ID CVE-2013-1659
Summary VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption) by modifying the client-server data stream.
References
Vulnerable Configurations
  • cpe:2.3:a:vmware:vcenter_server:4.0
    cpe:2.3:a:vmware:vcenter_server:4.0
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_1
    cpe:2.3:a:vmware:vcenter_server:4.0:update_1
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_2
    cpe:2.3:a:vmware:vcenter_server:4.0:update_2
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_3
    cpe:2.3:a:vmware:vcenter_server:4.0:update_3
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_4
    cpe:2.3:a:vmware:vcenter_server:4.0:update_4
  • cpe:2.3:a:vmware:vcenter_server:4.0:update_4a
    cpe:2.3:a:vmware:vcenter_server:4.0:update_4a
  • VMware vCenter Server Appliance (vCSA) 5.1
    cpe:2.3:a:vmware:vcenter_server_appliance:5.1
  • cpe:2.3:a:vmware:vcenter_server_appliance:5.1.0a
    cpe:2.3:a:vmware:vcenter_server_appliance:5.1.0a
  • VMware vCenter Server 5.0 update 1
    cpe:2.3:a:vmware:vcenter_server:5.0:update_1
  • VMware vCenter Server 5.0
    cpe:2.3:a:vmware:vcenter_server:5.0
  • VMWare ESXi 5.1
    cpe:2.3:o:vmware:esxi:5.1
  • VMWare ESXi 5.0 update 2
    cpe:2.3:o:vmware:esxi:5.0:2
  • VMWare ESXi 5.0 update 1
    cpe:2.3:o:vmware:esxi:5.0:1
  • VMWare ESXi 5.0
    cpe:2.3:o:vmware:esxi:5.0
  • VMWare ESXi 4.1 update 2
    cpe:2.3:o:vmware:esxi:4.1:2
  • VMWare ESXi 4.1 update 1
    cpe:2.3:o:vmware:esxi:4.1:1
  • VMWare ESXi 4.1
    cpe:2.3:o:vmware:esxi:4.1
  • VMWare ESXi 4.0 update 4
    cpe:2.3:o:vmware:esxi:4.0:4
  • VMWare ESXi 4.0 update 3
    cpe:2.3:o:vmware:esxi:4.0:3
  • VMWare ESXi 4.0 update 2
    cpe:2.3:o:vmware:esxi:4.0:2
  • VMWare ESXi 4.0 update 1
    cpe:2.3:o:vmware:esxi:4.0:1
  • VMWare ESXi 4.0
    cpe:2.3:o:vmware:esxi:4.0
  • VMWare ESXi 3.5 update 1
    cpe:2.3:o:vmware:esxi:3.5:1
  • VMWare ESXi 3.5
    cpe:2.3:o:vmware:esxi:3.5
CVSS
Base: 7.6 (as of 25-02-2013 - 10:12)
Impact:
Exploitability:
Access: Vector NETWORK / Complexity HIGH / Authentication NONE
Impact: Confidentiality COMPLETE / Integrity COMPLETE / Availability COMPLETE
nessus via4
  • NASL family Misc.
    NASL id VMWARE_VCENTER_VMSA-2013-0003.NASL
    description The version of VMware vCenter installed on the remote host is 4.0 before update 4b, 5.0 before update 2, or 5.1 before 5.1.0b. Such versions are potentially affected by a denial of service vulnerability due to an issue in webservice logging. By exploiting this flaw, a remote, unauthenticated attacker could crash the affected host.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 65223
    published 2013-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65223
    title VMware vCenter Server NFC Protocol Code Execution (VMSA-2013-0003)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2013-0003.NASL
    description
      a. VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability. VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution. To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network. VMware would like to thank Alex Chapman of Context Information Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-1659 to this issue.
      b. VirtualCenter, ESX and ESXi Oracle (Sun) JRE update 1.5.0_38. Oracle (Sun) JRE is updated to version 1.5.0_38, which addresses multiple security issues that existed in earlier releases of Oracle (Sun) JRE. Oracle has documented the CVE identifiers that are addressed in JRE 1.5.0_38 in the Oracle Java SE Critical Patch Update Advisory of October 2012.
      c. Update to ESX service console OpenSSL RPM. The service console OpenSSL RPM is updated to version openssl-0.9.7a.33.28.i686 to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-2110 to this issue.
