Vigil@nce: VMware, several vulnerabilities
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
Several vulnerabilities impact VMware ACE, ESX, ESXi, Player,
Server and Workstation.
– Severity: 2/4
– Creation date: 09/04/2010
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities impact VMware products.
When the guest system is Windows, a local attacker can load a
library in order to elevate his privileges. [severity:2/4; ASPR
#2010-04-12-1, ASPR #2010-04-12-2, BID-39392, CVE-2010-1141]
When the guest system is Windows 2000, a local attacker can copy a
program into a specific directory in order to elevate his
privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2,
BID-39394, CVE-2010-1142]
When the host system is Windows 2000, a local attacker can copy a
program into a specific directory in order to elevate his
privileges. [severity:2/4; ASPR #2010-04-12-1, ASPR #2010-04-12-2,
BID-39397, CVE-2010-1140]
When a black and white interlaced image is opened by libpng, some
areas of the image are filled with memory contents
(VIGILANCE-VUL-8813 (https://vigilance.fr/tree/1/8813)).
[severity:1/4; BID-35233, CVE-2009-2042]
The VMware Workstation, VMware Player and VMware ACE products
install the VMnc video codec, which contains several buffer
overflows. An attacker can invite the victim to view a malicious
video in order to execute code. [severity:2/4; BID-39363,
CVE-2009-1564, ERR-2009-1564]
The VMware Workstation, VMware Player and VMware ACE products
install the VMnc video codec, which contains several integer
overflows. An attacker can invite the victim to view a malicious
video in order to execute code. [severity:2/4; BID-39364,
CVE-2009-1565]
An attacker can trigger a format string attack in VMware Remote
Console (VMrc) in order to execute code. [severity:2/4;
BID-39396, CVE-2009-3732, DSecRG-09-053]
An attacker can send a malicious authentication query to the
vmware-authd service of VMware ACE, Player or Workstation in order
to stop it (VIGILANCE-VUL-9079 (https://vigilance.fr/tree/1/9079)).
[severity:2/4; BID-36630, CVE-2009-3707]
An attacker in a guest system can send data to vmware-vmx on the
host system, which can then send it over the network.
[severity:2/4; BID-39395, CVE-2010-1138]
An attacker in a guest system can execute a command containing
format strings. Then, when the administrator uses vmrun to list
processes, a format string attack occurs, and code can run with
the administrator’s privileges. [severity:2/4; BID-39407,
CVE-2010-1139]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-several-vulnerabilities-9568