VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues - Nessus
High Plugin ID: 54968This page contains detailed information about the VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 54968
Name: VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
Filename: vmware_VMSA-2011-0009.nasl
Vulnerability Published: N/A
This Plugin Published: 2011-06-06
Last Modification Time: 2021-01-06
Plugin Version: 1.43
Plugin Type: local
Plugin Family: VMware ESX Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/local_checks_enabled, Host/VMware/release, Host/VMware/version
Vulnerability Information
Severity: High
Vulnerability Published: N/A
Patch Published: 2011-06-02
CVE [?]: CVE-2009-3080, CVE-2009-4536, CVE-2010-1188, CVE-2010-2240, CVE-2011-1787, CVE-2011-2145, CVE-2011-2146, CVE-2011-2217
CPE [?]: cpe:/o:vmware:esxi:3.5, cpe:/o:vmware:esxi:4.0, cpe:/o:vmware:esxi:4.1, cpe:/o:vmware:esxi:5.0, cpe:/o:vmware:esx:3.5, cpe:/o:vmware:esx:4.0, cpe:/o:vmware:esx:4.1
Synopsis
The remote VMware ESXi / ESX host is missing one or more security-related patches.
Description
a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass
There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
b. ESX third-party update for Service Console kernel
This update for the console OS kernel package resolves four security issues.
1) IPv4 Remote Denial of Service
An remote attacker can achieve a denial of service via an issue in the kernel IPv4 code.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.
2) SCSI Driver Denial of Service / Possible Privilege Escalation
A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.
3) Kernel Memory Management Arbitrary Code Execution
A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.
4) e1000 Driver Packet Filter Bypass
There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
c. Multiple vulnerabilities in mount.vmhgfs
This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.
1) Mount.vmhgfs Information Disclosure
Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.
2) Mount.vmhgfs Race Condition
Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.
3) Mount.vmhgfs Privilege Escalation
Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.
VMware would like to thank Dan Rosenberg for reporting these issues.
d. VI Client ActiveX vulnerabilities
VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user.
VMware would like to thank Elazar Broad and iDefense for reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-2217 to this issue.
Affected versions.
The vSphere Client which comes with vSphere 4.0 and vSphere 4.1 is not affected. This is any build of vSphere Client Version 4.0.0 and vSphere Client Version 4.1.0.
VI Clients bundled with VMware Infrastructure 3 that are not affected are : - VI Client 2.0.2 Build 230598 and higher - VI Client 2.5 Build 204931 and higher
The issue can be remediated by replacing an affected VI Client with the VI Client bundled with VirtualCenter 2.5 Update 6 or VirtualCenter 2.5 Update 6a.
Solution
Apply the missing patches.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): Host/VMware/esxcli_software_vibs, Host/VMware/esxupdate
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues vulnerability:
- Metasploit: exploit/windows/browser/tom_sawyer_tsgetx71ex552
[Tom Sawyer Software GET Extension Factory Remote Code Execution] - Exploit-DB: exploits/windows/remote/19030.rb
[EDB-19030: Tom Sawyer Software GET Extension Factory - Remote Code Execution (Metasploit)] - GitHub: https://github.com/Technoashofficial/kernel-exploitation-linux
[CVE-2010-2240] - GitHub: https://github.com/xairy/linux-kernel-exploitation
[CVE-2010-2240]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
| CVSS Base Score: | 9.3 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 7.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 7.7 (High) |
Go back to menu.
Plugin Source
This is the vmware_VMSA-2011-0009.nasl nessus plugin source code. This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2011-0009.
# The text itself is copyright (C) VMware Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(54968);
script_version("1.43");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id("CVE-2009-3080", "CVE-2009-4536", "CVE-2010-1188", "CVE-2010-2240", "CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146", "CVE-2011-2217");
script_bugtraq_id(37068, 37519, 39016, 42505, 48098, 48099);
script_xref(name:"VMSA", value:"2011-0009");
script_name(english:"VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues");
script_summary(english:"Checks esxupdate output for the patches");
script_set_attribute(
attribute:"synopsis",
value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
);
script_set_attribute(
attribute:"description",
value:
"a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass
There is an issue in the e1000(e) Linux driver for Intel PRO/1000
adapters that allows a remote attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-4536 to this issue.
b. ESX third-party update for Service Console kernel
This update for the console OS kernel package resolves four
security issues.
1) IPv4 Remote Denial of Service
An remote attacker can achieve a denial of service via an
issue in the kernel IPv4 code.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-1188 to
this issue.