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 64812
    published 2013-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64812
    title VMSA-2013-0003 : VMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third-party library security issues.
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_1_BUILD_911593_REMOTE.NASL
    description The remote VMware ESXi 5.1 host is affected by the following security vulnerabilities:
      - An input validation error exists in the function 'png_set_text_2' in the libpng library that could allow memory corruption and arbitrary code execution. (CVE-2011-3048)
      - A privilege escalation vulnerability exists in the Virtual Machine Communication Interface (VMCI). A local attacker can exploit this, via control code, to change allocated memory, resulting in the escalation of privileges. (CVE-2013-1406)
      - An error exists related to Network File Copy (NFC) handling that could allow denial of service attacks or arbitrary code execution. (CVE-2013-1659)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70888
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70888
    title ESXi 5.1 < Build 911593 Multiple Vulnerabilities (remote check)
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_0_BUILD_912577_REMOTE.NASL
    description The remote VMware ESXi 5.0 host is affected by multiple vulnerabilities:
      - An integer overflow condition exists in the __tzfile_read() function in the glibc library. An unauthenticated, remote attacker can exploit this, via a crafted timezone (TZ) file, to cause a denial of service or the execution of arbitrary code. (CVE-2009-5029)
      - ldd in the glibc library is affected by a privilege escalation vulnerability due to the omission of certain LD_TRACE_LOADED_OBJECTS checks in a crafted executable file. Note that this vulnerability is disputed by the library vendor. (CVE-2009-5064)
      - A remote code execution vulnerability exists in the glibc library due to an integer signedness error in the elf_get_dynamic_info() function when the '--verify' option is used. A remote attacker can exploit this by using a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header. (CVE-2010-0830)
      - A flaw exists in OpenSSL due to a failure to properly prevent modification of the ciphersuite in the session cache when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled. A remote attacker can exploit this to force a downgrade to an unintended cipher by intercepting the network traffic to discover a session identifier. (CVE-2010-4180)
      - A flaw exists in OpenSSL due to a failure to properly validate the public parameters in the J-PAKE protocol when J-PAKE is enabled. A remote attacker can exploit this, by sending crafted values in each round of the protocol, to bypass the need for knowledge of the shared secret. (CVE-2010-4252)
      - An out-of-bounds memory error exists in OpenSSL that allows a remote attacker to cause a denial of service or possibly obtain sensitive information by using a malformed ClientHello handshake message. This is also known as the 'OCSP stapling vulnerability'. (CVE-2011-0014)
      - A flaw exists in the addmntent() function in the glibc library due to a failure to report the error status for failed attempts to write to the /etc/mtab file. A local attacker can exploit this to corrupt the file by using writes from a process with a small RLIMIT_FSIZE value. (CVE-2011-1089)
      - A flaw exists in the png_set_text_2() function in the file pngset.c in the libpng library due to a failure to properly allocate memory. An unauthenticated, remote attacker can exploit this, via a crafted text chunk in a PNG image file, to trigger a heap-based buffer overflow, resulting in denial of service or the execution of arbitrary code. (CVE-2011-3048)
      - A flaw exists in the DTLS implementation in OpenSSL due to performing a MAC check only if certain padding is valid. A remote attacker can exploit this, via a padding oracle attack, to recover the plaintext. (CVE-2011-4108)
      - A double-free error exists in OpenSSL when the X509_V_FLAG_POLICY_CHECK is enabled. A remote attacker can exploit this by triggering a policy check failure, resulting in an unspecified impact. (CVE-2011-4109)
      - A flaw exists in OpenSSL in the SSL 3.0 implementation due to improper initialization of data structures used for block cipher padding. A remote attacker can exploit this, by decrypting the padding data sent by an SSL peer, to obtain sensitive information. (CVE-2011-4576)
      - A denial of service vulnerability exists in OpenSSL when RFC 3779 support is enabled. A remote attacker can exploit this to cause an assertion failure, by using an X.509 certificate containing certificate extension data associated with IP address blocks or Autonomous System (AS) identifiers. (CVE-2011-4577)
