Vulnerabilities > CVE-2019-5531 - Insufficient Session Expiration vulnerability in VMWare Esxi, Vcenter Server and Vsphere Esxi

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
vmware
CWE-613
nessus

Summary

VMware vSphere ESXi (6.7 prior to ESXi670-201810101-SG, 6.5 prior to ESXi650-201811102-SG, and 6.0 prior to ESXi600-201807103-SG) and VMware vCenter Server (6.7 prior to 6.7 U1b, 6.5 prior to 6.5 U2b, and 6.0 prior to 6.0 U3j) contain an information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user’s browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2019-0013.NASL
    descriptiona. VMware ESXi busybox command injection vulnerability ESXi contains a command injection vulnerability due to the use of a vulnerable version of busybox that does not sanitize filenames, which may result in executing any escape sequence in the shell. An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. b. ESXi Host Client information disclosure vulnerability An information disclosure vulnerability in clients arising from insufficient session expiration. An attacker with physical access or an ability to mimic a websocket connection to a user's browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
    last seen2020-06-01
    modified2020-06-02
    plugin id128994
    published2019-09-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128994
    titleVMSA-2019-0013 : Command injection and information disclosure vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2019-0013. 
    # The text itself is copyright (C) VMware Inc.
    #
    # Local (SSH) check for VMSA-2019-0013: compares the VIBs installed on an
    # ESXi 6.0 / 6.5 / 6.7 host against the patch VIBs listed in the advisory.
    # Covers CVE-2017-16544 (BusyBox) and CVE-2019-5531 (Host Client session
    # expiration) in a single plugin; the host is flagged if any listed VIB is
    # missing.
    
    include("compat.inc");
    
    # Registration phase: runs when the scanner loads the plugin, only declares
    # metadata and dependencies, then exits without scanning.
    if (description)
    {
      script_id(128994);
      script_version("1.4");
      script_cvs_date("Date: 2019/12/27");
    
      script_cve_id("CVE-2017-16544", "CVE-2019-5531");
      script_xref(name:"VMSA", value:"2019-0013");
      script_xref(name:"IAVA", value:"2019-A-0344");
    
      script_name(english:"VMSA-2019-0013 : Command injection and information disclosure vulnerabilities");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. VMware ESXi busybox command injection vulnerability
    
    ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.
    
    An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. 
    
    b. ESXi Host Client information disclosure vulnerability
    
    An information disclosure vulnerability in clients arising from insufficient session expiration.
    
    An attacker with physical access or an ability to mimic a websocket connection to a users browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2019/000467.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      # NOTE(review): these vectors (Au:S, C:H/I:H/A:H) are the same ones plugin
      # 129493 attributes to CVE-2017-16544 via cvss_score_source; the vCenter
      # plugin 129503 scores CVE-2019-5531 lower (AV:N/AC:M/Au:N/C:P/I:P/A:N).
      # No cvss_score_source is declared here, so the reported severity reflects
      # the BusyBox issue, not the session-expiration one — confirm.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.7");
    
      # vuln_publication_date is the 2017 BusyBox disclosure, i.e. the older of
      # the two CVEs covered by this plugin.
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      # Needs an authenticated SSH session and the VIB / esxupdate inventory the
      # detection plugin stores in the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    # Detection phase. Bail out (audit) unless local checks ran, the host is
    # ESX/ESXi, and at least one package inventory (esxcli VIB list or esxupdate
    # output) is available; without an inventory no conclusion is possible.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Advisory patch date passed to the shared ESX check helper — presumably used
    # to scope which installed patches count; see vmware_esx_packages.inc.
    init_esx_check(date:"2019-09-16");
    # Counts the fixed VIBs that are missing from the host.
    flag = 0;
    
    
    # One esx_check() per fixed VIB and ESXi release from the advisory; the call
    # is assumed to return true when the host runs that release but does not
    # carry the listed VIB build (or newer) — semantics live in the include.
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.125.14475122")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-ui:1.30.0-9063842")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.125.14292904")) flag++;
    if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.125.14292905")) flag++;
    
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-3.96.13932383")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-3.96.13932383")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-ui:1.31.0-10201673")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-3.96.13371499")) flag++;
    if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-3.96.13530496")) flag++;
    
    # ESXi 6.7 lists two builds each for esx-base, vsan and vsanhealth (0.28.*
    # and 1.44.* patch trains). How esx_check() reconciles two entries for the
    # same VIB is decided inside vmware_esx_packages.inc, not here.
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-0.28.10176879")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-base:6.7.0-1.44.12986307")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:esx-update:6.7.0-1.44.12986307")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-0.28.10176879")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsan:6.7.0-1.44.11399678")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-0.28.10176879")) flag++;
    if (esx_check(ver:"ESXi 6.7", vib:"VMware:vsanhealth:6.7.0-1.44.11399680")) flag++;
    
