Vigil@nce - VMware: three vulnerabilities of mount.vmhgfs
June 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
Three vulnerabilities of VMware products can be used by an
attacker in order to obtain information or to elevate his
privileges.
Severity: 2/4
Creation date: 06/06/2011
IMPACTED PRODUCTS
– OpenSUSE
– VMware ESX
– VMware ESXi
– VMware Player
– VMware vSphere
– VMware Workstation
DESCRIPTION OF THE VULNERABILITY
The mount.vmhgfs tool is used to mount HGFS filesystem, used for
file sharing. It is installed suid root, and it is impacted by
three vulnerabilities.
An attacker located in a guest system can analyze error messages
of the mount.vmhgfs program, in order to detect if a file exists
on the host system. [severity:1/4; CVE-2011-2146]
An attacker located in a guest system can use mount.vmhgfs and a
symbolic link to mount a directory belonging to root, in order to
alter its content. [severity:2/4; CVE-2011-1787]
An attacker located in a FreeBSD or Solaris guest system can
create a symbolic link to /tmp/VMwareDnD, in order to force the
vmware-user-suid-wrapper program to change the permission of a
directory to be world writable. [severity:2/4; CVE-2011-2145]
Three vulnerabilities of VMware products can therefore be used by
an attacker in order to obtain information or to elevate his
privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-three-vulnerabilities-of-mount-vmhgfs-10707