VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX - Nessus

Severity: High    Plugin ID: 51971

This page contains detailed information about the VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 51971
Name: VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
Filename: vmware_VMSA-2011-0003.nasl
Vulnerability Published: 2008-07-08
This Plugin Published: 2011-02-14
Last Modification Time: 2021-01-06
Plugin Version: 1.45
Plugin Type: local
Plugin Family: VMware ESX Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version

Vulnerability Information


Severity: High
Vulnerability Published: 2008-07-08
Patch Published: 2011-02-10
CVE [?]: CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-3825, CVE-2008-5416, CVE-2009-1384, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, CVE-2009-3555, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0291, CVE-2010-0307, CVE-2010-0410, CVE-2010-0415, CVE-2010-0433, CVE-2010-0437, CVE-2010-0622, CVE-2010-0730, CVE-2010-0734, CVE-2010-0740, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, CVE-2010-0886, CVE-2010-1084, CVE-2010-1085, CVE-2010-1086, CVE-2010-1087, CVE-2010-1088, CVE-2010-1157, CVE-2010-1173, CVE-2010-1187, CVE-2010-1321, CVE-2010-1436, CVE-2010-1437, CVE-2010-1641, CVE-2010-2066, CVE-2010-2070, CVE-2010-2226, CVE-2010-2227, CVE-2010-2240, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-2928, CVE-2010-2939, CVE-2010-3081, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3556, CVE-2010-3557, CVE-2010-3559, CVE-2010-3561, CVE-2010-3562, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-3864
CPE [?]: cpe:/o:vmware:esxi:4.0, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1
Exploited by Malware: True

Synopsis

The remote VMware ESXi / ESX host is missing one or more security-related patches.

Description

a. vCenter Server and vCenter Update Manager update Microsoft SQL Server 2005 Express Edition to Service Pack 3

Microsoft SQL Server 2005 Express Edition (SQL Express) distributed with vCenter Server 4.1 Update 1 and vCenter Update Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2 to SQL Express Service Pack 3, to address multiple security issues that exist in the earlier releases of Microsoft SQL Express.

Customers using other database solutions need not update for these issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086, CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

The Apache Tomcat Manager application configuration file contains logon credentials that can be read by unprivileged local users.

The issue is resolved by removing the Manager application in vCenter 4.1 Update 1.

If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon credentials are not present in the configuration file after the update.

VMware would like to thank Claudio Criscione of Secure Networking for reporting this issue to us.

The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version 1.6.0_21

Oracle (Sun) JRE is updated to version 1.6.0_21, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following name to the security issue fixed in Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version 1.5.0_26

Oracle (Sun) JRE is updated to version 1.5.0_26, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566, CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573, CVE-2010-3565, CVE-2010-3568, CVE-2010-3569, CVE-2009-3555, CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562, CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572, CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541, CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

Apache Tomcat is updated to version 6.0.28, which addresses multiple security issues that existed in earlier releases of Apache Tomcat.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902 and CVE-2009-3548.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version 0.9.8n

The version of the OpenSSL library in vCenter Server is updated to 0.9.8n.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0740 and CVE-2010-0433 to the issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

The version of the ESX OpenSSL library is updated to 0.9.8p.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3864 and CVE-2010-2939 to the issues addressed in this update.

h. ESXi third-party component cURL updated

The version of the cURL library in ESXi is updated.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-0734 to the issue addressed in this update.

i. ESX third-party component pam_krb5 updated

The version of the pam_krb5 library is updated.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3825 and CVE-2009-1384 to the issues addressed in the update.

j. ESX third-party update for Service Console kernel

The Service Console kernel is updated to include kernel version 2.6.18-194.11.1.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070, CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086, CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437, CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and CVE-2010-3081 to the issues addressed in the update.

Notes:
  - The update also addresses the 64-bit compatibility mode stack pointer underflow issue identified by CVE-2010-3081. This issue was patched in an ESX 4.1 patch prior to the release of ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
  - The update also addresses CVE-2010-2240 for ESX 4.0.

Solution

Apply the missing patches.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): Host/VMware/esxcli_software_vibs, Host/VMware/esxupdate
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX vulnerability:

  1. Metasploit: exploit/windows/browser/java_ws_arginject_altjvm
    [Sun Java Web Start Plugin Command Line Argument Injection]
  2. Metasploit: exploit/windows/browser/java_ws_vmargs
    [Sun Java Web Start Plugin Command Line Argument Injection]
  3. Metasploit: auxiliary/dos/http/apache_tomcat_transfer_encoding
    [Apache Tomcat Transfer-Encoding Information Disclosure and DoS]
  4. Metasploit: exploit/windows/browser/java_mixer_sequencer
    [Java MixerSequencer Object GM_Song Structure Handling Vulnerability]
  5. Metasploit: exploit/multi/browser/java_rmi_connection_impl
    [Java RMIConnectionImpl Deserialization Privilege Escalation]
  6. Metasploit: exploit/multi/browser/java_trusted_chain
    [Java Statement.invoke() Trusted Method Chain Privilege Escalation]
  7. Metasploit: exploit/windows/mssql/ms09_004_sp_replwritetovarbin
    [MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption]
  8. Metasploit: exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
    [MS09-004 Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection]
  9. Metasploit: auxiliary/dos/http/slowloris
    [Slowloris Denial of Service Attack]
  10. Metasploit: exploit/multi/http/tomcat_mgr_deploy
    [Apache Tomcat Manager Application Deployer Authenticated Code Execution]
  11. Metasploit: auxiliary/scanner/http/tomcat_mgr_login
    [Tomcat Application Manager Login Utility]
  12. Metasploit: exploit/multi/http/tomcat_mgr_upload
    [Apache Tomcat Manager Authenticated Upload Code Execution]
  13. Exploit-DB: exploits/linux/dos/12334.c
    [EDB-12334: OpenSSL - Remote Denial of Service]
  14. Exploit-DB: exploits/linux/dos/14594.py
    [EDB-14594: Linux Kernel 2.6.33.3 - SCTP INIT Remote Denial of Service]
  15. Exploit-DB: exploits/windows/local/41700.rb
    [EDB-41700: Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)]
  16. Exploit-DB: exploits/multiple/remote/10579.py
    [EDB-10579: TLS - Renegotiation]
  17. Exploit-DB: exploits/multiple/remote/12343.txt
    [EDB-12343: Apache Tomcat 5.5.0 < 5.5.29 / 6.0.0 < 6.0.26 - Information Disclosure]
  18. Exploit-DB: exploits/windows/remote/15056.py
    [EDB-15056: Java 6.19 CMM readMabCurveData - Remote Stack Overflow]
  19. Exploit-DB: exploits/multiple/remote/16297.rb
    [EDB-16297: Java - 'Statement.invoke()' Trusted Method Chain (Metasploit)]
  20. Exploit-DB: exploits/multiple/remote/16305.rb
    [EDB-16305: Java - RMIConnectionImpl Deserialization Privilege Escalation (Metasploit)]
  21. Exploit-DB: exploits/multiple/remote/16317.rb
    [EDB-16317: Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit)]
  22. Exploit-DB: exploits/windows/remote/16392.rb
    [EDB-16392: Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)]
  23. Exploit-DB: exploits/windows/remote/16396.rb
    [EDB-16396: Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)]
  24. Exploit-DB: exploits/windows/remote/16585.rb
    [EDB-16585: Sun Java - Web Start Plugin Command Line Argument Injection (Metasploit)]
  25. Exploit-DB: exploits/windows/remote/18485.rb
    [EDB-18485: Java MixerSequencer Object - GM_Song Structure Handling (Metasploit)]
  26. Exploit-DB: exploits/multiple/remote/31433.rb
    [EDB-31433: Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit)]
  27. GitHub: https://github.com/cocomelonc/vulnexipy
    [CVE-2009-3548]
  28. GitHub: https://github.com/GiJ03/ReconScan
    [CVE-2009-3555]
  29. GitHub: https://github.com/RedHatProductSecurity/CVE-HOWTO
    [CVE-2009-3555]
  30. GitHub: https://github.com/RoliSoft/ReconScan
    [CVE-2009-3555]
  31. GitHub: https://github.com/ekiojp/hanase
    [CVE-2009-3555]
  32. GitHub: https://github.com/galeone/letsencrypt-lighttpd
    [CVE-2009-3555]
  33. GitHub: https://github.com/issdp/test
    [CVE-2009-3555]
  34. GitHub: https://github.com/johnwchadwick/cve-2009-3555-test-server
    [CVE-2009-3555: A TLS server using a vendored fork of the Go TLS stack that has renegotiation ...]
  35. GitHub: https://github.com/matoweb/Enumeration-Script
    [CVE-2009-3555]
  36. GitHub: https://github.com/withdk/pulse-secure-vpn-mitm-research
    [CVE-2009-3555]
  37. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2010-0415]
  38. GitHub: https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
    [CVE-2010-0415]
  39. GitHub: https://github.com/PleXone2019/Linux_Exploit_Suggester
    [CVE-2010-0415]
  40. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2010-0415]
  41. GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
    [CVE-2010-0415]
  42. GitHub: https://github.com/h4x0r-dz/local-root-exploit-
    [CVE-2010-0415]
  43. GitHub: https://github.com/qashqao/linux-xsuggest
    [CVE-2010-0415]
  44. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2010-0415]
  45. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2010-0415]
  46. GitHub: https://github.com/ram4u/Linux_Exploit_Suggester
    [CVE-2010-0415]
  47. GitHub: https://github.com/rcvalle/vulnerabilities
    [CVE-2010-0415]
  48. GitHub: https://github.com/marcocastro100/Intrusion_Detection_System-Python
    [CVE-2010-2227]
  49. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2010-2240]
  50. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2010-2240]
  51. GitHub: https://github.com/Al1ex/LinuxEelvation
    [CVE-2010-3081]
  52. GitHub: https://github.com/De4dCr0w/Linux-kernel-EoP-exp
    [CVE-2010-3081]
  53. GitHub: https://github.com/InteliSecureLabs/Linux_Exploit_Suggester
    [CVE-2010-3081]
  54. GitHub: https://github.com/PleXone2019/Linux_Exploit_Suggester
    [CVE-2010-3081]
  55. GitHub: https://github.com/R0B1NL1N/Linux-Kernal-Exploits-m-
    [CVE-2010-3081]
  56. GitHub: https://github.com/R0B1NL1N/Linux-Kernel-Exploites
    [CVE-2010-3081]
  57. GitHub: https://github.com/Snoopy-Sec/Localroot-ALL-CVE
    [CVE-2010-3081]
  58. GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
    [CVE-2010-3081]
  59. GitHub: https://github.com/h4x0r-dz/local-root-exploit-
    [CVE-2010-3081]
  60. GitHub: https://github.com/mergebase/usn2json
    [CVE-2010-3081]
  61. GitHub: https://github.com/qashqao/linux-xsuggest
    [CVE-2010-3081]
  62. GitHub: https://github.com/qiantu88/Linux--exp
    [CVE-2010-3081]
  63. GitHub: https://github.com/rakjong/LinuxElevation
    [CVE-2010-3081]
  64. GitHub: https://github.com/ram4u/Linux_Exploit_Suggester
    [CVE-2010-3081]
  65. GitHub: https://github.com/skbasava/Linux-Kernel-exploit
    [CVE-2010-3081]
  66. GitHub: https://github.com/xairy/linux-kernel-exploitation
    [CVE-2010-3081]
  67. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/15056.zip
    [EDB-15056]
  68. GitHub: https://github.com/SECFORCE/CVE-2008-5416
    [CVE-2008-5416: Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection]
  69. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.7 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.7 (High)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 1.8
CVSS Temporal Score: 7.5 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.5 (High)


Plugin Source


This is the vmware_VMSA-2011-0003.nasl Nessus plugin source code. This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2011-0003. 
# The text itself is copyright (C) VMware Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(51971);
  script_version("1.45");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2008-0085", "CVE-2008-0086", "CVE-2008-0106", "CVE-2008-0107", "CVE-2008-3825", "CVE-2008-5416", "CVE-2009-1384", "CVE-2009-2693", "CVE-2009-2901", "CVE-2009-2902", "CVE-2009-3548", "CVE-2009-3555", "CVE-2009-4308", "CVE-2010-0003", "CVE-2010-0007", "CVE-2010-0008", "CVE-2010-0082", "CVE-2010-0084", "CVE-2010-0085", "CVE-2010-0087", "CVE-2010-0088", "CVE-2010-0089", "CVE-2010-0090", "CVE-2010-0091", "CVE-2010-0092", "CVE-2010-0093", "CVE-2010-0094", "CVE-2010-0095", "CVE-2010-0291", "CVE-2010-0307", "CVE-2010-0410", "CVE-2010-0415", "CVE-2010-0433", "CVE-2010-0437", "CVE-2010-0622", "CVE-2010-0730", "CVE-2010-0734", "CVE-2010-0740", "CVE-2010-0837", "CVE-2010-0838", "CVE-2010-0839", "CVE-2010-0840", "CVE-2010-0841", "CVE-2010-0842", "CVE-2010-0843", "CVE-2010-0844", "CVE-2010-0845", "CVE-2010-0846", "CVE-2010-0847", "CVE-2010-0848", "CVE-2010-0849", "CVE-2010-0850", "CVE-2010-0886", "CVE-2010-1084", "CVE-2010-1085", "CVE-2010-1086", "CVE-2010-1087", "CVE-2010-1088", "CVE-2010-1157", "CVE-2010-1173", "CVE-2010-1187", "CVE-2010-1321", "CVE-2010-1436", "CVE-2010-1437", "CVE-2010-1641", "CVE-2010-2066", "CVE-2010-2070", "CVE-2010-2226", "CVE-2010-2227", "CVE-2010-2240", "CVE-2010-2248", "CVE-2010-2521", "CVE-2010-2524", "CVE-2010-2928", "CVE-2010-2939", "CVE-2010-3081", "CVE-2010-3541", "CVE-2010-3548", "CVE-2010-3549", "CVE-2010-3550", "CVE-2010-3551", "CVE-2010-3553", "CVE-2010-3554", "CVE-2010-3556", "CVE-2010-3557", "CVE-2010-3559", "CVE-2010-3561", "CVE-2010-3562", "CVE-2010-3565", "CVE-2010-3566", "CVE-2010-3567", "CVE-2010-3568", "CVE-2010-3569", "CVE-2010-3571", "CVE-2010-3572", "CVE-2010-3573", "CVE-2010-3574", "CVE-2010-3864");
  script_bugtraq_id(30082, 30083, 30118, 30119, 31534, 32710, 35112, 36935, 36954, 37724, 37762, 37906, 37942, 37944, 37945, 38027, 38058, 38144, 38162, 38165, 38185, 38348, 38479, 38533, 38857, 38898, 39013, 39044, 39062, 39067, 39068, 39069, 39070, 39071, 39072, 39073, 39075, 39077, 39078, 39081, 39082, 39083, 39084, 39085, 39086, 39088, 39089, 39090, 39091, 39093, 39094, 39095, 39096, 39120, 39492, 39569, 39635, 39715, 39719, 39794, 39979, 40235, 40356, 40776, 40920, 41466, 41544, 41904, 42242, 42249, 42306, 43239, 43965, 43971, 43979, 43985, 43988, 43992, 43994, 44009, 44011, 44012, 44013, 44014, 44016, 44017, 44026, 44027, 44028, 44030, 44032, 44035, 44040, 44884);
  script_xref(name:"VMSA", value:"2011-0003");

  script_name(english:"VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. vCenter Server and vCenter Update Manager update Microsoft
   SQL Server 2005 Express Edition to Service Pack 3

   Microsoft SQL Server 2005 Express Edition (SQL Express)
   distributed with vCenter Server 4.1 Update 1 and vCenter Update
   Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2
   to SQL Express Service Pack 3, to address multiple security
   issues that exist in the earlier releases of Microsoft SQL Express.

   Customers using other database solutions need not update for
   these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
   CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
   Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

   The Apache Tomcat Manager application configuration file contains
   logon credentials that can be read by unprivileged local users.

   The issue is resolved by removing the Manager application in
   vCenter 4.1 Update 1.

   If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon
   credentials are not present in the configuration file after the
   update.

   VMware would like to thank Claudio Criscione of Secure Networking
   for reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)
   has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version
   1.6.0_21

   Oracle (Sun) JRE update to version 1.6.0_21, which addresses
   multiple security issues that existed in earlier releases of
   Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the following names to the security issues fixed in
   Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,
   CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,
   CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,
   CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,
   CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,
   CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,
   CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,
   CVE-2010-0850.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the following name to the security issue fixed in
   Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version
  1.5.0_26

   Oracle (Sun) JRE update to version 1.5.0_26, which addresses
   multiple security issues that existed in earlier releases of
   Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the following names to the security issues fixed in
   Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,
   CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,
   CVE-2010-3565, CVE-2010-3568, CVE-2010-3569, CVE-2009-3555,
   CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,
   CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,
   CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,
   CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

   Apache Tomcat updated to version 6.0.28, which addresses multiple
   security issues that existed in earlier releases of Apache Tomcat

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the following names to the security issues fixed in
   Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902
   and CVE-2009-3548.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the following names to the security issues fixed in
   Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version
   0.9.8n

   The version of the OpenSSL library in vCenter Server is updated to
   0.9.8n.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2010-0740 and CVE-2010-0433 to the
   issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

   The version of the ESX OpenSSL library is updated to 0.9.8p.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2010-3864 and CVE-2010-2939 to the
   issues addressed in this update.

h. ESXi third-party component cURL updated

   The version of cURL library in ESXi is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the name CVE-2010-0734 to the issues addressed in
   this update.

i. ESX third-party component pam_krb5 updated

   The version of pam_krb5 library is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2008-3825 and CVE-2009-1384 to the
   issues addressed in the update.

j. ESX third-party update for Service Console kernel

   The Service Console kernel is updated to include kernel version
   2.6.18-194.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)
   has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,
   CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,
   CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,
   CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,
   CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,
   CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,
   CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and
   CVE-2010-3081 to the issues addressed in the update.

   Notes :
   - The update also addresses the 64-bit compatibility mode
   stack pointer underflow issue identified by CVE-2010-3081. This
   issue was patched in an ESX 4.1 patch prior to the release of
   ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
   - The update also addresses CVE-2010-2240 for ESX 4.0."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2011/000140.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sun Java Web Start Plugin Command Line Argument Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 22, 119, 189, 200, 255, 264, 287, 310, 399);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2011-02-10");
flag = 0;


if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201103401-SG",
    patch_updates : make_list("ESX400-201104401-SG", "ESX400-201110401-SG", "ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201103403-SG",
    patch_updates : make_list("ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update03", "ESX400-Update04")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201101201-SG",
    patch_updates : make_list("ESX40-TO-ESX41UPDATE01", "ESX410-201104401-SG", "ESX410-201110201-SG", "ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update01", "ESX410-Update02", "ESX410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.0",
    patch         : "ESXi400-201103401-SG",
    patch_updates : make_list("ESXi400-201104401-SG", "ESXi400-201110401-SG", "ESXi400-201203401-SG", "ESXi400-201205401-SG", "ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG", "ESXi400-Update03", "ESXi400-Update04")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201101201-SG",
    patch_updates : make_list("ESXi410-201104401-SG", "ESXi410-201110201-SG", "ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update01", "ESXi410-Update02", "ESXi410-Update03")
  )
) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
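The superseded-patch logic of the esx_check() calls above, re-implemented here as an added Python example (not Tenable's code) so a defender can run the same decision offline against a saved patch listing. The bulletin IDs are transcribed from the plugin; the sample listing is constructed, and parse_bulletins() assumes only that bulletin IDs appear as whitespace-delimited tokens, not any particular esxupdate or esxcli column layout.

```python
import re

# Required bulletin per release and the later bulletins that supersede it,
# transcribed from the esx_check() calls in vmware_VMSA-2011-0003.nasl above.
REQUIRED = {
    "ESX 4.0": [
        ("ESX400-201103401-SG", {
            "ESX400-201104401-SG", "ESX400-201110401-SG", "ESX400-201111201-SG",
            "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG",
            "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG",
            "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update03",
            "ESX400-Update04"}),
        ("ESX400-201103403-SG", {
            "ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG",
            "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG",
            "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG",
            "ESX400-Update03", "ESX400-Update04"}),
    ],
    "ESX 4.1": [
        ("ESX410-201101201-SG", {
            "ESX40-TO-ESX41UPDATE01", "ESX410-201104401-SG", "ESX410-201110201-SG",
            "ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG",
            "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG",
            "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG",
            "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update01",
            "ESX410-Update02", "ESX410-Update03"}),
    ],
    "ESXi 4.0": [
        ("ESXi400-201103401-SG", {
            "ESXi400-201104401-SG", "ESXi400-201110401-SG", "ESXi400-201203401-SG",
            "ESXi400-201205401-SG", "ESXi400-201206401-SG", "ESXi400-201209401-SG",
            "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG",
            "ESXi400-201404401-SG", "ESXi400-Update03", "ESXi400-Update04"}),
    ],
    "ESXi 4.1": [
        ("ESXi410-201101201-SG", {
            "ESXi410-201104401-SG", "ESXi410-201110201-SG", "ESXi410-201201401-SG",
            "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG",
            "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG",
            "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG",
            "ESXi410-201404401-SG", "ESXi410-Update01", "ESXi410-Update02",
            "ESXi410-Update03"}),
    ],
}

# Shape of the bulletin IDs used in the plugin ("ESX400-201103401-SG",
# "ESX40-TO-ESX41UPDATE01", "ESXi410-Update03").  Assumption: the listing we
# are given contains the IDs as whitespace-delimited tokens; nothing about
# the column layout of esxupdate or esxcli output is relied upon.
BULLETIN_RE = re.compile(r"\bESXi?\d{2,3}-[A-Za-z0-9-]+")


def parse_bulletins(listing: str) -> set:
    """Collect every bulletin ID mentioned anywhere in a patch listing."""
    return set(BULLETIN_RE.findall(listing))


def missing_patches(release: str, installed: set) -> list:
    """Mirror the plugin's esx_check() logic for one host.

    A required bulletin is satisfied when it is installed itself or when any
    bulletin from its patch_updates list (a later roll-up that contains it)
    is installed.  Returns the required bulletins that remain unsatisfied;
    an empty list means the host is not affected.  Releases the plugin does
    not check (anything other than ESX/ESXi 4.0 and 4.1) yield nothing.
    """
    unsatisfied = []
    for patch, updates in REQUIRED.get(release, []):
        if patch in installed or installed & updates:
            continue
        unsatisfied.append(patch)
    return unsatisfied


def check_host(release: str, listing: str) -> list:
    """Convenience wrapper: parse a listing and report unsatisfied bulletins."""
    return missing_patches(release, parse_bulletins(listing))


# Constructed sample listing (not real esxupdate output): an ESX 4.0 host that
# has only the ESX400-201104401-SG bulletin installed.  That bulletin is in the
# patch_updates list of ESX400-201103401-SG but not of ESX400-201103403-SG, so
# the plugin still flags the host for the second bulletin.
SAMPLE_ESX40 = """\
---------Bulletin ID---------   ---Installed---   Summary (constructed sample)
ESX400-201104401-SG             2011-05-02        Updates ESX 4.0 packages
"""

if __name__ == "__main__":
    for patch in check_host("ESX 4.0", SAMPLE_ESX40):
        print(f"missing: {patch}")
```

The sample shows why the plugin carries two separate checks for ESX 4.0: a roll-up that supersedes one required bulletin does not necessarily supersede the other.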

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/vmware_VMSA-2011-0003.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\vmware_VMSA-2011-0003.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/vmware_VMSA-2011-0003.nasl


How to Run


Here is how to run the VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select VMware ESX Local Security Checks plugin family.
  6. On the right side table select VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX plugin ID 51971.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl vmware_VMSA-2011-0003.nasl -t <IP/HOST>

Run the plugin with an audit trail message on the console:

/opt/nessus/bin/nasl -a vmware_VMSA-2011-0003.nasl -t <IP/HOST>

Run the plugin with a trace of script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - vmware_VMSA-2011-0003.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state vmware_VMSA-2011-0003.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID:
VMSA | VMware Security Advisory:
CWE | Common Weakness Enumeration:
  • CWE-20 (Weakness) Improper Input Validation
  • CWE-22 (Weakness) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-189 (Category) Numeric Errors
  • CWE-200 (Weakness) Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-255 (Category) Credentials Management Errors
  • CWE-264 (Category) Permissions, Privileges, and Access Controls
  • CWE-287 (Weakness) Improper Authentication
  • CWE-310 (Category) Cryptographic Issues
  • CWE-399 (Category) Resource Management Errors
See also (similar and related Nessus plugins):
  • 89674 - VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)
  • 51197 - RHEL 4 / 5 / 6 : java-1.6.0-ibm (RHSA-2010:0987)
  • 51198 - SuSE 11 / 11.1 Security Update : GnuTLS (SAT Patch Numbers 3650 / 3651)
  • 51338 - SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12658)
  • 51339 - SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 7231)
  • 51440 - Debian DSA-2141-1 : openssl - SSL/TLS insecure renegotiation protocol design flaw
  • 51604 - SuSE 11 / 11.1 Security Update : IBM Java 1.4.2 (SAT Patch Numbers 2413 / 2483)
  • 51605 - SuSE 11.1 Security Update : IBM Java 1.4.2 (SAT Patch Number 3528)
  • 51606 - SuSE 11.1 Security Update : IBM Java 6 (SAT Patch Number 2553)
  • 51608 - SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 2568 / 2569 / 2570)
  • 51610 - SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 3068 / 3069 / 3070)
  • 51611 - SuSE 11 Security Update : Linux kernel (SAT Patch Number 3164)
  • 51612 - SuSE 11.1 Security Update : Linux kernel (SAT Patch Numbers 3276 / 3280 / 3284)
  • 51636 - SuSE 11.1 Security Update : Xorg (SAT Patch Number 2968)
  • 51667 - SuSE 11.1 Security Update : IBM Java 6 (SAT Patch Number 3724)
  • 51748 - SuSE 10 Security Update : GnuTLS (ZYPP Patch Number 7299)
  • 51750 - SuSE 10 Security Update : IBM Java 6 SR9 (ZYPP Patch Number 7312)
  • 51751 - SuSE 10 Security Update : Sun Java 1.6.0 (ZYPP Patch Number 7204)
  • 52629 - SuSE9 Security Update : IBMJava JRE and SDK (YOU Patch Number 12682)
  • 52631 - SuSE 11.1 Security Update : IBM Java (SAT Patch Number 4024)
  • 52632 - SuSE 10 Security Update : IBM Java (ZYPP Patch Number 7348)
  • 52686 - SuSE 11 Security Update : MozillaFirefox, MozillaFirefox-branding-upstream, etc (SAT Patch Number 2254)
  • 52688 - SuSE 11 Security Update : Mozilla XULrunner (SAT Patch Number 2255)
  • 52702 - SuSE9 Security Update : IBM Java (YOU Patch Number 12683)
  • 52737 - SuSE 10 Security Update : IBM Java (ZYPP Patch Number 7350)
  • 52971 - SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 7381)
  • 53212 - Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities
  • 53532 - HP System Management Homepage < 6.3 Multiple Vulnerabilities
  • 53592 - VMSA-2011-0007 : VMware ESXi and ESX Denial of Service and third-party updates for Likewise components and ESX Service Console
  • 53618 - SuSE9 Security Update : GnuTLS (YOU Patch Number 12705)
  • 53660 - openSUSE Security Update : gnutls (openSUSE-SU-2010:1025-1)
  • 53661 - openSUSE Security Update : gnutls (openSUSE-SU-2010:1025-2)
  • 53662 - openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2010:0957-1)
  • 53728 - openSUSE Security Update : gnutls (openSUSE-SU-2010:1025-1)
  • 53729 - openSUSE Security Update : gnutls (openSUSE-SU-2010:1025-2)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file vmware_VMSA-2011-0003.nasl version 1.45. For more plugins, visit the Nessus Plugin Library.
