J-Security Center

Title: VMware Products In-Guest Privilege Escalation and Information Disclosure Vulnerabilities

Severity: MODERATE

Description:

VMware is a family of virtualization (machine-emulation) products available for several platforms.

Various VMware products are prone to multiple vulnerabilities that may allow attackers to gain elevated privileges in a guest operating system and obtain sensitive information. The following specific issues were reported:

1. An in-guest privilege-escalation vulnerability can allow local attackers to gain elevated privileges in a guest operating system. This issue arises because the application's CPU hardware emulation may allow a virtual CPU to jump to an incorrect memory address. Specifically, if an indirect jump transfers execution to a noncanonical Return Instruction Pointer (RIP), a vulnerable version of the application may improperly execute the instruction and then cause a general protection fault, allowing access to kernel data structures. An attacker may exploit the issue by repeatedly jumping to noncanonical RIPs. The vulnerability can be exploited only on 64-bit (x64) guest operating systems.

Note that this issue does not allow attackers to gain access to the host operating system. The attacker must have an account on the guest operating system.
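To make the "noncanonical RIP" condition concrete, here is an added example (not from the advisory or from VMware) of the canonical-address rule an x86-64 CPU, and therefore any correct CPU emulator, must apply to a branch target before control is transferred. It assumes the 48-bit linear addresses of 4-level paging that apply to the x64 guests this advisory covers, and also accepts a 57-bit width to show that the rule generalizes to 5-level paging (LA57).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Linear-address width of the virtual CPU: 48 with 4-level paging
 * (the case relevant to this advisory), 57 with 5-level paging. */
enum { VA_BITS_4LEVEL = 48, VA_BITS_5LEVEL = 57 };

/* x86-64 canonical form: bits 63..(va_bits-1) must all equal bit (va_bits-1),
 * i.e. the full address must be the sign-extension of its low va_bits bits. */
static bool is_canonical(uint64_t addr, unsigned va_bits)
{
    unsigned shift = 64 - va_bits;
    /* Sign-extend the low va_bits bits and compare with the original value. */
    uint64_t sext = (uint64_t)(((int64_t)(addr << shift)) >> shift);
    return sext == addr;
}

/* What a correct CPU (or emulator) decides about an indirect-jump target:
 * a noncanonical RIP must raise #GP(0) before any instruction at that
 * address is fetched or executed; only canonical targets may be reached. */
typedef enum { TARGET_USER_HALF, TARGET_KERNEL_HALF, TARGET_NONCANONICAL } target_class;

static target_class classify_rip(uint64_t rip, unsigned va_bits)
{
    if (!is_canonical(rip, va_bits))
        return TARGET_NONCANONICAL;                 /* must fault, never execute */
    return (rip >> 63) ? TARGET_KERNEL_HALF : TARGET_USER_HALF;
}

int main(void)
{
    /* Constructed sample branch targets (not taken from any real system). */
    const uint64_t samples[] = {
        0x00007fffffffe000ULL,  /* top of the user half under 48-bit addressing */
        0xffff800000000000ULL,  /* bottom of the kernel half under 48-bit addressing */
        0x0000800000000000ULL,  /* one past the user half: noncanonical at 48 bits */
        0xffff7fffffffffffULL,  /* one below the kernel half: noncanonical at 48 bits */
    };
    static const char *names[] = { "user-half", "kernel-half", "NONCANONICAL (#GP)" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> 48-bit: %-20s 57-bit: %s\n",
               (unsigned long long)samples[i],
               names[classify_rip(samples[i], VA_BITS_4LEVEL)],
               names[classify_rip(samples[i], VA_BITS_5LEVEL)]);
    return 0;
}
```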

This issue affects versions prior to:

Workstation 6.0.5 build 109488
Workstation 5.5.8 build 108000
Player 2.0.5 build 109488
Player 1.0.8 build 108000
Server 1.0.7 build 108231
ESXi 3.5 ESXe350-200809401-I-SG
ESX 3.5 ESX350-200809404-SG
ESX 3.0.3 ESX303-200809401
ESX 3.0.2 ESX-1006361
ESX 3.0.1 ESX-1006678
VirtualCenter 2.5 Update 3 build 119838

2. An information-disclosure vulnerability affects the VirtualCenter client and arises when a user logs in to the VirtualCenter server. Due to an unspecified error, user passwords containing certain special characters may be displayed in clear text in a dialog box. This could allow a local attacker who is physically near the user (for example, looking over their shoulder) to see the user's password.

This issue affects versions prior to:

VirtualCenter 2.5 Update 3 build 119838

Affected Products:

  • VMware ESX Server 3.0.1
  • VMware ESX Server 3.0.2
  • VMware ESX Server 3.0.3
  • VMware ESX Server 3.5
  • VMware ESXi Server 3.5
  • VMware Player 1.0.1 build 19317
  • VMware Player 1.0.2
  • VMware Player 1.0.3
  • VMware Player 1.0.4
  • VMware Player 1.0.5
  • VMware Player 1.0.6
  • VMware Player 1.0.6 build 80404
  • VMware Player 1.0.7 build 91707
  • VMware Player 2.0.0
  • VMware Player 2.0.1
  • VMware Player 2.0.2
  • VMware Player 2.0.3 build 80004
  • VMware Player 2.0.4
  • VMware Player 2.0.4 build 93057
  • VMware Player 2.0.5
  • VMware Server 1.0.2
  • VMware Server 1.0.3
  • VMware Server 1.0.4
  • VMware Server 1.0.5
  • VMware Server 1.0.5 build 80187
  • VMware Server 1.0.6
  • VMware Server 1.0.6 build 91891
  • VMware Server 1.0.7
  • VMware VirtualCenter 2.5
  • VMware VirtualCenter 2.5 Update 1
  • VMware VirtualCenter 2.5 Update 2
  • VMware VirtualCenter 2.5 Update 5
  • VMware Workstation 5.5.3 build 34685
  • VMware Workstation 5.5.3 build 42958
  • VMware Workstation 5.5.4
  • VMware Workstation 5.5.4 build 44386
  • VMware Workstation 5.5.5
  • VMware Workstation 5.5.6
  • VMware Workstation 5.5.6 build 80404
  • VMware Workstation 5.5.7
  • VMware Workstation 5.5.7 build 91707
  • VMware Workstation 5.5.8
  • VMware Workstation 6.0.0
  • VMware Workstation 6.0.0.45731
  • VMware Workstation 6.0.1
  • VMware Workstation 6.0.2
  • VMware Workstation 6.0.3
  • VMware Workstation 6.0.3 build 80004
  • VMware Workstation 6.0.4
  • VMware Workstation 6.0.4 build 93057
  • VMware Workstation 6.0.5