    
    # Report if any fixed VIB was missing; with verbose reporting, attach the
    # per-VIB detail collected by the helper. Otherwise audit as not affected.
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idVMWARE_ESXI_VMSA-2019-0013.NASL
    descriptionThe remote VMware ESXi host is version 6.0, 6.5 or 6.7 and is affected by the following vulnerabilities: - A remote code execution vulnerability caused by a failure to sanitize filenames in the tab autocomplete feature of BusyBox. This allows an attacker to execute arbitrary code, write arbitrary files, or conduct other attacks. (CVE-2017-16544) - An information disclosure vulnerability caused by insufficient session expiration. This allows an attacker with physical access or the ability to mimic a websocket connection to a user
    last seen2020-06-01
    modified2020-06-02
    plugin id129493
    published2019-10-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129493
    titleESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Remote, version-based check for VMSA-2019-0013 on ESXi 6.0 / 6.5 / 6.7.
    # Unlike the local VIB check (plugin 128994) this only compares the build
    # number the host self-reports against a fixed build per release, so it is
    # gated behind paranoid reporting and declared as potential_vulnerability.
    include('compat.inc');
    
    # Registration phase: declares metadata and dependencies, then exits.
    if (description)
    {
      script_id(129493);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id("CVE-2017-16544", "CVE-2019-5531");
      script_bugtraq_id(93287);
      script_xref(name:"VMSA", value:"2019-0013");
      script_xref(name:"IAVA", value:"2019-A-0344");
    
      script_name(english:"ESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi host is missing a security patch and is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESXi host is version 6.0, 6.5 or 6.7 and is affected the following vulnerabilities:
    
      - A remote code execution vulnerability caused by
        a failure to sanitize filenames in the tab autocomplete
        feature of BusyBox. This allows an attacker to execute
        arbitrary code, write arbitrary files, or conduct other
        attacks. (CVE-2017-16544)
    
      - An information disclosure vulnerability caused by
        insufficient session expiration. This allows an
        attacker with physical access or the ability to mimic
        a websocket connection to a user's browser to control
        a VM console after the user's session has expired or
        they have logged out. (CVE-2019-5531)
    
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0013.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch as referenced in the vendor advisory.");
      # Severity is taken from CVE-2017-16544 (declared below via
      # cvss_score_source), the higher-scored of the two CVEs; CVE-2019-5531 on
      # its own is rated lower (see plugin 129503).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16544");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/02");
    
      # Version-only inference: flagged as a potential vulnerability and requires
      # the paranoid setting (checked below) before it reports.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Only run under paranoid reporting: the result rests solely on a
    # self-reported build number, which cannot distinguish a backported fix.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # First fixed build per ESXi minor release (string values; converted with
    # int() below). 6.7's 12986307 is the same build as the esx-base VIB
    # checked by plugin 128994.
    fixes = make_array(
      '6.0', '14513180',
      '6.5', '13873656',
      '6.7', '12986307'
    );
    
    # Release string must identify ESXi (not classic ESX).
    rel = get_kb_item_or_exit('Host/VMware/release');
    if ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi');
    
    ver = get_kb_item_or_exit('Host/VMware/version');
    
    # Reduce the version string to its major.minor part, e.g. "ESXi 6.7 ..." -> "6.7".
    match = pregmatch(pattern:'^ESXi? ([0-9]+\\.[0-9]+).*$', string:ver);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.0 / 6.5 / 6.7');
    ver = match[1];
    
    # Only the three releases covered by the advisory are assessed.
    if (ver !~ '^6\\.(0|5|7)$') audit(AUDIT_OS_NOT, 'ESXi 6.0 / 6.5 / 6.7');
    
    fixed_build = int(fixes[ver]);
    
    # Defensive: every accepted version has an entry above, so this only fires
    # if the table and the regex ever drift apart.
    if (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);
    
    # Installed build number is the trailing "build-NNNN" of the release string.
    match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.0 / 6.5 / 6.7');
    
    build = int(match[1]);
    
    # Numeric comparison; a build at or above the fixed build is not reported.
    if (build >= fixed_build) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);
    
    report = '\n  ESXi version    : ' + ver +
             '\n  Installed build : ' + build +
             '\n  Fixed build     : ' + fixed_build +
             '\n';
    
    security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);
    
  • NASL familyMisc.
    NASL idVMWARE_VCENTER_VMSA-2019-0013.NASL
    descriptionThe version of VMware vCenter Server installed on the remote host is 6.0 prior to U3j, 6.5 prior to U3, or 6.7 prior to U3, and is, therefore, affected by the following vulnerabilities: - An information disclosure vulnerability caused by insufficient session expiration. This allows an attacker with physical access or the ability to mimic a websocket connection to a user
    last seen2020-06-01
    modified2020-06-02
    plugin id129503
    published2019-10-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129503
    titleVMware vCenter Server 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Remote, version-based check for VMSA-2019-0013 on vCenter Server
    # 6.0 / 6.5 / 6.7. Compares the build number extracted from the detected
    # release string against the first fixed build of each minor release.
    