2) SCSI Driver Denial of Service / Possible Privilege Escalation
A local attacker can achieve a denial of service and
possibly a privilege escalation via a vulnerability in
the Linux SCSI drivers.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-3080 to
this issue.
3) Kernel Memory Management Arbitrary Code Execution
A context-dependent attacker can execute arbitrary code
via a vulnerability in a kernel memory handling function.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2010-2240 to
this issue.
4) e1000 Driver Packet Filter Bypass
There is an issue in the Service Console e1000 Linux
driver for Intel PRO/1000 adapters that allows a remote
attacker to bypass packet filters.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2009-4536 to
this issue.
c. Multiple vulnerabilities in mount.vmhgfs
This patch provides a fix for the following three security
issues in the VMware Host Guest File System (HGFS). None of
these issues affect Windows based Guest Operating Systems.
1) Mount.vmhgfs Information Disclosure
Information disclosure via a vulnerability that allows an
attacker with access to the Guest to determine if a path
exists in the Host filesystem and whether it is a file or
directory regardless of permissions.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2146 to
this issue.
2) Mount.vmhgfs Race Condition
Privilege escalation via a race condition that allows an
attacker with access to the guest to mount on arbitrary
directories in the Guest filesystem and achieve privilege
escalation if they can control the contents of the
mounted directory.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-1787 to
this issue.
3) Mount.vmhgfs Privilege Escalation
Privilege escalation via a procedural error that allows
an attacker with access to the guest operating system to
gain write access to an arbitrary file in the Guest
filesystem. This issue only affects Solaris and FreeBSD
Guest Operating Systems.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2011-2145 to
this issue.
VMware would like to thank Dan Rosenberg for reporting these
issues.
d. VI Client ActiveX vulnerabilities
VI Client COM objects can be instantiated in Internet Explorer
which may cause memory corruption. An attacker who succeeded in
making the VI Client user visit a malicious Web site could
execute code on the user's system within the security context of
that user.
VMware would like to thank Elazar Broad and iDefense for
reporting this issue to us.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2011-2217 to this issue.
Affected versions.
The vSphere Client which comes with vSphere 4.0 and vSphere 4.1
is not affected. This is any build of vSphere Client Version
4.0.0 and vSphere Client Version 4.1.0.
VI Clients bundled with VMware Infrastructure 3 that are not
affected are :
- VI Client 2.0.2 Build 230598 and higher
- VI Client 2.5 Build 204931 and higher
The issue can be remediated by replacing an affected VI Client
with the VI Client bundled with VirtualCenter 2.5 Update 6 or
VirtualCenter 2.5 Update 6a."
);
script_set_attribute(
attribute:"see_also",
value:"http://lists.vmware.com/pipermail/security-announce/2011/000158.html"
);
script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Tom Sawyer Software GET Extension Factory Remote Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(189);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
script_set_attribute(attribute:"patch_publication_date", value:"2011/06/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/06");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.");
script_family(english:"VMware ESX Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
exit(0);
}
include("audit.inc");
include("vmware_esx_packages.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
!get_kb_item("Host/VMware/esxcli_software_vibs") &&
!get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);
init_esx_check(date:"2011-06-02");
flag = 0;
if (
esx_check(
ver : "ESX 3.5.0",
patch : "ESX350-201105401-SG",
patch_updates : make_list("ESX350-201205401-SG")
)
) flag++;
if (esx_check(ver:"ESX 3.5.0", patch:"ESX350-201105404-SG")) flag++;
if (
esx_check(
ver : "ESX 3.5.0",
patch : "ESX350-201105406-SG",
patch_updates : make_list("ESX350-201203402-BG")
)
) flag++;
if (
esx_check(
ver : "ESX 4.0",
patch : "ESX400-201104401-SG",
patch_updates : make_list("ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update03", "ESX400-Update04")
)
) flag++;
if (
esx_check(
ver : "ESX 4.0",
patch : "ESX400-201110410-SG",
patch_updates : make_list("ESX400-Update04")
)
) flag++;
if (
esx_check(
ver : "ESX 4.1",
patch : "ESX410-201104401-SG",
