Vulnerabilities > CVE-2017-4904 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in VMWare products

047910
CVSS 8.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
vmware
CWE-119
nessus

Summary

The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi600-201703403-SG, 6.0 U1 without patch ESXi600-201703402-SG, and 5.5 without patch ESXi550-201703401-SG; Workstation Pro / Player 12.x prior to 12.5.5; and Fusion Pro / Fusion 8.x prior to 8.5.6 has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_VMSA_2017_0006.NASL
    descriptionThe version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.6. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99103
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99103
    titleVMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99103);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-4902",
        "CVE-2017-4903",
        "CVE-2017-4904",
        "CVE-2017-4905"
      );
      script_bugtraq_id(
        97160,
        97163,
        97164,
        97165
      );
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)");
      script_summary(english:"Checks the VMware Fusion version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote macOS or Mac OS X
    host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Fusion installed on the remote macOS or Mac OS X
    host is 8.x prior to 8.5.6. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A heap buffer overflow condition exists due to improper
        validation of certain input. An attacker on the guest
        can exploit this to cause a denial of service condition
        or the execution of arbitrary code on the host.
        (CVE-2017-4902)
    
      - A stack memory initialization flaw exists that allows an
        attacker on the guest to execute arbitrary code on the
        host. (CVE-2017-4903)
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Fusion version 8.5.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_fusion_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    get_kb_item_or_exit("Host/local_checks_enabled");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    install = get_single_install(app_name:"VMware Fusion", exit_if_unknown_ver:TRUE);
    version = install['version'];
    path = install['path'];
    
    fix = '';
    if (version =~ "^8\.") fix = '8.5.6';
    
    if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report +=
        '\n  Path              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);
    
  • NASL familyGeneral
    NASL idVMWARE_WORKSTATION_LINUX_VMSA_2017_0006.NASL
    descriptionThe version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99104
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99104
    titleVMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99104);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-4902",
        "CVE-2017-4903",
        "CVE-2017-4904",
        "CVE-2017-4905"
      );
      script_bugtraq_id(
        97160,
        97163,
        97164,
        97165
      );
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006) (Linux)");
      script_summary(english:"Checks the VMware Workstation version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Linux host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote Linux host
    is 12.x prior to 12.5.5. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A heap buffer overflow condition exists due to improper
        validation of certain input. An attacker on the guest
        can exploit this to cause a denial of service condition
        or the execution of arbitrary code on the host.
        (CVE-2017-4902)
    
      - A stack memory initialization flaw exists that allows an
        attacker on the guest to execute arbitrary code on the
        host. (CVE-2017-4903)
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation version 12.5.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"General");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_linux_installed.nbin");
      script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport");
      script_exclude_keys("SMB/Registry/Enumerated");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");
    
    version = get_kb_item_or_exit("Host/VMware Workstation/Version");
    
    fix = '';
    if (version =~ "^12\.") fix = '12.5.5';
    
    if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report +=
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);
    
  • NASL familyWindows
    NASL idVMWARE_WORKSTATION_WIN_VMSA_2017_0006.NASL
    descriptionThe version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.5. It is, therefore, affected by multiple vulnerabilities : - A heap buffer overflow condition exists due to improper validation of certain input. An attacker on the guest can exploit this to cause a denial of service condition or the execution of arbitrary code on the host. (CVE-2017-4902) - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99105
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99105
    titleVMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99105);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2017-4902",
        "CVE-2017-4903",
        "CVE-2017-4904",
        "CVE-2017-4905"
      );
      script_bugtraq_id(
        97160,
        97163,
        97164,
        97165
      );
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"VMware Workstation 12.x < 12.5.5 Multiple Vulnerabilities (VMSA-2017-0006)");
      script_summary(english:"Checks the VMware Workstation version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization application installed on the remote Windows host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware Workstation installed on the remote Windows host
    is 12.x prior to 12.5.5. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A heap buffer overflow condition exists due to improper
        validation of certain input. An attacker on the guest
        can exploit this to cause a denial of service condition
        or the execution of arbitrary code on the host.
        (CVE-2017-4902)
    
