ID CVE-2013-1405
Summary VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, VMware VirtualCenter 2.5, VMware vSphere Client 4.0 before Update 4b and 4.1 before Update 3a, VMware VI-Client 2.5, VMware ESXi 3.5 through 4.1, and VMware ESX 3.5 through 4.1 do not properly implement the management authentication protocol, which allow remote servers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
References
Vulnerable Configurations
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_4
    cpe:2.3:a:vmware:vcenter_server:4.0:update_4
  • cpe:2.3:a:vmware:vcenter_server:4.1:update_3
    cpe:2.3:a:vmware:vcenter_server:4.1:update_3
  • cpe:2.3:a:vmware:virtualcenter:2.5
    cpe:2.3:a:vmware:virtualcenter:2.5
  • VMware vSphere Client 4.0
    cpe:2.3:a:vmware:vsphere_client:4.0:update_4
  • VMware vSphere Client 4.1
    cpe:2.3:a:vmware:vsphere_client:4.1:update_3
  • cpe:2.3:a:vmware:vi-client:2.5
    cpe:2.3:a:vmware:vi-client:2.5
  • VMWare ESXi 3.5
    cpe:2.3:o:vmware:esxi:3.5
  • VMWare ESXi 3.5 update 1
    cpe:2.3:o:vmware:esxi:3.5:1
  • VMWare ESXi 4.0 update 2
    cpe:2.3:o:vmware:esxi:4.0:2
  • VMWare ESXi 4.0 update 1
    cpe:2.3:o:vmware:esxi:4.0:1
  • VMWare ESXi 4.0
    cpe:2.3:o:vmware:esxi:4.0
  • VMWare ESXi 4.0 update 4
    cpe:2.3:o:vmware:esxi:4.0:4
  • VMWare ESXi 4.0 update 3
    cpe:2.3:o:vmware:esxi:4.0:3
  • VMWare ESXi 4.1
    cpe:2.3:o:vmware:esxi:4.1
  • VMWare ESX 3.5
    cpe:2.3:o:vmware:esx:3.5
  • VMWare ESX 3.5 update3
    cpe:2.3:o:vmware:esx:3.5:update3
  • VMWare ESX 3.5 update1
    cpe:2.3:o:vmware:esx:3.5:update1
  • VMWare ESX 3.5 update2
    cpe:2.3:o:vmware:esx:3.5:update2
  • VMWare ESX 4.0
    cpe:2.3:o:vmware:esx:4.0
  • VMWare ESX 4.1
    cpe:2.3:o:vmware:esx:4.1
CVSS
Base: 10.0 (as of 15-02-2013 - 11:21)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Windows
    NASL id VSPHERE_CLIENT_VMSA_2013-0001.NASL
    description The version of vSphere Client installed on the remote Windows host is potentially affected by a memory corruption issue in the authentication mechanism.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 64559
    published 2013-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64559
    title VMware vSphere Client Memory Corruption (VMSA-2013-0001)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2013-0001.NASL
    description a. VMware vSphere client-side authentication memory corruption vulnerability VMware vCenter Server, vSphere Client, and ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerability, an attacker must convince either vCenter Server, vSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2013-1405 to this issue. b. Update to ESX/ESXi libxml2 userworld and service console The ESX/ESXi userworld libxml2 library has been updated to resolve multiple security issues. Also, the ESX service console libxml2 packages are updated to the following versions : libxml2-2.6.26-2.1.15.el5_8.5 libxml2-python-2.6.26-2.1.15.el5_8.5 These updates fix multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3102 and CVE-2012-2807 to these issues. c. Update to ESX service console bind packages The ESX service console bind packages are updated to the following versions : bind-libs-9.3.6-20.P1.el5_8.2 bind-utils-9.3.6-20.P1.el5_8.2 These updates fix a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-4244 to this issue. d. Update to ESX service console libxslt package The ESX service console libxslt package is updated to version libxslt-1.1.17-4.el5_8.3 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-1202, CVE-2011-3970, CVE-2012-2825, CVE-2012-2870, and CVE-2012-2871 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 64642
    published 2013-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64642
    title VMSA-2013-0001 : VMware vSphere security updates for the authentication service and third-party libraries
  • NASL family Misc.
    NASL id VMWARE_ESX_VMSA-2013-0001_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries : - Authentication Service - bind - libxml2 - libxslt
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 89661
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89661
    title VMware ESX / ESXi Authentication Service and Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0001) (remote check)
refmap via4
confirm http://www.vmware.com/security/advisories/VMSA-2013-0001.html
vmware via4
description VMware vCenter ServervSphere Clientand ESX contain a vulnerability in the handling of the management authentication protocol. To exploit this vulnerabilityan attacker must convince either vCenter ServervSphere Client or ESX to interact with a malicious server as a client. Exploitation of the issue may lead to code execution on the client system.
id VMSA-2013-0001
last_updated 2013-05-30T00:00:00
published 2013-01-31T00:00:00
title VMware vSphere client-side authentication memory corruption vulnerability
workaround To reduce the likelihood of exploitationvSphere components should be deployed on an isolated management network.
Last major update 15-02-2013 - 00:00
Published 15-02-2013 - 07:09
Back to Top