Vulnerabilities > CVE-2015-5191 - Race Condition vulnerability in VMWare Tools
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0702-1.NASL description This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues : - New vmware-namespace-cmd command line utility - GTK3 support - Common Agent Framework (CAF) - Guest authentication with xmlsec1 - Sub-command to push updated network information to the host on demand - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796) - Fix for CVE-2015-5191 (bsc#1007600) - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496) - Add udev rule to increase VMware virtual disk timeout values (bsc#994598) - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97775 published 2017-03-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97775 title SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0702-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2017:0702-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(97775); script_version("3.14"); script_cvs_date("Date: 2019/09/11 11:22:15"); script_cve_id("CVE-2015-5191"); script_name(english:"SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0702-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues : - New vmware-namespace-cmd command line utility - GTK3 support - Common Agent Framework (CAF) - Guest authentication with xmlsec1 - Sub-command to push updated network information to the host on demand - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796) - Fix for CVE-2015-5191 (bsc#1007600) - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496) - Add udev rule to increase VMware virtual disk timeout values (bsc#994598) - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1006796" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1007600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1011057" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1013496" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1024200" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=971031" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=994598" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2015-5191/" ); # https://www.suse.com/support/update/announcement/2017/suse-su-20170702-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?4b97a832" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-SP2:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-382=1 SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-382=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvmtools0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libvmtools0-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-desktop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:open-vm-tools-desktop-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/28"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libvmtools0-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libvmtools0-debuginfo-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debuginfo-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debugsource-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-10.1.0-8.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-debuginfo-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libvmtools0-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libvmtools0-debuginfo-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debuginfo-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-debugsource-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-10.1.0-8.1")) flag++; if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"open-vm-tools-desktop-debuginfo-10.1.0-8.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "open-vm-tools"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2017-4B4154D6F6.NASL description Fix /tmp race conditions in libDeployPkg (CVE-2015-5191). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-08-04 plugin id 102185 published 2017-08-04 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102185 title Fedora 25 : open-vm-tools (2017-4b4154d6f6) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0705-1.NASL description This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues : - New vmware-namespace-cmd command line utility - GTK3 support - Common Agent Framework (CAF) - Guest authentication with xmlsec1 - Sub-command to push updated network information to the host on demand - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796) - Fix for CVE-2015-5191 (bsc#1007600) - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496) - Add udev rule to increase VMware virtual disk timeout values (bsc#994598) - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031) - Fix copy-n-paste and drag-n-drop regressions (bsc#978424) - Add new vmblock-fuse.service - Fix a suspend with systemd issue (bsc#913727) - ESXi Serviceability - GuestInfo Enhancements - Compatibility with all supported versions of VMware vSphere, VMware Workstation 12.0 and VMware Fusion 8.0. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97777 published 2017-03-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97777 title SUSE SLES11 Security Update : open-vm-tools (SUSE-SU-2017:0705-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0701-1.NASL description This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues : - New vmware-namespace-cmd command line utility - GTK3 support - Common Agent Framework (CAF) - Guest authentication with xmlsec1 - Sub-command to push updated network information to the host on demand - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796) - Fix for CVE-2015-5191 (bsc#1007600) - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496) - Add udev rule to increase VMware virtual disk timeout values (bsc#994598) - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031) - Fix copy-n-paste and drag-n-drop regressions (bsc#978424) - Add new vmblock-fuse.service - Fix a suspend with systemd issue (bsc#913727) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 97774 published 2017-03-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97774 title SUSE SLED12 / SLES12 Security Update : open-vm-tools (SUSE-SU-2017:0701-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-276.NASL description This update for open-vm-tools fixes the following issues : - Updated to 10.1.0 stable release (boo#1011057) + vmware-namespace-cmd command line utility. + gtk3 support + Common Agent Framework (CAF) + guest authentication with xmlsec1 + FreeBSD support + sub-command to push updated network information to the host on demand + udev rules for configuring SCSI timeouts in the guest + fixes for Ubuntu 16.10 + Fix for quiesced snapshot failure leaving guest file system quiesced (boo#1006796) + Fix for CVE-2015-5191 (boo#1007600) - Report SLES12-SAP guest OS as SLES12 (boo#1013496) - Remove building KMP modules. No longer needed or wanted for current releases. User space tool vmhgfs-fuse has replaced the need for vmhgfs kernel module. - Add udev rule to increase VMware virtual disk timeout values (boo#994598) - Fix vmtoolsd init script to run vmtoolsd in background. (boo#971031) + fix originally done in SLE-11-SP4 code base by [email protected] - Added patches for GCC 6 build failure (boo#985110) - Update to 10.0.7-gtk3 stable branch + add support for gtk3, needed by the dndcp and resolutionset plugins + remove files generated by autoreconf + a few minor build fixes - Update fixes copy-n-paste and drag-n-drop regressions (boo#978424) - Added new vmblock-fuse.service - Update to 10.0.7 stable branch + Added namespace command line utility last seen 2020-06-05 modified 2017-02-21 plugin id 97285 published 2017-02-21 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97285 title openSUSE Security Update : open-vm-tools (openSUSE-2017-276) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-385.NASL description This update for open-vm-tools to 10.1.0 stable brings features, fixes bugs and security issues : - New vmware-namespace-cmd command line utility - GTK3 support - Common Agent Framework (CAF) - Guest authentication with xmlsec1 - Sub-command to push updated network information to the host on demand - Fix for quiesced snapshot failure leaving guest file system quiesced (bsc#1006796) - Fix for CVE-2015-5191 (bsc#1007600) - Report SLES for SAP 12 guest OS as SLES 12 (bsc#1013496) - Add udev rule to increase VMware virtual disk timeout values (bsc#994598) - Fix vmtoolsd init script to run vmtoolsd in background (bsc#971031) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-03-28 plugin id 99019 published 2017-03-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99019 title openSUSE Security Update : open-vm-tools (openSUSE-2017-385) NASL family Fedora Local Security Checks NASL id FEDORA_2017-08EC8B6DC4.NASL description Fix /tmp race conditions in libDeployPkg (CVE-2015-5191). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-27 plugin id 101986 published 2017-07-27 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101986 title Fedora 26 : open-vm-tools (2017-08ec8b6dc4)