CVE-2015-5191 - Race Condition vulnerability in VMware Tools

CVSS 6.7 - MEDIUM
  Attack vector: LOCAL
  Attack complexity: HIGH
  Privileges required: LOW
  Confidentiality impact: HIGH
  Integrity impact: HIGH
  Availability impact: HIGH
Tags: local, high complexity, vmware, CWE-362, nessus

Summary

VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation.

CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker leverages the race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while a file is being accessed; the attacker can trick the system by replacing the original file with their own version, causing the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker leverages a file access race condition by "running the race", meaning they modify the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
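
The fixed-path pattern described in the summary and the TOCTOU entry above, shown beside a hardened form. This is an added example, not code from libDeployPkg or from this page; the function names, the /tmp/deploy-demo-XXXXXX template and the file name work.tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fragile pattern (illustrative): fixed name, existence check, then open.
 * The checked state can change before open(), which also follows symlinks. */
int open_fixed_path(const char *path)
{
    if (access(path, F_OK) == 0)
        return -1;                          /* "already exists" */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, step 1: private 0700 directory with an unpredictable name. */
int make_private_dir(char *tmpl)            /* tmpl must end in XXXXXX */
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    return open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
}

/* Hardened, step 2: create relative to the directory fd. O_CREAT|O_EXCL
 * makes check and create one atomic step and refuses any existing entry,
 * symlinks included. */
int create_in_dir(int dirfd, const char *name)
{
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a dangling symlink already occupies the expected
 * name. Returns a bitmask: 1 = fixed-path open created the link target,
 * 2 = hardened open did; -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/deploy-demo-XXXXXX", link_path[64], target[64];
    struct stat st;
    int result = 0, fd, dfd = make_private_dir(dir);
    if (dfd < 0)
        return -1;
    snprintf(link_path, sizeof link_path, "%s/work.tmp", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);
    if (symlink(target, link_path) != 0)
        return -1;
    if ((fd = create_in_dir(dfd, "work.tmp")) >= 0)   /* must refuse */
        close(fd);
    if (stat(target, &st) == 0)
        result |= 2;
    if ((fd = open_fixed_path(link_path)) >= 0)       /* follows the link */
        close(fd);
    if (stat(target, &st) == 0)
        result |= 1;
    unlink(target); unlink(link_path); close(dfd); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

The existence check passes on the dangling link because access() resolves it to a missing target, which is why the check adds no protection; the hardened open fails instead of writing through the link.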

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-0702-1.NASL
    description: This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues:
      - New vmware-namespace-cmd command line utility
      - GTK3 support
      - Common Agent Framework (CAF)
      - Guest authentication with xmlsec1
      - Sub-command to push updated network information to the host on demand
      - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796)
      - Fix for CVE-2015-5191 (bsc#1007600)
      - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496)
      - Add udev rule to increase VMware virtual disk timeout values (bsc#994598)
      - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031)
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97775
    published: 2017-03-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97775
    title: SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0702-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0702-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97775);
      script_version("3.14");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2015-5191");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0702-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for open-vm-tools to 10.1.0 stable brings features, fixes
    bugs and security issues :
    
      - New vmware-namespace-cmd command line utility
    
      - GTK3 support
    
      - Common Agent Framework (CAF)
    
      - Guest authentication with xmlsec1
    
      - Sub-command to push updated network information to the
        host on demand
    
      - Fix for quiesced snapshot failure leaving guest file
        system quiesced (bsc#1006796)
    
      - Fix for CVE-2015-5191 (bsc#1007600)
    
      - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496)
    
      - Add udev rule to increase VMware virtual disk timeout
        values (bsc#994598)
    
      - Fix vmtoolsd init script to run vmtoolsd in background
        (bsc#971031)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006796"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011057"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013496"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1024200"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=971031"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994598"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-5191/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170702-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4b97a832"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-382=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-382=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvmtools0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvmtools0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-desktop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-desktop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libvmtools0-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libvmtools0-debuginfo-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debuginfo-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debugsource-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-debuginfo-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libvmtools0-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libvmtools0-debuginfo-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debuginfo-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debugsource-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-10.1.0-8.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-debuginfo-10.1.0-8.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "open-vm-tools");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-4B4154D6F6.NASL
    description: Fix /tmp race conditions in libDeployPkg (CVE-2015-5191).
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-08-04
    plugin id: 102185
    published: 2017-08-04
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102185
    title: Fedora 25 : open-vm-tools (2017-4b4154d6f6)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-0705-1.NASL
    description: This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues:
      - New vmware-namespace-cmd command line utility
      - GTK3 support
      - Common Agent Framework (CAF)
      - Guest authentication with xmlsec1
      - Sub-command to push updated network information to the host on demand
      - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796)
      - Fix for CVE-2015-5191 (bsc#1007600)
      - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496)
      - Add udev rule to increase VMware virtual disk timeout values (bsc#994598)
      - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031)
      - Fix copy-n-paste and drag-n-drop regressions (bsc#978424)
      - Add new vmblock-fuse.service
      - Fix a suspend with systemd issue (bsc#913727)
      - ESXi Serviceability
      - GuestInfo Enhancements
      - Compatibility with all supported versions of VMware vSphere, VMware Workstation 12.0 and VMware Fusion 8.0.
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97777
    published: 2017-03-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97777
    title: SUSE SLES11 Security Update : open-vm-tools (SUSE-SU-2017:0705-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-0701-1.NASL
    description: This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues:
      - New vmware-namespace-cmd command line utility
      - GTK3 support
      - Common Agent Framework (CAF)
      - Guest authentication with xmlsec1
      - Sub-command to push updated network information to the host on demand
      - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796)
      - Fix for CVE-2015-5191 (bsc#1007600)
      - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496)
      - Add udev rule to increase VMware virtual disk timeout values (bsc#994598)
      - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031)
      - Fix copy-n-paste and drag-n-drop regressions (bsc#978424)
      - Add new vmblock-fuse.service
      - Fix a suspend with systemd issue (bsc#913727)
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97774
    published: 2017-03-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97774
    title: SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0701-1)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-276.NASL
    description: This update for open-vm-tools fixes the following issues:
      - Updated to 10.1.0 stable release (boo#1011057)
        + vmware-namespace-cmd command line utility.
        + gtk3 support
        + Common Agent Framework (CAF)
        + guest authentication with xmlsec1
        + FreeBSD support
        + sub-command to push updated network information to the host on demand
        + udev rules for configuring SCSI timeouts in the guest
        + fixes for Ubuntu 16.10
        + Fix for quiesced snapshot failure leaving guest file system quiesced (boo#1006796)
        + Fix for CVE-2015-5191 (boo#1007600)
      - Report SLES12-SAP guest OS as SLES12 (boo#1013496)
      - Remove building KMP modules. No longer needed or wanted for current releases. User space tool vmhgfs-fuse has replaced the need for vmhgfs kernel module.
      - Add udev rule to increase VMware virtual disk timeout values (boo#994598)
      - Fix vmtoolsd init script to run vmtoolsd in background. (boo#971031)
        + fix originally done in SLE-11-SP4 code base by [email protected]
      - Added patches for GCC 6 build failure (boo#985110)
      - Update to 10.0.7-gtk3 stable branch
        + add support for gtk3, needed by the dndcp and resolutionset plugins
        + remove files generated by autoreconf
        + a few minor build fixes
      - Update fixes copy-n-paste and drag-n-drop regressions (boo#978424)
      - Added new vmblock-fuse.service
      - Update to 10.0.7 stable branch
        + Added namespace command line utility
    last seen: 2020-06-05
    modified: 2017-02-21
    plugin id: 97285
    published: 2017-02-21
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97285
    title: openSUSE Security Update : open-vm-tools (openSUSE-2017-276)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-385.NASL
    description: This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues:
      - New vmware-namespace-cmd command line utility
      - GTK3 support
      - Common Agent Framework (CAF)
      - Guest authentication with xmlsec1
      - Sub-command to push updated network information to the host on demand
      - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796)
      - Fix for CVE-2015-5191 (bsc#1007600)
      - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496)
      - Add udev rule to increase VMware virtual disk timeout values (bsc#994598)
      - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031)
    This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2017-03-28
    plugin id: 99019
    published: 2017-03-28
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99019
    title: openSUSE Security Update : open-vm-tools (openSUSE-2017-385)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-08EC8B6DC4.NASL
    description: Fix /tmp race conditions in libDeployPkg (CVE-2015-5191).
    Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-27
    plugin id: 101986
    published: 2017-07-27
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101986
    title: Fedora 26 : open-vm-tools (2017-08ec8b6dc4)