ID CVE-2012-2450
Summary VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
References
Vulnerable Configurations
  • VMWare Workstation 8.0
    cpe:2.3:a:vmware:workstation:8.0
  • VMWare Workstation 8.0.1
    cpe:2.3:a:vmware:workstation:8.0.1
  • VMWare Workstation 8.0.2
    cpe:2.3:a:vmware:workstation:8.0.2
  • VMware Player 4.0
    cpe:2.3:a:vmware:player:4.0
  • VMware Player 4.0.1
    cpe:2.3:a:vmware:player:4.0.1
  • VMware Player 4.0.2
    cpe:2.3:a:vmware:player:4.0.2
  • VMware Fusion 4.0
    cpe:2.3:a:vmware:fusion:4.0
  • VMware Fusion 4.0.1
    cpe:2.3:a:vmware:fusion:4.0.1
  • VMware Fusion 4.0.2
    cpe:2.3:a:vmware:fusion:4.0.2
  • VMware Fusion 4.1
    cpe:2.3:a:vmware:fusion:4.1
  • VMware Fusion 4.1.1
    cpe:2.3:a:vmware:fusion:4.1.1
  • VMWare ESXi 3.5
    cpe:2.3:o:vmware:esxi:3.5
  • VMWare ESXi 3.5 update 1
    cpe:2.3:o:vmware:esxi:3.5:1
  • VMWare ESXi 4.0
    cpe:2.3:o:vmware:esxi:4.0
  • VMWare ESXi 4.0 update 1
    cpe:2.3:o:vmware:esxi:4.0:1
  • VMWare ESXi 4.0 update 2
    cpe:2.3:o:vmware:esxi:4.0:2
  • VMWare ESXi 4.0 update 3
    cpe:2.3:o:vmware:esxi:4.0:3
  • VMWare ESXi 4.0 update 4
    cpe:2.3:o:vmware:esxi:4.0:4
  • VMWare ESXi 4.1
    cpe:2.3:o:vmware:esxi:4.1
  • VMWare ESXi 4.1 update 1
    cpe:2.3:o:vmware:esxi:4.1:1
  • VMWare ESXi 4.1 update 2
    cpe:2.3:o:vmware:esxi:4.1:2
  • VMWare ESXi 5.0
    cpe:2.3:o:vmware:esxi:5.0
  • VMWare ESX 3.5
    cpe:2.3:o:vmware:esx:3.5
  • VMWare ESX 3.5 update1
    cpe:2.3:o:vmware:esx:3.5:update1
  • VMWare ESX 3.5 update2
    cpe:2.3:o:vmware:esx:3.5:update2
  • VMWare ESX 3.5 update3
    cpe:2.3:o:vmware:esx:3.5:update3
  • VMWare ESX 4.0
    cpe:2.3:o:vmware:esx:4.0
  • VMWare ESX 4.1
    cpe:2.3:o:vmware:esx:4.1
CVSS
Base: 9.0 (as of 07-05-2012 - 09:55)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE_INSTANCE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0009.NASL
    description
      a. VMware host memory overwrite vulnerability (data pointers)
         Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
         Workaround
         - Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4 GB of memory are not affected.
         OR
         - Disable VIX messages from each guest VM by editing the configuration file (.vmx) for the virtual machine as described in VMware Knowledge Base article 1714. Add the following line: isolation.tools.vixMessage.disable = 'TRUE'.
         Note: This workaround is not valid for Workstation 7.x and Fusion 3.x.
         Mitigation
         - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.
         The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1516 to this issue.
         VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
      b. VMware host memory overwrite vulnerability (function pointers)
         Due to a flaw in the handler function for RPC commands, it is possible to manipulate function pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
         Workaround
         - None identified
         Mitigation
         - Do not allow untrusted users access to your virtual machines. Root or Administrator level permissions are not required to exploit this issue.
         The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1517 to this issue.
         VMware would like to thank Derek Soeder of Ridgeway Internet Security, L.L.C. for reporting this issue to us.
      c. ESX NFS traffic parsing vulnerability
         Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.
         Workaround
         - None identified
         Mitigation
         - Connect only to trusted NFS servers
         - Segregate the NFS network
         - Harden your NFS server
         The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2448 to this issue.
      d. VMware floppy device out-of-bounds memory write
         Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
         Workaround
         - Remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.
         Mitigation
         - Do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue.
         The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2449 to this issue.
      e. VMware SCSI device unchecked memory write
         Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
         Workaround
         - Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.
         Mitigation
         - Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.
         The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2450 to this issue.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 58977
    published 2012-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58977
    title VMSA-2012-0009 : VMware Workstation, Player, Fusion, ESXi and ESX patches address critical security issues
  • NASL family Windows
    NASL id VMWARE_PLAYER_MULTIPLE_VMSA_2012_0009.NASL
    description The VMware Player install detected on the remote host is 3.x earlier than 3.1.6, or 4.0.x earlier than 4.0.3 and is, therefore, potentially affected by the following vulnerabilities:
      - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)
      - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)
      - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 59091
    published 2012-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59091
    title VMware Player Multiple Vulnerabilities (VMSA-2012-0009)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_702118_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by the following security vulnerabilities:
      - An error exists related to NFS traffic handling that could allow memory corruption leading to execution of arbitrary code. (CVE-2012-2448)
      - Out-of-bounds write errors exist related to virtual floppy disc devices and virtual SCSI devices that could allow local privilege escalation. (CVE-2012-2449, CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 70882
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70882
    title ESXi 5.0 < Build 702118 Multiple Vulnerabilities (remote check)
  • NASL family Windows
    NASL id VMWARE_WORKSTATION_MULTIPLE_VMSA_2012_0009.NASL
    description The VMware Workstation install detected on the remote host is 7.x earlier than 7.1.6 or 8.0.x earlier than 8.0.3 and is, therefore, potentially affected by the following vulnerabilities:
      - Memory corruption errors exist related to the RPC commands handler function which could cause the application to crash or possibly allow an attacker to execute arbitrary code. Note that these errors only affect the 3.x branch. (CVE-2012-1516, CVE-2012-1517)
      - An error in the virtual floppy device configuration can allow out-of-bounds memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges in the guest are required for successful exploitation along with the existence of a virtual floppy device in the guest. (CVE-2012-2449)
      - An error in the virtual SCSI device registration process can allow improper memory writes and can allow a guest user to crash the VMX process or potentially execute arbitrary code on the host. Note that root or administrator level privileges are required in the guest for successful exploitation along with the existence of a virtual SCSI device in the guest. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 59092
    published 2012-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59092
    title VMware Workstation Multiple Vulnerabilities (VMSA-2012-0009)
  • NASL family Gain a shell remotely
    NASL id VMWARE_ESX_NFS_RCE.NASL
    description The remote VMware ESX/ESXi host is affected by the following security vulnerabilities:
      - ESX NFS traffic parsing vulnerability: Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic. (CVE-2012-2448)
      - VMware floppy device out-of-bounds memory write: Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual floppy drive from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users in your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2449)
      - VMware SCSI device unchecked memory write: Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. As a workaround, remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general. Additionally, do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue. (CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 59447
    published 2012-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=59447
    title VMSA-2012-0009 : ESXi and ESX patches address critical security issues (uncredentialed check)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0009_REMOTE.NASL
    description The remote VMware ESX / ESXi host is affected by multiple vulnerabilities:
      - Multiple privilege escalation vulnerabilities exist due to improper handling of RPC commands. A local attacker (guest user) can exploit these to manipulate data and function pointers, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-1516, CVE-2012-1517)
      - A remote code execution vulnerability exists due to improper sanitization of user-supplied input when parsing NFS traffic. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. (CVE-2012-2448)
      - Multiple privilege escalation vulnerabilities exist due to an error that occurs in virtual floppy devices and SCSI devices. A local attacker (guest user) can exploit these to cause an out-of-bounds write error, resulting in a denial of service condition or the execution of arbitrary code on the host OS. (CVE-2012-2449, CVE-2012-2450)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89035
    published 2016-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89035
    title VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0009) (remote check)
oval via4
accepted 2013-07-29T04:00:54.353-04:00
class vulnerability
contributors
name Maria Kedovskaya
organization ALTX-SOFT
definition_extensions
  • comment VMware Workstation is installed
    oval oval:org.mitre.oval:def:16277
  • comment VMware Player is installed
    oval oval:org.mitre.oval:def:17194
description VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
family windows
id oval:org.mitre.oval:def:16852
status accepted
submitted 2013-06-20T10:26:26.748+04:00
title VMware SCSI device unchecked memory write
version 6
refmap via4
bid 53369
confirm http://www.vmware.com/security/advisories/VMSA-2012-0009.html
osvdb 81695
sectrack 1027019
secunia 49032
xf esxserver-scsi-priv-esc(75377)
vmware via4
description Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.
id VMSA-2012-0009
last_updated 2012-06-13T00:00:00
published 2012-05-03T00:00:00
title VMware SCSI device unchecked memory write
workaround Remove the virtual SCSI controller from the list of virtual IO devices. The VMware hardening guides recommend removing unused virtual IO devices in general.
Mitigation Do not allow untrusted root users access to your virtual machines. Root or Administrator level permissions are required to exploit this issue.
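The workarounds quoted in this record are all edits to a virtual machine's .vmx configuration: removing the virtual SCSI controller (CVE-2012-2450), removing the virtual floppy drive (CVE-2012-2449), and, for the RPC issue CVE-2012-1516, adding isolation.tools.vixMessage.disable = 'TRUE'. The following audit script is an added example written for this page; it is not VMware's or Tenable's code and not part of the advisory. It parses a .vmx file and reports which of those hardening steps are still missing. The isolation.tools.vixMessage.disable key comes from the advisory text above; the scsiN.present and floppyN.present keys are the standard VMX device-presence keys and are an assumption here, since the advisory only says to remove the devices. The two sample configurations are constructed for the example.

```python
"""Audit a VMware .vmx file for the VMSA-2012-0009 workarounds (added example).

Reports: VIX messages not disabled (isolation.tools.vixMessage.disable, quoted
in the advisory), and any virtual SCSI controller or floppy drive still present.
Assumption: scsiN.present / floppyN.present are the standard VMX keys that mark a
controller or drive as present; the advisory text itself does not name them.
"""
import re
import sys

# key = "value" (VMX uses double quotes; the advisory quotes the line with single
# quotes, so bare or single-quoted values are accepted too).
VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"]*)"?\s*$')
DEVICE_KEY = re.compile(r'(scsi|floppy)(\d+)\.present')


def parse_vmx(text):
    """Parse .vmx text into a dict. Blank lines and # comments are skipped.
    VMX keys are case-insensitive, so they are lower-cased for lookup."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg


def _is_true(value):
    return value.strip().strip('"\'').upper() == 'TRUE'


def audit_vmx(text):
    """Return a list of findings; an empty list means all three workarounds hold."""
    cfg = parse_vmx(text)
    findings = []
    if not _is_true(cfg.get('isolation.tools.vixmessage.disable', 'FALSE')):
        findings.append('VIX messages not disabled '
                        '(isolation.tools.vixMessage.disable != TRUE)')
    for key, value in sorted(cfg.items()):
        m = DEVICE_KEY.fullmatch(key)   # controller keys only, not scsi0:0 disks
        if m and _is_true(value):
            kind = 'SCSI controller' if m.group(1) == 'scsi' else 'floppy drive'
            findings.append(f'{kind} {m.group(1)}{m.group(2)} present')
    return findings


# Constructed sample: a VM with both devices present and VIX messages enabled.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "constructed sample"
scsi0.present = "TRUE"
scsi0.virtualDev = "lsilogic"
scsi0:0.present = "TRUE"
floppy0.present = "TRUE"
"""

# Constructed sample with the workarounds applied.
HARDENED_VMX = """\
displayName = "constructed hardened sample"
isolation.tools.vixMessage.disable = "TRUE"
scsi0.present = "FALSE"
floppy0.present = "FALSE"
ide0:0.present = "TRUE"
"""

if __name__ == '__main__':
    # Usage: python audit_vmx.py [path/to/vm.vmx]; without a path, audit the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {'SAMPLE_VMX': SAMPLE_VMX, 'HARDENED_VMX': HARDENED_VMX}
    for name, text in sources.items():
        result = audit_vmx(text)
        print(f'{name}: ' + ('OK' if not result else '; '.join(result)))
```

Note that, as the advisory states, the vixMessage workaround does not apply to Workstation 7.x and Fusion 3.x, and none of these checks replace installing the patched versions listed at the top of this record; the script only tells an administrator which interim workarounds a given VM is missing.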
Last major update 02-11-2013 - 23:24
Published 04-05-2012 - 12:55
Last modified 13-12-2017 - 21:29