CVE-2018-6971 - Information Exposure Through Log Files vulnerability in VMware Horizon View Agents
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
VMware Horizon View Agents (7.x.x before 7.5.1) contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Fuzzing and observing application log data/errors for application mapping: An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.
Nessus
- NASL family: Windows
- NASL id: VMWARE_HORIZON_VIEW_AGENT_VMSA-2018-0018.NASL
- description: The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.1. It is, therefore, affected by a local information disclosure vulnerability.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 111386
- published: 2018-07-27
- reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/111386
- title: VMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111386);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/10");

  script_cve_id("CVE-2018-6971");
  script_xref(name:"VMSA", value:"2018-0018");

  script_name(english:"VMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)");
  script_summary(english:"Checks VMware View Agent version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtual desktop agent installed that is affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.1.
It is, therefore, affected by a local information disclosure vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0018.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Horizon View Agent 7.5.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6971");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:horizon_view_agent");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_view_agent_detect.nasl");
  script_require_keys("installed_sw/VMware View Agent");

  exit(0);
}

include("vcf.inc");

app = "VMware View Agent";

app_info = vcf::get_app_info(app:app, win_local:TRUE);

constraints = [{ "min_version": "7.0.0", "fixed_version" : "7.5.1" }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
```
- NASL family: VMware ESX Local Security Checks
- NASL id: VMWARE_VMSA-2018-0018.NASL
- description: a. VMware Horizon View Agent local information disclosure vulnerability VMware Horizon View Agents contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6971 to this issue. b. ESXi, Workstation, and Fusion denial-of-service vulnerability VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to NULL pointer dereference issue in RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Hahna Latonick and Kevin Fujimoto working with Trend Micro
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 111350
- published: 2018-07-26
- reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/111350
- title: VMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2018-0018.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(111350);
  script_version("1.5");
  script_cvs_date("Date: 2020/01/10");

  script_cve_id("CVE-2018-6971", "CVE-2018-6972");
  script_xref(name:"VMSA", value:"2018-0018");

  script_name(english:"VMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote VMware ESXi host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. VMware Horizon View Agent local information disclosure vulnerability

VMware Horizon View Agents contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6971 to this issue.

b. ESXi, Workstation, and Fusion denial-of-service vulnerability

VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to NULL pointer dereference issue in RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs.

VMware would like to thank Hahna Latonick and Kevin Fujimoto working with Trend Micro's Zero Day Initiative for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6972 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2018/000423.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);

init_esx_check(date:"2018-07-19");
flag = 0;

if (esx_check(ver:"ESXi 5.5", vib:"VMware:esx-base:5.5.0-3.117.8934887")) flag++;

if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.87.8934903")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.87.8155259")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.87.8155260")) flag++;

if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-2.54.8935087")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-2.54.8935087")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-2.54.8359236")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-2.54.8359237")) flag++;

if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-0.14.8941472")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-0.14.8941472")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-0.14.8941472")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
References
- http://www.securityfocus.com/bid/104883
- http://www.securitytracker.com/id/1041357
- http://www.securitytracker.com/id/1041358
- https://www.vmware.com/security/advisories/VMSA-2018-0018.html