      - A stack memory initialization flaw exists that allows an
        attacker on the guest to execute arbitrary code on the
        host. (CVE-2017-4903)
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Workstation version 12.5.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_workstation_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated", "installed_sw/VMware Workstation", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    
    appname = 'VMware Workstation';
    
    install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
    version = install['version'];
    path = install['path'];
    
    fix = '';
    if (version =~ "^12\.") fix = "12.5.5";
    
    if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      report =
        '\n  Path              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2017-0006.NASL
    descriptiona. ESXi, Workstation, Fusion SVGA memory corruption ESXi, Workstation, Fusion have a heap buffer overflow and uninitialized stack memory usage in SVGA. These issues may allow a guest to execute code on the host. VMware would like to thank ZDI and Team 360 Security from Qihoo for reporting these issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2017-4902 (heap issue) and CVE-2017-4903 (stack issue) to these issues. Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902. b. ESXi, Workstation, Fusion XHCI uninitialized memory usage The ESXi, Workstation, and Fusion XHCI controller has uninitialized memory usage. This issue may allow a guest to execute code on the host. The issue is reduced to a Denial of Service of the guest on ESXi 5.5. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4904 to this issue. c. ESXi, Workstation, Fusion uninitialized memory usage ESXi, Workstation, and Fusion have uninitialized memory usage. This issue may lead to an information leak. VMware would like to thank ZDI and Team Sniper from Tencent Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4905 to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id99102
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99102
    titleVMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2017-0006. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99102);
      script_version("3.18");
      script_cvs_date("Date: 2019/09/26 15:14:18");
    
      script_cve_id("CVE-2017-4902", "CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905");
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"VMSA-2017-0006 : VMware ESXi, Workstation and Fusion updates address critical and moderate security issues");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. ESXi, Workstation, Fusion SVGA memory corruption
    
    ESXi, Workstation, Fusion have a heap buffer overflow and
    uninitialized stack memory usage in SVGA. These issues may allow
    a guest to execute code on the host.
    
    VMware would like to thank ZDI and Team 360 Security from Qihoo for
    reporting these issues to us.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifiers CVE-2017-4902 (heap issue) and
    CVE-2017-4903 (stack issue) to these issues.
    
    Note: ESXi 6.0 is affected by CVE-2017-4903 but not by CVE-2017-4902.
    
    b. ESXi, Workstation, Fusion XHCI uninitialized memory usage
    
    The ESXi, Workstation, and Fusion XHCI controller has uninitialized
    memory usage. This issue may allow a guest to execute code on
    the host. The issue is reduced to a Denial of Service of the guest
    on ESXi 5.5.
    
    VMware would like to thank ZDI and Team Sniper from Tencent Security
    for reporting this issue to us.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2017-4904 to this issue.
    
    c. ESXi, Workstation, Fusion uninitialized memory usage
    
    ESXi, Workstation, and Fusion have uninitialized memory usage. This
    issue may lead to an information leak.
    
    VMware would like to thank ZDI and Team Sniper from Tencent Security
    for reporting this issue to us.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2017-4905 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2017/000373.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2017-03-28");
    flag = 0;
    
    
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.58.5224934")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.58.5224737")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.58.5224738")) flag++;
    
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-0.15.5224529")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-0.15.5224529")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-0.15.5224529")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idVMWARE_ESXI_6_0_BUILD_5251621_REMOTE.NASL
    descriptionThe version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to build 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build 5224934. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99130
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99130
    titleESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(99130);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905");
      script_bugtraq_id(97160, 97164, 97165);
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"ESXi 6.0 U1 < Build 5251621 / 6.0 U2 < Build 5251623 / 6.0 U3 < Build 5224934 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 6.0 host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of the remote VMware ESXi 6.0 host is 6.0 U1 prior to
    build 5251621, 6.0 U2 prior to build 5251623, or 6.0 U3 prior to build
    5224934. It is, therefore, affected by multiple vulnerabilities :
    
      - A stack memory initialization flaw exists that allows an
        attacker on the guest to execute arbitrary code on the
        host. (CVE-2017-4903)
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149672
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29e8975b");
      # https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2149673
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ac633b1");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi600-201703401-SG, ESXi600-201703002, or
    ESXi600-201703003 according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/31");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 6.0" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.0");
    
    match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.0");
    
    build = int(match[1]);
    vuln = FALSE;
    
