Vulnerabilities > CVE-2018-6971 - Information Exposure Through Log Files vulnerability in VMWare Horizon View Agents

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
local
low complexity
vmware
CWE-532
nessus
NVD
Published: 2018-07-25
Updated: 2019-10-03

Summary

VMware Horizon View Agents (7.x.x before 7.5.1) contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation.

Vulnerable Configurations

Part Description Count
Application
Vmware
1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

  • NASL familyWindows
    NASL idVMWARE_HORIZON_VIEW_AGENT_VMSA-2018-0018.NASL
    descriptionThe VMware Horizon View Agent installed on the remote host is 7.x prior to 7.5.1. It is, therefore, affected by a local information disclosure vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id111386
    published2018-07-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111386
    titleVMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(111386);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/10");

  script_cve_id("CVE-2018-6971");
  script_xref(name:"VMSA", value:"2018-0018");

  script_name(english:"VMware Horizon View Agent 7.x < 7.5.1 Local Information Disclosure Vulnerability (VMSA-2018-0018)");
  script_summary(english:"Checks VMware View Agent version");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a virtual desktop agent installed that is
affected by an information disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The VMware Horizon View Agent installed on the remote host is 7.x
prior to 7.5.1. It is, therefore, affected by a local information
disclosure vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2018-0018.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Horizon View Agent 7.5.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6971");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:horizon_view_agent");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vmware_view_agent_detect.nasl");
  script_require_keys("installed_sw/VMware View Agent");

  exit(0);
}

include("vcf.inc");

app = "VMware View Agent";

app_info = vcf::get_app_info(app:app, win_local:TRUE);

constraints = [{ "min_version": "7.0.0", "fixed_version" : "7.5.1" }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2018-0018.NASL
    descriptiona. VMware Horizon View Agent local information disclosure vulnerability VMware Horizon View Agents contain a local information disclosure vulnerability due to insecure logging of credentials in the vmmsi.log file when an account other than the currently logged on user is specified during installation (including silent installations). Successful exploitation of this issue may allow low privileged users access to the credentials specified during the Horizon View Agent installation. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6971 to this issue. b. ESXi, Workstation, and Fusion denial-of-service vulnerability VMware ESXi, Workstation, and Fusion contain a denial-of-service vulnerability due to NULL pointer dereference issue in RPC handler. Successful exploitation of this issue may allow attackers with normal user privileges to crash their VMs. VMware would like to thank Hahna Latonick and Kevin Fujimoto working with Trend Micro
    last seen2020-06-01
    modified2020-06-02
    plugin id111350
    published2018-07-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111350
    titleVMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2018-0018. 
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(111350);
  script_version("1.5");
  script_cvs_date("Date: 2020/01/10");

  script_cve_id("CVE-2018-6971", "CVE-2018-6972");
  script_xref(name:"VMSA", value:"2018-0018");

  script_name(english:"VMSA-2018-0018 : VMware Horizon View Agent, VMware ESXi, Workstation, and Fusion updates resolve multiple security issues");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESXi host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"a. VMware Horizon View Agent local information disclosure vulnerability

VMware Horizon View Agents contain a local information disclosure 
vulnerability due to insecure logging of credentials in the
vmmsi.log file when an account other than the currently logged on
user is specified during installation (including silent
installations). Successful exploitation of this issue may allow low
privileged users access to the credentials specified during the
Horizon View Agent installation.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6971 to this issue.

b. ESXi, Workstation, and Fusion denial-of-service vulnerability

VMware ESXi, Workstation, and Fusion contain a denial-of-service 
vulnerability due to NULL pointer dereference issue in RPC handler. 
Successful exploitation of this issue may allow attackers with 
normal user privileges to crash their VMs.

VMware would like to thank Hahna Latonick and Kevin Fujimoto working 
with Trend Micro's Zero Day Initiative for reporting this issue to 
us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6972 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2018/000423.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2018-07-19");
flag = 0;


if (esx_check(ver:"ESXi 5.5", vib:"VMware:esx-base:5.5.0-3.117.8934887")) flag++;

if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.87.8934903")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.87.8155259")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.87.8155260")) flag++;

if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-2.54.8935087")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-2.54.8935087")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-2.54.8359236")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-2.54.8359237")) flag++;

if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-0.14.8941472")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-0.14.8941472")) flag++;
if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-0.14.8941472")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

References