Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26509
HistoryJun 11, 2011 - 12:00 a.m.

VMware Tools Multiple Vulnerabilities

2011-06-1100:00:00
vulners.com
329

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     VSR Security Advisory
                   http://www.vsecurity.com/
  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Product Description


  • From [1]:

"VMware Tools is a suite of utilities that enhances the performance of the
virtual machine's guest operating system and improves management of the
virtual machine. Without VMware Tools installed in your guest operating
system, guest performance lacks important functionality."

Vulnerability Overview


On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a
suite of utilities shipped by VMware with multiple product offerings, as well
as by open-source distributions as the open-vm-tools package. The first of
these issues results in a minor information disclosure vulnerability, while the
second two issues may result in privilege escalation in a VMware guest with
VMware Tools installed.

Product Background


VMware Tools includes mount.vmhgfs, a setuid-root utility that allows
unprivileged users in a guest VM to mount HGFS shared folders. Also shipped
with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which
handles initial setup to prepare for running vmware-user, which grants users
access to other utilities included with VMware Tools.

Vulnerability Details


CVE-2011-2146:

The mount.vmhgfs utility makes a call to stat() to check for the existence and
type (file, directory, etc.) of the user-supplied mountpoint, and provides an
error message if the provided argument does not exist or is not a directory.
Because mount.vmhgfs is setuid-root, a local attacker can leverage this
behavior to identify if a given path exists in the guest operating system and
whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787:

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition exists between the time this checking is performed
and when the mount is performed. Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at
/tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this
directory root-owned and world-writable. By placing a symbolic link at the
location of this directory, vmware-user-suid-wrapper will cause the symbolic
link target to become world-writable, allowing local attackers to escalate
privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools
are affected.

Versions Affected


VMware's advisory [2] indicates the following product versions are affected:

   VMware      Product     Running     Replace with/
   Product     Version     on          Apply Patch
   =========   ========    =======     =================
   vCenter     any         Windows     not affected

   Workstation 7.1.x       Linux       7.1.4 or later*
   Workstation 7.1.x       Windows     7.1.4 or later*

   Player      3.1.x       Linux       3.1.4 or later*
   Player      3.1.x       Windows     3.1.4 or later*

   AMS         any         any         not affected

   Fusion      3.1.x       OSX         Fusion 3.1.3 or later*

   ESXi        4.1         ESXi        ESXi410-201104402-BG*
   ESXi        4.0         ESXi        ESXi400-201104402-BG*
   ESXi        3.5         ESXi        ESXe350-201105402-T-SG*

   ESX         4.1         ESX         ESX410-201104401-SG*
   ESX         4.0         ESX         ESX400-201104401-SG*
   ESX         3.5         ESX         ESX350-201105406-SG*
   ESX         3.0.3       ESX         not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response


The following timeline details VMware's response to the reported issue:

2011-02-17 VMware receives initial vulnerability report
2011-02-17 VMware security team acknowledges receipt
2011-03-04 VMware provides status update
2011-03-04 VSR initiates discussion of disclosure date
2011-03-10 VMware responds, indicates internal coordination underway
2011-03-11 VSR acknowledges response
2011-03-15 VMware indicates internal coordination still ongoing
2011-03-15 VSR acknowledges response
2011-03-20 VMware proposes disclosure date of late Q3
2011-03-21 VSR agrees to disclosure date
2011-03-30 VMware provides status update
2011-04-28 VMware provides status update
2011-05-05 VMware provides status update
2011-05-06 VSR acknowledges receipt of status updates
2011-06-03 Coordinated disclosure

VMware's advisory may be obtained at:
http://www.vmware.com/security/advisories/VMSA-2011-0009.html

Recommendation


Apply VMware-supplied updates to affected products, or download
distribution-supplied security updates if using the opem-vm-tools package.

Common Vulnerabilities and Exposures (CVE) Information


The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2011-1787, CVE-2011-2145, and CVE-2011-2146 to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

Acknowledgements


Thanks for VMware for their prompt response, frequent status updates, and fix.

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

  1. Overview of VMware Tools
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&amp;cmd=displayKC&amp;externalId=340

  2. VMSA-2011-0009
    http://www.vmware.com/security/advisories/VMSA-2011-0009.html

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Virtual Security Research, LLC nor the author
accepts any liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure

  • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Copyright 2011 Virtual Security Research, LLC. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3pNGcACgkQQ1RSUNR+T+iowQCgkdOfJOwQRyAMz2bTIRYnU3NP
5eIAnAv2x6MbVe5TcfwS36P/eY8VcEaW
=0Y7v
-----END PGP SIGNATURE-----