    # 6.0 U1 Builds
    # KB 2149672
    u1_builds = make_list(3029758, 3073146, 3247720, 3380124, 3568940);
    foreach u1_build (u1_builds)
    {
      if (build == u1_build)
      {
        vuln = TRUE;
        fixed_build = 5251621;
      }
    }
    
    # 6.0 U2 Builds
    # KB 2149673
    u1_builds = make_list(3620759, 3825889, 4192238, 4510822, 4600944);
    foreach u1_build (u1_builds)
    {
      if (build == u1_build)
      {
        vuln = TRUE;
        fixed_build = 5251623;
      }
    }
    
    # 6.0 U3
    # KB 2143832 lists 5050593 as the build for 6.0 U3 released on 2/24/17
    if (!vuln)
    {
      if (build >= 5050593 && build < 5224934)
      {
        vuln = TRUE;
        fixed_build = 5224934;
      }
    }
    
    if (vuln)
    {
      report = '\n  ESXi version    : ' + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
    
  • NASL familyMisc.
    NASL idVMWARE_ESXI_5_5_BUILD_5230635_REMOTE.NASL
    descriptionThe version of the remote VMware ESXi 5.5 host is prior to build 5230635. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99129
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99129
    titleESXi 5.5 < Build 5230635 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(99129);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-4904", "CVE-2017-4905");
      script_bugtraq_id(97164, 97165);
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"ESXi 5.5 < Build 5230635 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 5.5 host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of the remote VMware ESXi 5.5 host is prior to build
    5230635. It is, therefore, affected by multiple vulnerabilities :
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi550-201703401-SG according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/31");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 5.5" >!< rel) audit(AUDIT_OS_NOT, "ESXi 5.5");
    
    match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "5.5");
    
    build = int(match[1]);
    fixed_build = 5230635;
    
    if (build < fixed_build)
    {
      report = '\n  ESXi version    : ' + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);
    
  • NASL familyMisc.
    NASL idVMWARE_ESXI_6_5_BUILD_5224529_REMOTE.NASL
    descriptionThe version of the remote VMware ESXi 6.5 host is prior to build 5224529. It is, therefore, affected by multiple vulnerabilities : - A stack memory initialization flaw exists that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4903) - An unspecified flaw exists in memory initialization that allows an attacker on the guest to execute arbitrary code on the host. (CVE-2017-4904) - An unspecified flaw exists in memory initialization that allows the disclosure of sensitive information. (CVE-2017-4905)
    last seen2020-06-01
    modified2020-06-02
    plugin id99131
    published2017-03-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99131
    titleESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(99131);
      script_version("1.8");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-4903", "CVE-2017-4904", "CVE-2017-4905");
      script_bugtraq_id(97160, 97164, 97165);
      script_xref(name:"VMSA", value:"2017-0006");
    
      script_name(english:"ESXi 6.5 < Build 5224529 Multiple Vulnerabilities (VMSA-2017-0006) (remote check)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi 6.5 host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of the remote VMware ESXi 6.5 host is prior to build
    5224529. It is, therefore, affected by multiple vulnerabilities :
    
      - A stack memory initialization flaw exists that allows an
        attacker on the guest to execute arbitrary code on the
        host. (CVE-2017-4903)
    
      - An unspecified flaw exists in memory initialization that
        allows an attacker on the guest to execute arbitrary
        code on the host. (CVE-2017-4904)
    
      - An unspecified flaw exists in memory initialization that
        allows the disclosure of sensitive information.
        (CVE-2017-4905)");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0006.html");
      script_set_attribute(attribute:"solution", value:
    "Apply patch ESXi650-201703410-SG according to the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4904");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/31");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:vmware:esxi:6.5");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit("Host/VMware/version");
    rel = get_kb_item_or_exit("Host/VMware/release");
    
    if ("ESXi" >!< rel) audit(AUDIT_OS_NOT, "ESXi");
    if ("VMware ESXi 6.5" >!< rel) audit(AUDIT_OS_NOT, "ESXi 6.5");
    
    match = eregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, "VMware ESXi", "6.5");
    
    build = int(match[1]);
    fixed_build = 5224529;
    
    if (build < fixed_build)
    {
      report = '\n  ESXi version    : ' + ver +
               '\n  Installed build : ' + build +
               '\n  Fixed build     : ' + fixed_build +
               '\n';
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "VMware ESXi", ver - "ESXi " + " build " + build);