VMware Multiple Vulnerabilities
Updated: October 02, 2012
Severity Rating: Medium
Multiple vulnerabilities have been identified in VMware and they can be exploited by remote attackers to cause gain knowledge of sensitive information, gain elevated privileges and cause execution of arbitrary code. An update has been released to address these vulnerabilities.
Multiple vulnerabilities have been identified in VMware products and they can be exploited by remote attackers to gain knowledge of sensitive information, obtain privileges on the vulnerable systems and cause execution of arbitrary code. The vulnerabilities reported are as follows:
- An information disclosure vulnerability has been identified in several VMware-hosted products. The vulnerability can be exploited by remote attackers to disclose memory from the host’s ‘vmware vmx’ process to a guest operating system or the network. Successful exploitation of the vulnerability allows the attackers to gain knowledge of sensitive information that can help in conducting further attacks.
- A remote format string vulnerability has been identified in VMware Remote Console. Successful exploitation of this vulnerability allows remote attackers to cause execution of arbitrary code. Unsuccessful attempts can cause denial of service conditions.
- A cross-site scripting vulnerability has been reported in VMware View. The vulnerability exists because it fails to sanitize user-supplied data properly. This vulnerability can be exploited by remote attackers to cause execution of arbitrary script code in the browser of an unsuspected user in the context of an affected site. Successful exploitation of this vulnerability can allow the remote attacker to steal cookie-based authentication credentials and conduct other attacks.
- A local privilege-escalation vulnerability has been identified in multiple VMware products and it can be exploited by remote attackers to cause execution of arbitrary code with elevated privileges.
An update has been released to address the multiple vulnerabilities identified.
- VMWare Workstation for Linux 6.5
- VMWare Workstation for Linux 0
- VMWare Workstation 6.5.3
- VMWare Workstation 6.5.2
- VMWare Workstation 6.5.1
- VMWare Workstation 6.5 build 118166
- VMWare Workstation 7.0
- VMWare Workstation 6.5.3 build 185404
- VMWare Workstation 6.5.2 build 156735
- VMWare Server 2.0.2 Build 203138
- VMWare Server 2.0.2
- VMWare Server 2.0.1 build 156745
- VMWare Server 2.0.1
- VMWare Server 2.0
- VMWare Player for Linux 2.5
- VMWare Player for Linux 0
- VMWare Player 2.5.4
- VMWare Player 2.5.3
- VMWare Player 2.5.2 build 156735
- VMWare Player 2.5.2
- VMWare Player 2.5.1
- VMWare Player 2.5 build 118166
- VMWare Player 3.0
- VMWare Player 2.5.3 build 185404
- VMWare Fusion 2.0.6 Build 196839
- VMWare Fusion 2.0.6
- VMWare Fusion 2.0.5
- VMWare Fusion 2.0.4
- VMWare Fusion 2.0.3
- VMWare Fusion 2.0.2 build 147997
- VMWare Fusion 3.0
- VMWare Fusion 2
- VMWare ACE 2.5.3 Build 185404
- VMWare ACE 2.5.2 build 156735
- VMWare ACE 2.5.2
- VMWare ACE 2.5.1
- VMWare ACE 2.5 build 118166
- VMWare ACE 2.6
- Gentoo Linux
- VMWare View 3.1.2
- VMWare View 3.1.1
Users are advised to apply updates.
More information about the update is available on:
The information provided herein is on "as is" basis, without warranty of any kind.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street