ID CVE-2012-2449
Summary VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x through 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly configure the virtual floppy device, which allows guest OS users to cause a denial of service (out-of-bounds write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
References
Vulnerable Configurations
  • VMWare Workstation 8.0
    cpe:2.3:a:vmware:workstation:8.0
  • VMWare Workstation 8.0.1
    cpe:2.3:a:vmware:workstation:8.0.1
  • VMWare Workstation 8.0.2
    cpe:2.3:a:vmware:workstation:8.0.2
  • VMware Player 4.0
    cpe:2.3:a:vmware:player:4.0
  • VMware Player 4.0.1
    cpe:2.3:a:vmware:player:4.0.1
  • VMware Player 4.0.2
    cpe:2.3:a:vmware:player:4.0.2
  • VMware Fusion 4.0
    cpe:2.3:a:vmware:fusion:4.0
  • VMware Fusion 4.0.1
    cpe:2.3:a:vmware:fusion:4.0.1
  • VMware Fusion 4.0.2
    cpe:2.3:a:vmware:fusion:4.0.2
  • VMware Fusion 4.1
    cpe:2.3:a:vmware:fusion:4.1
  • VMware Fusion 4.1.1
    cpe:2.3:a:vmware:fusion:4.1.1
  • VMware Fusion 4.1.2
    cpe:2.3:a:vmware:fusion:4.1.2
  • VMWare ESXi 3.5
    cpe:2.3:o:vmware:esxi:3.5
  • VMWare ESXi 3.5 update 1
    cpe:2.3:o:vmware:esxi:3.5:1
  • VMWare ESXi 4.0
    cpe:2.3:o:vmware:esxi:4.0
  • VMWare ESXi 4.0 update 1
    cpe:2.3:o:vmware:esxi:4.0:1
  • VMWare ESXi 4.0 update 2
    cpe:2.3:o:vmware:esxi:4.0:2
  • VMWare ESXi 4.0 update 3
    cpe:2.3:o:vmware:esxi:4.0:3
  • VMWare ESXi 4.0 update 4
    cpe:2.3:o:vmware:esxi:4.0:4
  • VMWare ESXi 4.1
    cpe:2.3:o:vmware:esxi:4.1
  • VMWare ESXi 4.1 update 1
    cpe:2.3:o:vmware:esxi:4.1:1
  • VMWare ESXi 4.1 update 2
    cpe:2.3:o:vmware:esxi:4.1:2
  • VMWare ESXi 5.0
    cpe:2.3:o:vmware:esxi:5.0
  • VMWare ESX 3.5
    cpe:2.3:o:vmware:esx:3.5
  • VMWare ESX 3.5 update1
    cpe:2.3:o:vmware:esx:3.5:update1
  • VMWare ESX 3.5 update2
    cpe:2.3:o:vmware:esx:3.5:update2
  • VMWare ESX 3.5 update3
    cpe:2.3:o:vmware:esx:3.5:update3
  • VMWare ESX 4.0
    cpe:2.3:o:vmware:esx:4.0
  • VMWare ESX 4.1
    cpe:2.3:o:vmware:esx:4.1
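The affected-version logic in the summary above, as an added example (not code from VMware, NVD or Tenable): it turns the CPE names listed here into a verdict. Branches and first fixed versions are taken from the summary (Workstation 8.x before 8.0.3, Player 4.x before 4.0.3, Fusion 4.x through 4.1.2, so fixed in 4.1.3). For ESX/ESXi 3.5 through 5.0 the fix ships as a build-level patch (the page cites ESXi 5.0 build 702118), which a major.minor string cannot express, so those branches are only flagged for a patch-level check. Branches the summary does not list (for example Workstation 7.x) get no verdict here; VMSA-2012-0009 is the authority for them.

```python
"""Affected-version check for CVE-2012-2449 (added example, not from the advisory).

Hosted products are judged on version alone; ESX/ESXi need a build/patch-level
check because the fix is a patch, not a new major.minor version.
"""
import re


def parse_version(version):
    """'8.0.1' -> (8, 0, 1); '4.0' -> (4, 0, 0). Non-numeric fragments are ignored."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    return parts + (0,) * max(0, 3 - len(parts))


# Hosted products: (affected major branch, first fixed version in that branch),
# taken from the CVE summary.
HOSTED_FIXED = {
    "workstation": (8, (8, 0, 3)),
    "player": (4, (4, 0, 3)),
    "fusion": (4, (4, 1, 3)),
}

# Bare-metal products: inclusive major.minor range named in the CVE summary.
BARE_METAL_RANGES = {
    "esxi": ((3, 5), (5, 0)),
    "esx": ((3, 5), (4, 1)),
}


def status(product, version):
    """Return 'affected', 'fixed', 'patch-level check required' or
    'outside-listed-branches' (a branch the CVE summary does not cover)."""
    product = product.lower()
    v = parse_version(version)
    if product in HOSTED_FIXED:
        branch, fixed = HOSTED_FIXED[product]
        if v[0] != branch:
            return "outside-listed-branches"
        return "affected" if v < fixed else "fixed"
    if product in BARE_METAL_RANGES:
        low, high = BARE_METAL_RANGES[product]
        if low <= v[:2] <= high:
            # The update/build number decides; the CPE update field alone is not enough.
            return "patch-level check required"
        return "outside-listed-branches"
    return "outside-listed-branches"


def status_from_cpe(cpe):
    """Accept CPE 2.3 names as listed on this page, e.g. 'cpe:2.3:o:vmware:esxi:4.0:3'.

    Field 4 is the product, field 5 the version; a trailing field (update) is ignored
    because it does not identify the patch level that fixes ESX/ESXi.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[3].lower() != "vmware":
        raise ValueError("not a VMware CPE 2.3 name: %r" % cpe)
    return status(fields[4], fields[5])


if __name__ == "__main__":
    for name in ("cpe:2.3:a:vmware:workstation:8.0.2", "cpe:2.3:a:vmware:fusion:4.1.2",
                 "cpe:2.3:o:vmware:esxi:4.0:3", "cpe:2.3:a:vmware:workstation:8.0.3"):
        print(name, "->", status_from_cpe(name))
```

Feed it the CPE names from the list above to confirm every one resolves to "affected" or "patch-level check required"; anything else means the list and the summary disagree.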
CVSS
Base: 9.0 (as of 07-05-2012 - 09:49)
Impact: 10.0
Exploitability: 8.0
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: LOW
Authentication: SINGLE_INSTANCE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
nessus via4
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FUSION_4_1_3.NASL
    description The version of VMware Fusion 4.x installed on the Mac OS X host is earlier than 4.1.3, and is therefore reportedly affected by the following vulnerabilities : - Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449) - A memory corruption error exists related to the handling of 'Checkpoint' files that can allow arbitrary code execution. (CVE-2012-3288)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 59818
    published 2012-07-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59818
    title VMware Fusion 4.x < 4.1.3 (VMSA-2012-0009, VMSA-2012-0011)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0009.NASL
    description a. VMware host memory overwrite vulnerability (data pointers)
    Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
    Workaround - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4 GB of memory are not affected. OR - Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line: isolation.tools.vixMessage.disable = 'TRUE'. Note: This workaround is not valid for Workstation 7.x and Fusion 3.x.
    Mitigation - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1516 to this issue. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
    b. VMware host memory overwrite vulnerability (function pointers)
    Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
    Workaround - None identified
    Mitigation - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1517 to this issue. VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
    c. ESX NFS traffic parsing vulnerability
    Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.
    Workaround - None identified
    Mitigation - Connect only to trusted NFS servers - Segregate the NFS network - Harden your NFS server
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.
    d. VMware floppy device out-of-bounds memory write
    Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
    Workaround - Remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.
    Mitigation - Do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue.
    e. VMware SCSI device unchecked memory write
    Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
    Workaround - Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.
    Mitigation - Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 58977
    published 2012-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58977
    title VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
  • NASL family Windows
    NASL id VMWARE_PLAYER_MULTIPLE_VMSA_2012_0009.NASL
    description The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 59091
    published 2012-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59091
    title VMware Player Multiple Vulnerabilities (VMSA-2012-0009)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_702118_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities : - An error exists related to NFS traffic handling that could allow memory corruption leading to execution of arbitrary code. (CVE-2012-2448) - Out-of-bounds write errors exist related to virtual floppy disc devices and virtual SCSI devices that could allow local privilege escalation. (CVE-2012-2449, CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 70882
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70882
    title ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)
  • NASL family Windows
    NASL id VMWARE_WORKSTATION_MULTIPLE_VMSA_2012_0009.NASL
    description The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities : - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517) - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449) - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59092
    published 2012-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59092
    title VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)
  • NASL family Gain a shell remotely
    NASL id VMWARE_ESX_NFS_RCE.NASL
    description The remote VMware ESX/ESXi host is affected by the following security vulnerabilities : - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448) - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449) - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 59447
    published 2012-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59447
    title VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0009_REMOTE.NASL
    description The remote VMware ESX / ESXi host is affected by multiple vulnerabilities : - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517) - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448) - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89035
    published 2016-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89035
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
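The workaround repeated in the plugin descriptions above ("remove the virtual floppy drive from the list of virtual IO devices", and likewise the SCSI controller for CVE-2012-2450) is a per-VM configuration change. The following added example, not code from VMware or Tenable, audits a hosted-product .vmx file for attached floppy devices and emits a hardened copy. It assumes the usual .vmx layout of one `key = "value"` pair per line and that a device is attached when `<name>.present` is TRUE; detaching the floppy in the product UI leaves `floppy0.present = "FALSE"` in the file, which is what the script writes. SCSI controllers are only reported, because virtual disks hang off them and must be moved before the controller can go. The sample configuration is constructed for the demonstration.

```python
"""Audit and harden a .vmx file for the VMSA-2012-0009 virtual-device workarounds.

Added example; not VMware or Tenable code. Assumes one `key = "value"` per line
and that `<device>.present = "TRUE"` means the device is attached to the VM.
"""
import re

# Constructed sample configuration (not a real VM): floppy attached, one SCSI
# controller with a disk on target 0:0.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
displayName = "test-vm"
floppy0.present = "TRUE"
floppy0.fileType = "device"
floppy0.autodetect = "TRUE"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "test-vm.vmdk"
'''


def parse_vmx(text):
    """Parse key = "value" lines into an insertion-ordered dict; comments and blank lines dropped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def find_present_devices(cfg, prefix):
    """Return device names such as 'floppy0' or 'scsi1' whose `.present` flag is TRUE.

    Per-target keys like 'scsi0:0.present' (a disk on the controller) do not match,
    so only the controller or device itself is listed.
    """
    pat = re.compile(r"^(%s\d+)\.present$" % re.escape(prefix))
    found = []
    for key, value in cfg.items():
        m = pat.match(key)
        if m and value.upper() == "TRUE":
            found.append(m.group(1))
    return found


def harden(cfg):
    """Return (new_cfg, changes): detach every floppy device (CVE-2012-2449 workaround),
    report SCSI controllers for manual review (CVE-2012-2450 workaround)."""
    new_cfg = dict(cfg)
    changes = []
    for dev in find_present_devices(cfg, "floppy"):
        new_cfg[dev + ".present"] = "FALSE"
        changes.append("%s.present: TRUE -> FALSE" % dev)
    for dev in find_present_devices(cfg, "scsi"):
        changes.append("%s: SCSI controller still present, review manually" % dev)
    return new_cfg, changes


def render_vmx(cfg):
    """Serialise the dict back to .vmx syntax, preserving key order."""
    return "".join('%s = "%s"\n' % (k, v) for k, v in cfg.items())


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("floppy devices present:", find_present_devices(cfg, "floppy"))
    new_cfg, changes = harden(cfg)
    for change in changes:
        print(change)
    print(render_vmx(new_cfg), end="")
```

Run it over every .vmx on a host before and after applying the workaround: the "before" pass gives the inventory of VMs still exposing a floppy device to a guest administrator, and the rendered output is what the .vmx should contain once the VM is powered off and the file rewritten. This is a stopgap only; the Nessus plugins above check for the patched product versions, which remain the fix.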
oval via4
accepted 2013-07-29T04:00:54.943-04:00
class vulnerability
contributors
name Maria Kedovskaya
organization ALTX-SOFT
definition_extensions
  • comment VMware Workstation is installed
    oval oval:org.mitre.oval:def:16277
  • comment VMware Player is installed
    oval oval:org.mitre.oval:def:17194
description VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x through 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly configure the virtual floppy device, which allows guest OS users to cause a denial of service (out-of-bounds write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
family windows
id oval:org.mitre.oval:def:16863
status accepted
submitted 2013-06-20T10:26:26.748+04:00
title VMware Workstation, Player patches address security issues
version 6
refmap via4
bid 53369
confirm http://www.vmware.com/security/advisories/VMSA-2012-0009.html
osvdb 81694
sectrack 1027019
secunia 49032
xf vmware-esxserver-floppy-priv-esc(75376)
vmware via4
description Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.
id VMSA-2012-0009
last_updated 2012-06-13T00:00:00
published 2012-05-03T00:00:00
title VMware floppy device out-of-bounds memory write
Last major update 02-11-2013 - 23:24
Published 04-05-2012 - 12:55
Last modified 13-12-2017 - 21:29