ID CVE-2011-1787
Summary Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory.
References
Vulnerable Configurations
  • VMware Workstation 7.1.1
    cpe:2.3:a:vmware:workstation:7.1.1
  • VMware Workstation 7.1.2
    cpe:2.3:a:vmware:workstation:7.1.2
  • VMware Workstation 7.1.3
    cpe:2.3:a:vmware:workstation:7.1.3
  • VMware Player 3.1
    cpe:2.3:a:vmware:player:3.1
  • VMware Player 3.1.1
    cpe:2.3:a:vmware:player:3.1.1
  • VMware Player 3.1.2
    cpe:2.3:a:vmware:player:3.1.2
  • VMware Player 3.1.3
    cpe:2.3:a:vmware:player:3.1.3
  • VMware Fusion 3.1
    cpe:2.3:a:vmware:fusion:3.1
  • VMware Fusion 3.1.1
    cpe:2.3:a:vmware:fusion:3.1.1
  • VMware Fusion 3.1.2
    cpe:2.3:a:vmware:fusion:3.1.2
  • VMware ESXi 3.5
    cpe:2.3:a:vmware:esxi:3.5
  • VMware ESXi 4.0
    cpe:2.3:a:vmware:esxi:4.0
  • VMware ESXi 4.1
    cpe:2.3:a:vmware:esxi:4.1
  • VMware ESX 3.0.3
    cpe:2.3:a:vmware:esx:3.0.3
  • VMware ESX 3.5
    cpe:2.3:a:vmware:esx:3.5
  • VMware ESX 4.0
    cpe:2.3:a:vmware:esx:4.0
  • VMware ESX 4.1
    cpe:2.3:a:vmware:esx:4.1
CVSS (v2)
Base: 6.9 (as of 07-06-2011 - 09:39)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C (local access, medium complexity, no authentication; complete confidentiality, integrity and availability impact, matching the Access and Impact tables below)
Impact: 10.0 (subscore derived from the C:C/I:C/A:C vector)
Exploitability: 3.4 (subscore derived from the AV:L/AC:M/Au:N vector)
CWE CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
  • CAPEC-26: Leveraging Race Conditions
    This attack targets a race condition that arises when multiple processes access and manipulate the same resource concurrently and the outcome depends on the order in which those accesses happen. The attacker "runs the race": by modifying the resource at the right moment, they alter the normal execution flow. A typical case is file access, where the attacker replaces the original file with a controlled version so that the system reads the malicious one.
  • CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets the window between the time a program checks the state of a resource and the time it uses that resource. File access is the typical example: the attacker changes what a path refers to between the program's check and its use, for instance by swapping in a different file or directory, so that a privileged operation is applied to something the check never saw. When the program runs with elevated privileges, the result is usually privilege escalation. In this CVE the privileged program is the setuid mount helper and the resource is the mount point directory.
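The following C program is an added illustration of the check-then-use shape described above, not VMware's or open-vm-tools' mount.vmhgfs code, and it makes no claim about where the check sat in that binary. A helper that validates a caller-supplied mount point by name and then mounts on the same name can be beaten by re-pointing that name in between; a helper that opens the directory with O_NOFOLLOW, validates the object it actually opened and then acts through that descriptor cannot. The race is simulated single-threaded by a hook that runs between check and use; realpath() and getcwd() stand in for the privileged mount(2) call, and the directory names, the victim directory and the attacker_swap hook are all constructed for the demo.

```c
/* Added example (not VMware's or open-vm-tools' code): a check-then-use race
 * in a privileged mount helper, simulated single-threaded, beside an fd-based
 * variant that closes the window. All paths and the hook are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

struct swap { const char *mnt, *parked, *victim; };

/* Attacker's move in the window between check and use: park the benign
 * directory under another name and drop a symlink to the victim in its place.
 * The attacker owns the parent directory, so no privilege is needed for this. */
static void attacker_swap(struct swap *s)
{
    if (rename(s->mnt, s->parked) == 0)
        (void)symlink(s->victim, s->mnt);
}

/* Vulnerable shape: validate the mount point by name, then hand the same name
 * to the privileged operation, which resolves the path a second time. */
static int mount_by_path(const char *mnt, uid_t caller, struct swap *race, char *target)
{
    struct stat st;
    if (stat(mnt, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != caller)
        return -1;                          /* check passes on the benign dir */
    if (race) attacker_swap(race);          /* ...and the name is re-pointed */
    return realpath(mnt, target) ? 0 : -1;  /* stands in for mount(src, mnt, ...) */
}

/* Hardened shape: open the directory without following a trailing symlink,
 * validate the object that was actually opened, and act through that fd. */
static int mount_by_fd(const char *mnt, uid_t caller, struct swap *race, char *target)
{
    struct stat st;
    int fd = open(mnt, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != caller) { close(fd); return -1; }
    if (race) attacker_swap(race);          /* same swap, but we hold the fd */
    /* Use: fchdir() to the validated descriptor and operate on "." (a real
     * helper would call mount(src, ".", ...) here); we just report where we are. */
    int saved = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int rc = (fchdir(fd) == 0 && getcwd(target, PATH_MAX) != NULL) ? 0 : -1;
    if (saved >= 0) { (void)fchdir(saved); close(saved); }
    close(fd);
    return rc;
}

/* Runs both helpers against the same attacker. Returns bit 0 set if the
 * path-based helper ended up on the victim directory and bit 1 set if the
 * fd-based helper did. Expected result: 1 (only the vulnerable helper loses). */
int run_demo(void)
{
    const char *td = getenv("TMPDIR");
    if (!td) td = "/tmp";
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/hgfs-race-XXXXXX", td);
    char *base = mkdtemp(tmpl);
    if (!base) return -1;

    char mnt[PATH_MAX], parked[PATH_MAX], victim[PATH_MAX], victim_real[PATH_MAX], got[PATH_MAX];
    snprintf(mnt, sizeof mnt, "%s/benign", base);          /* attacker-owned mount point */
    snprintf(parked, sizeof parked, "%s/benign.old", base);
    snprintf(victim, sizeof victim, "%s/victim", base);     /* stands in for e.g. /etc */
    if (mkdir(mnt, 0755) != 0 || mkdir(victim, 0755) != 0) return -1;
    if (!realpath(victim, victim_real)) return -1;

    struct swap s = { mnt, parked, victim };
    int result = 0;
    if (mount_by_path(mnt, getuid(), &s, got) == 0 && strcmp(got, victim_real) == 0)
        result |= 1;
    unlink(mnt);                 /* reset: drop the symlink, restore the directory */
    (void)rename(parked, mnt);
    if (mount_by_fd(mnt, getuid(), &s, got) == 0 && strcmp(got, victim_real) == 0)
        result |= 2;
    unlink(mnt); rmdir(parked); rmdir(victim); rmdir(base);   /* cleanup */
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("path-based helper landed on the victim directory: %s\n", (r & 1) ? "yes" : "no");
    printf("fd-based helper landed on the victim directory:   %s\n", (r & 2) ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o hgfs-race hgfs-race.c` and run as an ordinary user; it needs a writable TMPDIR and a kernel with O_NOFOLLOW/O_DIRECTORY (Linux, the BSDs and macOS all have them). The point of the fd-based variant is that nothing after the fstat() ever re-resolves the caller's path: fchdir() plus mounting on "." is one well-known way for a setuid helper to guarantee that the directory it validated is the directory it mounts on, and it is presented here as that general mitigation, not as the specific patch VMware shipped for this CVE. The check against st_uid is the same ownership rule a mount helper would apply; what changes is only which object it is applied to.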
Access
  Vector: LOCAL
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Windows
    NASL id VMWARE_MULTIPLE_VMSA_2011_0009.NASL
    description A VMware product (Player or Workstation) detected on the remote host has multiple vulnerabilities in the Host Guest File System:
    - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it's a file or a directory regardless of permissions. (CVE-2011-2146)
    - A race condition in mount.vmhgfs may allow an attacker with access to a Guest to mount on arbitrary directories in the Guest filesystem and escalate their privileges if they can control the contents of the mounted directory. (CVE-2011-1787)
    - A procedural error allows an attacker with access to a Solaris or FreeBSD Guest operating system to gain write access to an arbitrary file in the Guest filesystem. (CVE-2011-2145)
    These vulnerabilities only affect non-Windows guest operating systems.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 54996
    published 2011-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54996
    title VMware Products Multiple Vulnerabilities (VMSA-2011-0009)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LIBVMTOOLS-DEVEL-110607.NASL
    description This update of open-vm-tools fixes the following vulnerabilities, which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75626
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75626
    title openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LIBVMTOOLS-DEVEL-110608.NASL
    description This update of open-vm-tools fixes the following vulnerabilities, which allowed an attacker to gain root privileges within the guest system: CVE-2011-1681, CVE-2011-2146, CVE-2011-1787, CVE-2011-2145
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75932
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75932
    title openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FUSION_3_1_3.NASL
    description The version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.3. As such, it is reportedly affected by the following three security vulnerabilities:
    - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it's a file or a directory regardless of permissions. (CVE-2011-2146)
    - A race condition in mount.vmhgfs may allow an attacker with access to a Guest to mount on arbitrary directories in the Guest filesystem and escalate their privileges if they can control the contents of the mounted directory. (CVE-2011-1787)
    - A procedural error allows an attacker with access to a Solaris or FreeBSD Guest operating system to gain write access to an arbitrary file in the Guest filesystem. (CVE-2011-2145)
    - A buffer overflow in the way UDF file systems are handled could allow for code execution if a specially crafted ISO image is used. (CVE-2011-3868)
    Note that the first three vulnerabilities only affect non-Windows guest operating systems.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 54974
    published 2011-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54974
    title VMware Fusion < 3.1.3 (VMSA-2011-0009 / VMSA-2011-0011)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2011-0009_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities:
    - A flaw exists in the Linux Kernel in the do_anonymous_page() function due to improper separation of the stack and the heap. An attacker can exploit this to execute arbitrary code. (CVE-2010-2240)
    - A packet filter bypass exists in the Linux Kernel e1000 driver due to processing trailing payload data as a complete frame. A remote attacker can exploit this to bypass packet filters via a large packet with a crafted payload. (CVE-2009-4536)
    - A use-after-free error exists in the Linux Kernel when IPV6_RECVPKTINFO is set on a listening socket. A remote attacker can exploit this, via a SYN packet while the socket is in a listening (TCP_LISTEN) state, to cause a kernel panic, resulting in a denial of service condition. (CVE-2010-1188)
    - An array index error exists in the Linux Kernel in the gdth_read_event() function. A local attacker can exploit this, via a negative event index in an IOCTL request, to cause a denial of service condition. (CVE-2009-3080)
    - A race condition exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to gain privileges by mounting a filesystem on top of an arbitrary directory. (CVE-2011-1787)
    - A flaw exists in the VMware Host Guest File System (HGFS) that allows a Solaris or FreeBSD guest operating system user to modify arbitrary guest operating system files. (CVE-2011-2145)
    - A flaw exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to disclose host operating system files and directories. (CVE-2011-2146)
    - A flaw exists in the bundled Tom Sawyer GET Extension Factory that allows a remote attacker to cause a denial of service condition or the execution of arbitrary code via a crafted HTML document. (CVE-2011-2217)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89678
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89678
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2011-0009.NASL
    description a. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass
    There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
    b. ESX third-party update for Service Console kernel
    This update for the console OS kernel package resolves four security issues.
    1) IPv4 Remote Denial of Service: A remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue.
    2) SCSI Driver Denial of Service / Possible Privilege Escalation: A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue.
    3) Kernel Memory Management Arbitrary Code Execution: A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue.
    4) e1000 Driver Packet Filter Bypass: There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue.
    c. Multiple vulnerabilities in mount.vmhgfs
    This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems.
    1) Mount.vmhgfs Information Disclosure: Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue.
    2) Mount.vmhgfs Race Condition: Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue.
    3) Mount.vmhgfs Privilege Escalation: Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue.
    VMware would like to thank Dan Rosenberg for reporting these issues.
    d. VI Client ActiveX vulnerabilities
    VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user. VMware would like to thank Elazar Broad and iDefense for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2011-2217 to this issue.
    Affected versions: The vSphere Client which comes with vSphere 4.0 and vSphere 4.1 is not affected. This is any build of vSphere Client Version 4.0.0 and vSphere Client Version 4.1.0.
    VI Clients bundled with VMware Infrastructure 3 that are not affected are:
    - VI Client 2.0.2 Build 230598 and higher
    - VI Client 2.5 Build 204931 and higher
    The issue can be remediated by replacing an affected VI Client with the VI Client bundled with VirtualCenter 2.5 Update 6 or VirtualCenter 2.5 Update 6a.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 54968
    published 2011-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=54968
    title VMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
refmap via4
bid 48098
confirm http://www.vmware.com/security/advisories/VMSA-2011-0009.html
sectrack 1025601
secunia
  • 44840
  • 44904
suse openSUSE-SU-2011:0617
Last major update 13-11-2014 - 22:00
Published 06-06-2011 - 15:55