VMware vCenter and ESXi updates address critical security issues NASL family Misc. NASL id VMWARE_ESXI_5_1_BUILD_3021178_REMOTE.NASL description The remote VMware ESXi host is version 5.1 prior to build 3021178. It is, therefore, affected by a remote code execution vulnerability due to a double-free error in the SLPDProcessMessage() function in OpenSLP. An unauthenticated, remote attacker can exploit this, via a crafted package, to execute arbitrary code or cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 86946 published 2015-11-19 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86946 title VMware ESXi 5.1 < Build 3021178 OpenSLP RCE (VMSA-2015-0007) NASL family Misc. NASL id VMWARE_ESXI_5_5_BUILD_3029944_REMOTE.NASL description The remote VMware ESXi host is version 5.5 prior to build 3029944. It is, therefore, affected by a remote code execution vulnerability due to a double-free error in the SLPDProcessMessage() function in OpenSLP. An unauthenticated, remote attacker can exploit this, via a crafted package, to execute arbitrary code or cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 86947 published 2015-11-19 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86947 title VMware ESXi 5.5 < Build 3029944 OpenSLP RCE (VMSA-2015-0007) NASL family Misc. NASL id VMWARE_VCENTER_VMSA-2015-0007.NASL description The VMware vCenter Server installed on the remote host is affected by the following vulnerabilities : - A flaw exists in the vpxd service due to improper sanitization of long heartbeat messages. An unauthenticated, remote attacker can exploit this to cause a denial of service. (CVE-2015-1047) - A flaw exists due to an insecurely configured and remotely accessible JMX RMI service. An unauthenticated, remote attacker can exploit this, via an MLet file, to execute arbitrary code on the vCenter server with the same privileges as the web server. (CVE-2015-2342) last seen 2020-06-01 modified 2020-06-02 plugin id 86255 published 2015-10-02 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86255 title VMware vCenter Multiple Vulnerabilities (VMSA-2015-0007) NASL family Misc. NASL id VMWARE_ESXI_5_0_BUILD_3021432_REMOTE.NASL description The remote VMware ESXi host is version 5.0 prior to build 3021432. It is, therefore, affected by a remote code execution vulnerability due to a double-free error in the SLPDProcessMessage() function in OpenSLP. An unauthenticated, remote attacker can exploit this, via a crafted package, to execute arbitrary code or cause a denial of service condition. last seen 2020-06-01 modified 2020-06-02 plugin id 86945 published 2015-11-19 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86945 title VMware ESXi 5.0 < Build 3021432 OpenSLP RCE (VMSA-2015-0007)
References
- http://seclists.org/fulldisclosure/2015/Oct/1
- http://www.securityfocus.com/bid/76930
- http://www.securitytracker.com/id/1033720
- http://www.vmware.com/security/advisories/VMSA-2015-0007.html
- http://www.zerodayinitiative.com/advisories/ZDI-15-455
- https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmware-vcenter-remote-code-execution/