Vulnerabilities > CVE-2017-4903 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in VMWare products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 have an uninitialized stack memory usage in SVGA. This issue may allow a guest to execute code on the host.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family MacOS X Local Security Checks NASL id MACOSX_FUSION_VMSA_2017_0006.NASL description The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.6. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905) last seen 2020-06-01 modified 2020-06-02 plugin id 99103 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99103 title VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99103); script_version("1.6"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905" ); script_bugtraq_id( 97160, 97163, 97164, 97165 ); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)"); script_summary(english:"Checks the VMware Fusion version."); script_set_attribute(attribute:"synopsis", value: "A virtualization application installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.6. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html"); script_set_attribute(attribute:"solution", value: "Upgrade to VMware Fusion version 8.5.6 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_fusion_detect.nasl"); script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("install_func.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); get_kb_item_or_exit("Host/local_checks_enabled"); os = get_kb_item("Host/MacOSX/Version"); if (!os) audit(AUDIT_OS_NOT, "Mac OS X"); install = get_single_install(app_name:"VMware Fusion", exit_if_unknown_ver:TRUE); version = install['version']; path = install['path']; fix = ''; if (version =~ "^8\.") fix = '8.5.6'; if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) { report += '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);
NASL family General NASL id VMWARE_WORKSTATION_LINUX_VMSA_2017_0006.NASL description The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905) last seen 2020-06-01 modified 2020-06-02 plugin id 99104 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99104 title VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99104); script_version("1.6"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905" ); script_bugtraq_id( 97160, 97163, 97164, 97165 ); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux)"); script_summary(english:"Checks the VMware Workstation version."); script_set_attribute(attribute:"synopsis", value: "A virtualization application installed on the remote Linux host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html"); script_set_attribute(attribute:"solution", value: "Upgrade to VMware Workstation version 12.5.5 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"General"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_workstation_linux_installed.nbin"); script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport"); script_exclude_keys("SMB/Registry/Enumerated"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows"); version = get_kb_item_or_exit("Host/VMware Workstation/Version"); fix = ''; if (version =~ "^12\.") fix = '12.5.5'; if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) { report += '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
NASL family Windows NASL id VMWARE_WORKSTATION_WIN_VMSA_2017_0006.NASL description The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905) last seen 2020-06-01 modified 2020-06-02 plugin id 99105 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99105 title VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99105); script_version("1.6"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905" ); script_bugtraq_id( 97160, 97163, 97164, 97165 ); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006)"); script_summary(english:"Checks the VMware Workstation version."); script_set_attribute(attribute:"synopsis", value: "A virtualization application installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html"); script_set_attribute(attribute:"solution", value: "Upgrade to VMware Workstation version 12.5.5 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_workstation_detect.nasl"); script_require_keys("SMB/Registry/Enumerated", "installed_sw/VMware Workstation", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("install_func.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); get_kb_item_or_exit("SMB/Registry/Enumerated"); appname = 'VMware Workstation'; install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE); version = install['version']; path = install['path']; fix = ''; if (version =~ "^12\.") fix = "12.5.5"; if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0) { port = get_kb_item("SMB/transport"); if (!port) port = 445; report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); } else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2017-0006.NASL description a. ESXi, Workstation, Fusion SVGA memory corruption ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host. VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues. Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902. b. ESXi, Workstation, Fusion XHCI uninitialized memory usage The ESXi, Workstation, and Fusion XHCI controller has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4904 to this issue. c. ESXi, Workstation, Fusion uninitialized memory usage ESXi, Workstation, and Fusion have uninitialized memory usage. This issue may lead to an information leak. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4905 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 99102 published 2017-03-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99102 title VMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory 2017-0006. # The text itself is copyright (C) VMware Inc. # include("compat.inc"); if (description) { script_id(99102); script_version("3.18"); script_cvs_date("Date: 2019/09/26 15:14:18"); script_cve_id("CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"VMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues"); script_summary(english:"Checks esxupdate output for the patches"); script_set_attribute( attribute:"synopsis", value: "The remote VMware ESXi host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "a. ESXi, Workstation, Fusion SVGA memory corruption ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host. VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues. Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902. b. ESXi, Workstation, Fusion XHCI uninitialized memory usage The ESXi, Workstation, and Fusion XHCI controller has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4904 to this issue. c. ESXi, Workstation, Fusion uninitialized memory usage ESXi, Workstation, and Fusion have uninitialized memory usage. This issue may lead to an information leak. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4905 to this issue." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2017/000373.html" ); script_set_attribute(attribute:"solution", value:"Apply the missing patches."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version"); script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs"); exit(0); } include("audit.inc"); include("vmware_esx_packages.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi"); if ( !get_kb_item("Host/VMware/esxcli_software_vibs") && !get_kb_item("Host/VMware/esxupdate") ) audit(AUDIT_PACKAGE_LIST_MISSING); init_esx_check(date:"2017-03-28"); flag = 0; if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.58.5224934")) flag++; if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.58.5224737")) flag++; if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.58.5224738")) flag++; if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-0.15.5224529")) flag++; if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-0.15.5224529")) flag++; if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-0.15.5224529")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc. NASL id VMWARE_ESXI_6_0_BUILD_5251621_REMOTE.NASL description The version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to build 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build 5224934. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905) last seen 2020-06-01 modified 2020-06-02 plugin id 99130 published 2017-03-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99130 title ESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99130); script_version("1.8"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"); script_bugtraq_id(97160, 97164, 97165); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"ESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)"); script_summary(english:"Checks the ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESXi 6.0 host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to build 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build 5224934. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html"); # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149672 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29e8975b"); # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149673 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ac633b1"); script_set_attribute(attribute:"solution", value: "Apply patch ESXi600-201703401-SG, ESXi600-201703002, or ESXi600-201703003 according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/31"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi"); if ("VMware ESXi 6.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.0"); match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel); if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0"); build = int(match[1]); vuln = FALSE; # 6.0 U1 Builds # KB 2149672 u1_builds = make_list(3029758, 3073146, 3247720, 3380124, 3568940); foreach u1_build (u1_builds) { if (build == u1_build) { vuln = TRUE; fixed_build = 5251621; } } # 6.0 U2 Builds # KB 2149673 u1_builds = make_list(3620759, 3825889, 4192238, 4510822, 4600944); foreach u1_build (u1_builds) { if (build == u1_build) { vuln = TRUE; fixed_build = 5251623; } } # 6.0 U3 # KB 2143832 lists 5050593 as the build for 6.0 U3 released on 2/24/17 if (!vuln) { if (build >= 5050593 && build < 5224934) { vuln = TRUE; fixed_build = 5224934; } } if (vuln) { report = '\n ESXi version : ' + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fixed_build + '\n'; security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
NASL family Misc. NASL id VMWARE_ESXI_6_5_BUILD_5224529_REMOTE.NASL description The version of the remote VMware ESXi 6.5 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905) last seen 2020-06-01 modified 2020-06-02 plugin id 99131 published 2017-03-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99131 title ESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99131); script_version("1.8"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905"); script_bugtraq_id(97160, 97164, 97165); script_xref(name:"VMSA", value:"2017-0006"); script_name(english:"ESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)"); script_summary(english:"Checks the ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESXi 6.5 host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of the remote VMware ESXi 6.5 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)"); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html"); script_set_attribute(attribute:"solution", value: "Apply patch ESXi650-201703410-SG according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/31"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:vmware:esxi:6.5"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi"); if ("VMware ESXi 6.5" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.5"); match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel); if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.5"); build = int(match[1]); fixed_build = 5224529; if (build < fixed_build) { report = '\n ESXi version : ' + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fixed_build + '\n'; security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
References
- http://www.securityfocus.com/bid/97160
- http://www.securityfocus.com/bid/97160
- http://www.securitytracker.com/id/1038148
- http://www.securitytracker.com/id/1038148
- http://www.securitytracker.com/id/1038149
- http://www.securitytracker.com/id/1038149
- http://www.vmware.com/security/advisories/VMSA-2017-0006.html
- http://www.vmware.com/security/advisories/VMSA-2017-0006.html