    include('compat.inc');
    
    # Registration phase: declares metadata and dependencies, then exits.
    if (description)
    {
      script_id(129503);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2019-5531", "CVE-2019-5532", "CVE-2019-5534");
      script_xref(name:"VMSA", value:"2019-0013");
      script_xref(name:"IAVA", value:"2019-A-0344");
    
      script_name(english:"VMware vCenter Server 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)");
    
      script_set_attribute(attribute:"synopsis", value:
    "A virtualization management application installed on the remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of VMware vCenter Server installed on the remote host is 6.0 prior to U3j, 6.5 prior to U3, or 6.7 prior
    to U3, and is, therefore, affected by the following vulnerabilities:
    
      - An information disclosure vulnerability caused by
        insufficient session expiration. This allows an
        attacker with physical access or the ability to mimic
        a websocket connection to a user's browser to control a
        VM console after the user's session has expired or they
        have logged out. (CVE-2019-5531)
    
      - An information disclosure vulnerability caused by
        plain-text logging of virtual machine credentials
        through OVF. This allows an attacker with access to the
        log files which contain the vCenter OVF-properties of a
        virtual machine deployed from an OVF to view the
        credentials used to deploy the OVF, which typically
        belong to the root account of the virtual machine.
        (CVE-2019-5532)
    
      - An information disclosure vulnerability in virtual
        machines deployed from an OVF which could expose login
        information via the virtual machine's vAppConfig
        properties. An attacker with access to query the
        vAppConfig properties of a virtual machine deployed
        from an OVF can view the credentials used to deploy the
        OVC, which typically belong to the root account of the
        virtual machine. (CVE-2019-5534)
        
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      # NOTE(review): "OVC" in the CVE-2019-5534 paragraph above is presumably a
      # typo for "OVF" in user-facing text; left untouched here.
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0013.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VMware vCenter Server 6.0 U3j, 6.5 U3, or 6.7 U3 or later.");
      # Severity is taken from CVE-2019-5531 (cvss_score_source below): network
      # vector, medium complexity, no authentication, partial C/I impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5531");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/02");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_server");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Relies on the vCenter detection plugin for the version/release KB entries
      # and the port it was found on.
      script_dependencies("vmware_vcenter_detect.nbin");
      script_require_keys("Host/VMware/vCenter", "Host/VMware/version", "Host/VMware/release");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Detection phase: all three KB entries are mandatory (exit otherwise).
    port = get_kb_item_or_exit('Host/VMware/vCenter');
    version = get_kb_item_or_exit('Host/VMware/version');
    release = get_kb_item_or_exit('Host/VMware/release');
    
    # Extract and verify the build number
    # The replacement is "\1" in a double-quoted literal, so the backslash is
    # passed through to ereg_replace literally. If the pattern does not match,
    # the release string is presumably returned unchanged and then fails the
    # digits-only test below — that test is the effective match check.
    build = ereg_replace(pattern:'^VMware vCenter Server [0-9\\.]+ build-([0-9]+)$', string:release, replace:"\1");
    if (build !~ '^[0-9]+$') exit(1, 'Failed to extract the build number from the release string.');
    
    # Strip the product prefix so the report shows just "<version> build-<n>".
    release = release - 'VMware vCenter Server ';
    fixversion = NULL;
    
    # Check version and build numbers
    # Fixed builds are the U3j / U3 / U3 releases that cover all three CVEs
    # listed above. NOTE(review): the version literals are spelled "VMWare"
    # while the product name is "VMware"; this matches only if =~ is
    # case-insensitive — confirm. Single-quoted NASL strings process escapes,
    # so '\\.' reaches the regex engine as a literal dot.
    # 6.0 U3j https://docs.vmware.com/en/VMware-vSphere/6.0/rn/vsphere-vcenter-server-60u3j-release-notes.html
    if(version =~ '^VMWare vCenter 6\\.0$' && int(build) < 14510545) fixversion = '6.0.0 build-14510545';
    # 6.5 U3 https://docs.vmware.com/en/VMware-vSphere/6.5/rn/vsphere-vcenter-server-65u3-release-notes.html
    else if(version =~ '^VMWare vCenter 6\\.5$' && int(build) < 14020092) fixversion = '6.5.0 build-14020092';
    # 6.7 U3 https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3-release-notes.html
    else if(version =~ '^VMWare vCenter 6\\.7$' && int(build) < 14367737) fixversion = '6.7.0 build-14367737';
    # Anything else — an up-to-date 6.x build or a version outside 6.0-6.7 —
    # is audited as not vulnerable rather than as unknown.
    else audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);
    
    # Reached only when one of the three branches set fixversion.
    report = report_items_str(
      report_items:make_array(
        'Installed version', release,
        'Fixed version', fixversion
      ),
      ordered_fields:make_list('Installed version', 'Fixed version')
    );
    security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);