Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: VMware Tools Multiple Vulnerabilities Release Date: 2011-06-03 Application: VMware Guest Tools Severity: High Author: Dan Rosenberg
Vendor Status: Patch Released  CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146 Reference: http://www.vsecurity.com/resources/advisory/20110603-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product Description ------------------- From : "VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality." Vulnerability Overview ---------------------- On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed. Product Background ------------------ VMware Tools includes mount.vmhgfs, a setuid-root utility that allows unprivileged users in a guest VM to mount HGFS shared folders. Also shipped with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which handles initial setup to prepare for running vmware-user, which grants users access to other utilities included with VMware Tools. Vulnerability Details --------------------- CVE-2011-2146: The mount.vmhgfs utility makes a call to stat() to check for the existence and type (file, directory, etc.) of the user-supplied mountpoint, and provides an error message if the provided argument does not exist or is not a directory. Because mount.vmhgfs is setuid-root, a local attacker can leverage this behavior to identify if a given path exists in the guest operating system and whether it is a file or directory, potentially violating directory permissions. CVE-2011-1787: The mount.vmhgfs utility checks that the user-provided mountpoint is owned by the user attempting to mount an HGFS share prior to performing the mount. However, a race condition exists between the time this checking is performed and when the mount is performed. Successful exploitation allows a local attacker to mount HGFS shares over arbitrary, potentially root-owned directories, subsequently allowing privilege escalation within the guest. CVE-2011-2145: The vmware-user-suid-wrapper utility attempts to create a directory at /tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this directory root-owned and world-writable. By placing a symbolic link at the location of this directory, vmware-user-suid-wrapper will cause the symbolic link target to become world-writable, allowing local attackers to escalate privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools are affected. Versions Affected ----------------- VMware's advisory  indicates the following product versions are affected: VMware Product Running Replace with/ Product Version on Apply Patch ========= ======== ======= ================= vCenter any Windows not affected Workstation 7.1.x Linux 7.1.4 or later* Workstation 7.1.x Windows 7.1.4 or later* Player 3.1.x Linux 3.1.4 or later* Player 3.1.x Windows 3.1.4 or later* AMS any any not affected Fusion 3.1.x OSX Fusion 3.1.3 or later* ESXi 4.1 ESXi ESXi410-201104402-BG* ESXi 4.0 ESXi ESXi400-201104402-BG* ESXi 3.5 ESXi ESXe350-201105402-T-SG* ESX 4.1 ESX ESX410-201104401-SG* ESX 4.0 ESX ESX400-201104401-SG* ESX 3.5 ESX ESX350-201105406-SG* ESX 3.0.3 ESX not affected The open-vm-tools package prior to version 2011.02.23-368700 is also affected. Vendor Response --------------- The following timeline details VMware's response to the reported issue: 2011-02-17 VMware receives initial vulnerability report 2011-02-17 VMware security team acknowledges receipt 2011-03-04 VMware provides status update 2011-03-04 VSR initiates discussion of disclosure date 2011-03-10 VMware responds, indicates internal coordination underway 2011-03-11 VSR acknowledges response 2011-03-15 VMware indicates internal coordination still ongoing 2011-03-15 VSR acknowledges response 2011-03-20 VMware proposes disclosure date of late Q3 2011-03-21 VSR agrees to disclosure date 2011-03-30 VMware provides status update 2011-04-28 VMware provides status update 2011-05-05 VMware provides status update 2011-05-06 VSR acknowledges receipt of status updates 2011-06-03 Coordinated disclosure VMware's advisory may be obtained at: http://www.vmware.com/security/advisories/VMSA-2011-0009.html Recommendation -------------- Apply VMware-supplied updates to affected products, or download distribution-supplied security updates if using the opem-vm-tools package. Common Vulnerabilities and Exposures (CVE) Information ------------------------------------------------------ The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers CVE-2011-1787, CVE-2011-2145, and CVE-2011-2146 to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Acknowledgements ---------------- Thanks for VMware for their prompt response, frequent status updates, and fix. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- References: 1. Overview of VMware Tools http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=340 2. VMSA-2011-0009 http://www.vmware.com/security/advisories/VMSA-2011-0009.html -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: http://www.vsecurity.com/company/disclosure -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Copyright 2011 Virtual Security Research, LLC. All rights reserved.
Editor’s note: This work was originally published by VSR on their website at https://www.vsecurity.com/resources/advisories.html. VSR is now a part of NCC Group, so we have migrated this content to research.nccgroup.com. The advisory text as above has been copy-pasted to this blog for historical reference.