• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: VMware Products Page Fault Exception Local Privilege Escalation Vulnerability

Severity: HIGH

Description:

VMware is a set of server-emulation applications available for several platforms.

Multiple VMware products are prone to a privilege-escalation vulnerability because they fail to properly handle certain page faults. This issue arises in 'Virtual-8086' mode.

An attacker can exploit this issue to run arbitrary code with superuser privileges. Successful attacks will completely compromise affected computers.

Note that this issue does not affect the host operating system.

Affected Products:

• VMWare ACE 2.5.0 build 118166
• VMWare ACE 2.5.1
• VMWare ACE 2.5.2
• VMWare ACE 2.5.2 build 156735
• VMWare ESX Server 2.0.0
• VMWare ESX Server 2.0.0 build 5257
• VMWare ESX Server 2.0.1
• VMWare ESX Server 2.0.1 build 6403
• VMWare ESX Server 2.0.2
• VMWare ESX Server 2.0.2 Patch 1
• VMWare ESX Server 2.0.2 Patch 2
• VMWare ESX Server 2.0.2 Patch 4
• VMWare ESX Server 2.0.2 Patch 5
• VMWare ESX Server 2.0.2 Patch 8
• VMWare ESX Server 2.1.0
• VMWare ESX Server 2.1.1
• VMWare ESX Server 2.1.2
• VMWare ESX Server 2.1.3
• VMWare ESX Server 2.1.3 Patch 1
• VMWare ESX Server 2.1.3 Patch 2
• VMWare ESX Server 2.1.3 Patch 4
• VMWare ESX Server 2.1.3 Patch 5
• VMWare ESX Server 2.1.3 Patch 8
• VMWare ESX Server 2.5.0
• VMWare ESX Server 2.5.2
• VMWare ESX Server 2.5.2 Patch 4
• VMWare ESX Server 2.5.3
• VMWare ESX Server 2.5.3 Patch 13
• VMWare ESX Server 2.5.3 Patch 2
• VMWare ESX Server 2.5.3 Patch 4
• VMWare ESX Server 2.5.3 Patch 5
• VMWare ESX Server 2.5.3 Patch 6
• VMWare ESX Server 2.5.3 Patch 7
• VMWare ESX Server 2.5.3 Patch 8
• VMWare ESX Server 2.5.4
• VMWare ESX Server 2.5.4 Patch 1
• VMWare ESX Server 2.5.4 Patch 10
• VMWare ESX Server 2.5.4 Patch 16
• VMWare ESX Server 2.5.4 Patch 17
• VMWare ESX Server 2.5.4 Patch 3
• VMWare ESX Server 2.5.4 Patch 5
• VMWare ESX Server 2.5.4 patch 13
• VMWare ESX Server 2.5.4 patch 15
• VMWare ESX Server 2.5.4 patch 19
• VMWare ESX Server 2.5.4 patch 21
• VMWare ESX Server 2.5.5
• VMWare ESX Server 2.5.5 patch 10
• VMWare ESX Server 2.5.5 patch 11
• VMWare ESX Server 2.5.5 patch 12
• VMWare ESX Server 2.5.5 patch 13
• VMWare ESX Server 2.5.5 patch 2
• VMWare ESX Server 2.5.5 patch 4
• VMWare ESX Server 2.5.5 patch 5
• VMWare ESX Server 2.5.5 patch 6
• VMWare ESX Server 2.5.5 patch 8
• VMWare ESX Server 2.5.5 patch 9
• VMWare ESX Server 3.0.0
• VMWare ESX Server 3.0.1
• VMWare ESX Server 3.0.2
• VMWare ESX Server 3.0.2 ESX-1008420
• VMWare ESX Server 3.0.3
• VMWare ESX Server 3.0.3
• VMWare ESX Server 3.0.3 ESX303-200812406-BG
• VMWare ESX Server 3.0.3 ESX303-200905401-SG
• VMWare ESX Server 3.5
• VMWare ESX Server 3.5 ESX350-200904401-BG
• VMWare ESX Server 3.5 ESX350-200906407-S
• VMWare ESX Server 4.0
• VMWare ESX Server 4.0
• VMWare ESXi Server 3.5
• VMWare ESXi Server 3.5 ESXe350-200904402-T-BG
• VMWare ESXi Server 4.0
• VMWare Fusion 2
• VMWare Fusion 2.0.2 build 147997
• VMWare Fusion 2.0.3
• VMWare Fusion 2.0.4
• VMWare Fusion 2.0.5
• VMWare Fusion 2.0.6
• VMWare Player 2.5.0 build 118166
• VMWare Player 2.5.1
• VMWare Player 2.5.2
• VMWare Player 2.5.2 build 156735
• VMWare Player 2.5.3
• VMWare Server 1.0.2
• VMWare Server 1.0.3
• VMWare Server 1.0.4
• VMWare Server 1.0.5
• VMWare Server 1.0.5 Build 80187
• VMWare Server 1.0.6
• VMWare Server 1.0.6 build 91891
• VMWare Server 1.0.7
• VMWare Server 1.0.7 build 108231
• VMWare Server 1.0.8
• VMWare Server 1.0.8 build 126538
• VMWare Server 1.0.9
• VMWare Server 1.0.9 build 156507
• VMWare Server 2.0
• VMWare Server 2.0.1
• VMWare Server 2.0.1 build 156745
• VMWare Workstation 6.5.0 build 118166
• VMWare Workstation 6.5.1
• VMWare Workstation 6.5.2
• VMWare Workstation 6.5.2 build 156735
• VMWare Workstation 6.5.3

References:

• Tavis Ormandy: Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation
• VMware: VMware Homepage
• VMware: [Security-announce] VMSA-2009-0015 VMware hosted products and ESX patches resolv

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.