Hi,
Are you guys working on some patch for this new vulnerability ?
milw0rm.com/exploits/7647
Thanks !
Message was edited by: Texiwill - Made link so you have to type it in, going to this site is not always safe
Hello,
Before everyone clicks on that link, I suggest you first either install TOR or do so from a disposable virtual machine. Milw0rm is a great source for finding code that can be used to penetration test systems but it is also a hacker site so use at your own risk.
Update: This is against VMPlayer and VMware Workstation and old versions at that. I am not sure it applies to anything modern..... 2.5.1 of VMplayer and Workstation is pretty old.
One solution is to properly firewall port 912 so that it is not accessible from outside the host.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
" I am not sure it applies to anything modern..... 2.5.1 of VMplayer and Workstation is pretty old."
http://www.vmware.com/download/player/
it's brand new !
i've tryed this exploit on the last workstation too, and the vmware-authd service got crashed.
So yep it work on the most recent player and workstation
Hi,
Yes, VMware is aware of the issue and working on a fix. Turns out it was a typographical error in using one of our string safe functions. There is NO possibility of code execution.
--Ksl
Kirk Larsen
Product Security Officer
VMware Inc.
Hello,
Kirk, please clarify to what products this applies. The milw0rm site documents some pretty old versions. I figure the best solution at the moment is to deny access to the port from outside the host. Is there any other 'current' mitigation?
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
Edward,
VMware player version 2.5.1 is the player that comes with VMware Workstation 6.5.1, so he is right that it is a DOS against current products and not some old version.
--
Wil
_____________________________________________________
Visit the new VMware developers wiki at http://www.vi-toolkit.com
Hi,
ESX is not affected at all. Willa is correct, the 2.5.1 that is mentioned in the exploit is for Player 2.5.1, which corresponds to Workstation 6.5.1. So it's for current hosted product only.
As far as mitigation, restricting the port would do it. Or perhaps a cron job that just cleaned up the core files as it happens, and perhaps restarted authd. Or a cron job that notifies the administrator when a core file is created, and then some ip addresses blocking...
--Ksl
Hello Kirk,
Thank you for clearing this up!
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll
Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links
Acutely aware of this one, since I'm implementing the fix!
Ultimately, the effect is only on Windows - on other operating systems, the vmware-authd executable runs as part of inetd (or the equivalent) and is automatically restarted. If the binary does die, the net effect is that you would be unable to reconnect to headless VMs, or to start new VMs as a user without Administrator privileges.