Computer Security Incident Response Team of Mauritius (CERT-MU)

Multiple Vulnerabilities in VMware
 
Date: 20.01.04
 
Severity Rating: Medium
 
Overview:
 
Multiple vulnerabilities have been identified in VMware and they can be exploited by remote attackers to cause denial of service conditions and conduct cross-site request forgery attacks. VMware has released an update to address these vulnerabilities.
 
Description:
 
Multiple vulnerabilities have been identified in VMware and they can be exploited by remote attackers to cause denial of service conditions and conduct cross-site request forgery attacks. The vulnerabilities reported are as follows:
  • The first vulnerability can allow remote attackers who conduct a man-in-the-middle attack between ESX/ESXi and the client to modify Network File Copy (NFC) traffic, trigger a null pointer dereference and cause denial of service conditions.
  • The second vulnerability exists because of a flaw in the handling of invalid ports. It can allow remote attackers to cause the VMX process to fail and partially deny service on the host.
  • The third vulnerability exists in VMware Workstation/Player/Fusion and can allow remote attackers on the guest system to cause partial denial of service conditions on the host system.
  • Another vulnerability exists in VMware vCloud Director and can allow remote attackers to conduct cross-site request forgery attacks. Successful exploitation of this vulnerability can allow remote attackers to take actions on the management interface acting as the user.
VMware has released an update to address these vulnerabilities.
 
Affected Systems:
 
  • VMware ESX/ESXi 4.0, 4.1, ESXi 5.0, 5.1
  • VMware Workstation 9.x prior to 9.0.1, Player 5.x prior to 5.0.1, Fusion 5.x prior to 5.0.1
  • VMware vCloud Director version 5.1.x prior to 5.1.3
 
CVE Information
 
 
Solution
 
Users are advised to apply updates.
More information about the update is available on:
 
 
References
 
Security Tracker
 
 
VMware Security Advisories
 
 
Disclaimer
 
The information provided herein is on "as is" basis, without warranty of any kind.
 
Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street
Port Louis