VMware Cloud Community
testdostest
Contributor
Contributor
‎01-05-2009 12:35 PM

are you aware about the vmware-authd remote Denial of Service ?

Hi,

Are you guys working on some patch for this new vulnerability ?

milw0rm.com/exploits/7647

Thanks !

Message was edited by: Texiwill - Made link so you have to type it in, going to this site is not always safe

0 Kudos
8 Replies
Texiwill
Leadership
Leadership
‎01-05-2009 01:28 PM

Hello,

Before everyone clicks on that link, I suggest you first either install TOR or do so from a disposable virtual machine. Milw0rm is a great source for finding code that can be used to penetration test systems but it is also a hacker site so use at your own risk.

Update: This is against VMPlayer and VMware Workstation and old versions at that. I am not sure it applies to anything modern..... 2.5.1 of VMplayer and Workstation is pretty old.

One solution is to properly firewall port 912 so that it is not accessible from outside the host.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
testdostest
Contributor
Contributor
‎01-05-2009 03:03 PM

" I am not sure it applies to anything modern..... 2.5.1 of VMplayer and Workstation is pretty old."

http://www.vmware.com/download/player/

it's brand new !

i've tryed this exploit on the last workstation too, and the vmware-authd service got crashed.

So yep it work on the most recent player and workstation Smiley Sad

0 Kudos
kirklarsen
VMware Employee
VMware Employee
‎01-05-2009 04:52 PM

Hi,

Yes, VMware is aware of the issue and working on a fix. Turns out it was a typographical error in using one of our string safe functions. There is NO possibility of code execution.

--Ksl

Kirk Larsen

Product Security Officer

VMware Inc.

0 Kudos
Texiwill
Leadership
Leadership
‎01-06-2009 06:18 AM

Hello,

Kirk, please clarify to what products this applies. The milw0rm site documents some pretty old versions. I figure the best solution at the moment is to deny access to the port from outside the host. Is there any other 'current' mitigation?


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
wila
Immortal
Immortal
‎01-06-2009 06:33 AM

Edward,

VMware player version 2.5.1 is the player that comes with VMware Workstation 6.5.1, so he is right that it is a DOS against current products and not some old version.

--

Wil

_____________________________________________________

Visit the new VMware developers wiki at http://www.vi-toolkit.com

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
0 Kudos
kirklarsen
VMware Employee
VMware Employee
‎01-06-2009 01:12 PM

Hi,

ESX is not affected at all. Willa is correct, the 2.5.1 that is mentioned in the exploit is for Player 2.5.1, which corresponds to Workstation 6.5.1. So it's for current hosted product only.

As far as mitigation, restricting the port would do it. Or perhaps a cron job that just cleaned up the core files as it happens, and perhaps restarted authd. Or a cron job that notifies the administrator when a core file is created, and then some ip addresses blocking...

--Ksl

0 Kudos
Texiwill
Leadership
Leadership
‎01-07-2009 06:34 AM

Hello Kirk,

Thank you for clearing this up!


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
ksc
VMware Employee
VMware Employee
‎01-07-2009 03:05 PM

Acutely aware of this one, since I'm implementing the fix!

Ultimately, the effect is only on Windows - on other operating systems, the vmware-authd executable runs as part of inetd (or the equivalent) and is automatically restarted. If the binary does die, the net effect is that you would be unable to reconnect to headless VMs, or to start new VMs as a user without Administrator privileges.

0 Kudos