patch_updates : make_list("ESX410-201110201-SG", "ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
)
) flag++;
if (
esx_check(
ver : "ESX 4.1",
patch : "ESX410-201110225-SG",
patch_updates : make_list("ESX410-Update02", "ESX410-Update03")
)
) flag++;
if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201105401-I-SG")) flag++;
if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-201105402-T-SG")) flag++;
if (
esx_check(
ver : "ESXi 4.0",
patch : "ESXi400-201110401-SG",
patch_updates : make_list("ESXi400-201203401-SG", "ESXi400-201205401-SG", "ESXi400-201206401-SG", "ESXi400-201209401-SG", "ESXi400-201302401-SG", "ESXi400-201305401-SG", "ESXi400-201310401-SG", "ESXi400-201404401-SG", "ESXi400-Update04")
)
) flag++;
if (
esx_check(
ver : "ESXi 4.1",
patch : "ESXi410-201110201-SG",
patch_updates : make_list("ESXi410-201201401-SG", "ESXi410-201204401-SG", "ESXi410-201205401-SG", "ESXi410-201206401-SG", "ESXi410-201208101-SG", "ESXi410-201211401-SG", "ESXi410-201301401-SG", "ESXi410-201304401-SG", "ESXi410-201307401-SG", "ESXi410-201312401-SG", "ESXi410-201404401-SG", "ESXi410-Update02", "ESXi410-Update03")
)
) flag++;
if (esx_check(ver:"ESXi 5.0", vib:"VMware:net-e1000:8.0.3.1-2vmw.500.0.3.515841")) flag++;
if (esx_check(ver:"ESXi 5.0", vib:"VMware:net-e1000e:1.1.2-3vmw.500.0.3.515841")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/vmware_VMSA-2011-0009.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\vmware_VMSA-2011-0009.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/vmware_VMSA-2011-0009.nasl
Go back to menu.
How to Run
Here is how to run the VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select VMware ESX Local Security Checks plugin family.
- On the right side table select VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues plugin ID 54968.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl vmware_VMSA-2011-0009.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a vmware_VMSA-2011-0009.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - vmware_VMSA-2011-0009.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state vmware_VMSA-2011-0009.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID: VMSA | VMware Security Advisory: CWE | Common Weakness Enumeration:
- CWE-189 (Category) Numeric Errors
- https://www.tenable.com/plugins/nessus/54968
- http://lists.vmware.com/pipermail/security-announce/2011/000158.html
- https://vulners.com/nessus/VMWARE_VMSA-2011-0009.NASL
- 44096 - CentOS 5 : kernel (CESA-2010:0046)
- 49179 - CentOS 4 : kernel (CESA-2010:0676)
- 44860 - Debian DSA-1996-1 : linux-2.6 - privilege escalation/denial of service/sensitive memory leak
- 43125 - Fedora 10 : kernel-2.6.27.41-170.2.117.fc10 (2009-13098)
- 48414 - Fedora 13 : kernel-2.6.33.8-149.fc13 (2010-13058)
- 48415 - Fedora 12 : kernel-2.6.32.19-163.fc12 (2010-13110)
- 47270 - Fedora 12 : kernel-2.6.31.12-174.2.19.fc12 (2010-1787)
- 49190 - Mandriva Linux Security Advisory : kernel (MDVSA-2010:172)
- 49666 - Mandriva Linux Security Advisory : kernel (MDVSA-2010:188)
- 49795 - Mandriva Linux Security Advisory : kernel (MDVSA-2010:198)
- 67988 - Oracle Linux 5 : kernel (ELSA-2010-0046)
- 68094 - Oracle Linux 4 : kernel (ELSA-2010-0676)
- 79507 - OracleVM 2.2 : kernel (OVMSA-2013-0039)
- 44062 - RHEL 5 : kernel (RHSA-2010:0046)
- 49129 - RHEL 4 : kernel (RHSA-2010:0676)
- 63952 - RHEL 4 : kernel (RHSA-2010:0677)
- 48923 - Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : xorg-server (SSA:2010-240-06)
- 43631 - SuSE 11.2 Security Update: kernel (2009-12-18)
- 54990 - Tom Sawyer Software GET Extension Factory COM Object Instantiation Memory Corruption
- 43026 - Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : linux, linux-source-2.6.15 vulnerabilities (USN-864-1)
- 46810 - Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : linux, linux-source-2.6.15 vulnerabilities (USN-947-1)
- 48381 - Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : linux, linux-{ec2,fsl-imx51,mvl-dove,source-2.6.15,ti-omap} vulnerabilities (USN-974-1)
- 70880 - ESXi 5.0 < Build 515841 Multiple Vulnerabilities (remote check)
- 46765 - VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates
- 89740 - VMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check)
- 53592 - VMSA-2011-0007 : VMware ESXi and ESX Denial of Service and third-party updates for Likewise components and ESX Service Console
- 89676 - VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0007) (remote check)
- 89678 - VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file vmware_VMSA-2011-0009.nasl version 1.43. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