      - A denial of service vulnerability exists in the RPC implementation in the glibc library due to a flaw in the svc_run() function. A remote attacker can exploit this, via a large number of RPC connections, to exhaust CPU resources. (CVE-2011-4609)
      - A denial of service vulnerability exists in the Server Gated Cryptography (SGC) implementation in OpenSSL due to a failure to properly handle handshake restarts. A remote attacker can exploit this, via unspecified vectors, to exhaust CPU resources. (CVE-2011-4619)
      - A denial of service vulnerability exists in OpenSSL due to improper support of DTLS applications. A remote attacker can exploit this, via unspecified vectors related to an out-of-bounds read error. Note that this vulnerability exists because of an incorrect fix for CVE-2011-4108. (CVE-2012-0050)
      - A security bypass vulnerability exists in the glibc library due to an integer overflow condition in the vfprintf() function in file stdio-common/vfprintf.c. An attacker can exploit this, by using a large number of arguments, to bypass the FORTIFY_SOURCE protection mechanism, allowing format string attacks or writing to arbitrary memory. (CVE-2012-0864)
      - A denial of service vulnerability exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly calculate a buffer length. An attacker can exploit this, via a format string that uses positional parameters and many format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus causing stack corruption and a crash. (CVE-2012-3404)
      - A denial of service vulnerability exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly calculate a buffer length. An attacker can exploit this, via a format string with a large number of format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus triggering desynchronization within the buffer size handling, resulting in a segmentation fault and crash. (CVE-2012-3405)
      - A flaw exists in the glibc library in the vfprintf() function in file stdio-common/vfprintf.c due to a failure to properly restrict the use of the alloca() function when allocating the SPECS array. An attacker can exploit this, via a crafted format string using positional parameters and a large number of format specifiers, to bypass the FORTIFY_SOURCE format-string protection mechanism, thus triggering a denial of service or the possible execution of arbitrary code. (CVE-2012-3406)
      - A flaw exists in the glibc library due to multiple integer overflow conditions in the strtod(), strtof(), strtold(), strtod_l(), and other unspecified related functions. A local attacker can exploit these to trigger a stack-based buffer overflow, resulting in an application crash or the possible execution of arbitrary code. (CVE-2012-3480)
      - A privilege escalation vulnerability exists in the Virtual Machine Communication Interface (VMCI) due to a failure by control code to properly restrict memory allocation. A local attacker can exploit this, via unspecified vectors, to gain privileges. (CVE-2013-1406)
      - An error exists in the implementation of the Network File Copy (NFC) protocol. A man-in-the-middle attacker can exploit this, by modifying the client-server data stream, to cause a denial of service or the execution of arbitrary code. (CVE-2013-1659)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 70885
    published 2013-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70885
    title ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)
  • NASL family Misc.
    NASL id VMWARE_ESX_VMSA-2013-0003_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries:
      - Java Runtime Environment (JRE)
      - Network File Copy (NFC) Protocol
      - OpenSSL
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 89663
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89663
    title VMware ESX / ESXi NFC and Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0003) (remote check)
refmap via4
confirm http://www.vmware.com/security/advisories/VMSA-2013-0003.html
vmware via4
description VMware vCenter Server, ESXi and ESX contain a vulnerability in the handling of the Network File Copy (NFC) protocol. To exploit this vulnerability, an attacker must intercept and modify the NFC traffic between vCenter Server and the client or ESXi/ESX and the client. Exploitation of the issue may lead to code execution.
finder
company Context Information Security
name Alex Chapman
id VMSA-2013-0003
last_updated 2013-02-21T00:00:00
published 2013-02-21T00:00:00
title VMware vCenter, ESXi and ESX NFC protocol memory corruption vulnerability
workaround To reduce the likelihood of exploitation, vSphere components should be deployed on an isolated management network.
Last major update 25-02-2013 - 00:00
Published 22-02-2013 - 15:55