CVE-2018-6971 - Information Exposure Through Log Files vulnerability in VMware Horizon View Agents

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, vmware, CWE-532, nessus

Summary

VMware Horizon View Agents (7.x.x before 7.5.1) contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation.
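
A defender's check for this class of weakness (CWE-532), added here as an example and not taken from VMware or Tenable: it scans an installer log for credential-like properties whose values were written unmasked, and reports only line numbers and property names. It assumes vmmsi.log follows the Windows Installer verbose-log property format ("Property(S): NAME = value"); the property names and sample lines are constructed.

```python
import re

# Windows Installer verbose logs dump properties as "Property(S): NAME = value"
# (server side) or "Property(C): NAME = value" (client side).
PROP_LINE = re.compile(r"^Property\((?:S|C)\):\s*(?P<name>[^=\s]+)\s*=\s*(?P<value>.*)$")
# Heuristic for credential-bearing property names (assumption; tune per product).
SENSITIVE = re.compile(r"PASS|PWD|SECRET|CREDENTIAL", re.IGNORECASE)
# Properties listed in MsiHiddenProperties are logged as a run of asterisks.
MASKED = re.compile(r"^\*+$")


def decode_log(raw: bytes) -> str:
    """MSI logs are commonly UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def find_exposed_properties(raw: bytes):
    """Return (line_number, property_name) for unmasked sensitive properties.

    Values are never returned, so the report itself does not leak them.
    """
    findings = []
    for lineno, line in enumerate(decode_log(raw).splitlines(), start=1):
        m = PROP_LINE.match(line.strip())
        if not m or not SENSITIVE.search(m["name"]):
            continue
        value = m["value"].strip()
        if value and not MASKED.match(value):
            findings.append((lineno, m["name"]))
    return findings


# Constructed sample, not real vmmsi.log content; property names are hypothetical.
SAMPLE_LOG = (
    "MSI (s) (A4:10) [10:00:01:000]: Doing action: InstallFinalize\r\n"
    "Property(S): EXAMPLE_SVC_USERNAME = CORP\\svc-example\r\n"
    "Property(S): EXAMPLE_SVC_PASSWORD = constructed-placeholder\r\n"
    "Property(S): EXAMPLE_DB_PASSWORD = **********\r\n"
    "Property(C): EXAMPLE_PROXY_PWD = \r\n"
).encode("utf-16")

if __name__ == "__main__":
    for lineno, name in find_exposed_properties(SAMPLE_LOG):
        print(f"line {lineno}: {name} logged in clear text")
```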

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages, but by attempting a large number of message variants they may find a variant that triggers the desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

  • NASL family: Windows
    NASL id: VMWARE_HORIZON_VIEW_AGENT_VMSA-2018-0018.NASL
    description: The VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.1. It is, therefore, affected by a local information disclosure vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111386
    published: 2018-07-27
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111386
    title: VMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111386);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/10");
    
      script_cve_id("CVE-2018-6971");
      script_xref(name:"VMSA", value:"2018-0018");
    
      script_name(english:"VMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)");
      script_summary(english:"Checks VMware View Agent version");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a virtual desktop agent installed that is
    affected by an information disclosure vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The VMware Horizon View Agent installed on the remote host is 7.x
    prior to 7.5.1. It is, therefore, affected by a local information
    disclosure vulnerability.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0018.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware Horizon View Agent 7.5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6971");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:horizon_view_agent");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_view_agent_detect.nasl");
      script_require_keys("installed_sw/VMware View Agent");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    app = "VMware View Agent";
    
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [{ "min_version": "7.0.0", "fixed_version" : "7.5.1" }];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
    
  • NASL family: VMware ESX Local Security Checks
    NASL id: VMWARE_VMSA-2018-0018.NASL
    description: a. VMware Horizon View Agent local information disclosure vulnerability VMware Horizon View Agents contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6971 to this issue. b. ESXi, Workstation, and Fusion denial-of-service vulnerability VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to NULL pointer dereference issue in RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Hahna Latonick and Kevin Fujimoto working with Trend Micro
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 111350
    published: 2018-07-26
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/111350
    title: VMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2018-0018. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111350);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/10");
    
      script_cve_id("CVE-2018-6971", "CVE-2018-6972");
      script_xref(name:"VMSA", value:"2018-0018");
    
      script_name(english:"VMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. VMware Horizon View Agent local information disclosure vulnerability
    
    VMware Horizon View Agents contain a local information disclosure 
    vulnerability due to insecure logging of credentials in the
    vmmsi.log file when an account other than the currently logged on
    user is specified during installation (including silent
    installations). Successful exploitation of this issue may allow low
    privileged users access to the credentials specified during the
    Horizon View Agent installation.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2018-6971 to this issue.
    
    b. ESXi, Workstation, and Fusion denial-of-service vulnerability
    
    VMware ESXi, Workstation, and Fusion contain a denial-of-service 
    vulnerability due to NULL pointer dereference issue in RPC handler. 
    Successful exploitation of this issue may allow attackers with 
    normal user privileges to crash their VMs.
    
    VMware would like to thank Hahna Latonick and Kevin Fujimoto working 
    with Trend Micro's Zero Day Initiative for reporting this issue to 
    us.
    
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2018-6972 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2018/000423.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/26");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2018-07-19");
    flag = 0;
    
    
    if (esx_check(ver:"ESXi 5.5", vib:"VMware:esx-base:5.5.0-3.117.8934887")) flag++;
    
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.87.8934903")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.87.8155259")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.87.8155260")) flag++;
    
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-2.54.8935087")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-2.54.8935087")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-2.54.8359236")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-2.54.8359237")) flag++;
    
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-0.14.8941472")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-0.14.8941472")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-0.14.8941472")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");