CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score
Confidence
High
EPSS
Percentile
94.0%
VMware products installed on the remote host are reportedly affected by multiple vulnerabilities :
A vulnerability in the guest virtual device driver could allow an attacker to use the guest operating system to crash the host operating system. (CVE-2008-3761)
A denial of service vulnerability affects an unspecified IOCTL contained in the ‘hcmon.sys’ driver. An attacker can exploit this in order to deny service on a Windows- based host. (CVE-2009-1146, CVE-2008-3761)
A privilege escalation vulnerability affects the ‘vmci.sys’ driver on Windows-based machines. An attacker can exploit this in order to gain escalated privileges on either the host or the guest. (CVE-2009-1147)
The ‘VNnc’ codec is affected by two heap-based buffer overflow vulnerabilities. An attacker can exploit these to execute arbitrary code on VMware hosted products by tricking a user into opening a malicious file.
(CVE-2009-0909, CVE-2009-0910)
A vulnerability in ACE shared folder may allow attackers to enable previously disabled shared ACE folders. This only affects VMware ACE. (CVE-2009-0908)
A remote denial of service vulnerability affects Windows hosts. An attacker can exploit this to crash the affected host. (CVE-2009-0177)
A vulnerability in the virtual machine display function may allow a guest operating system to run code on the host. (CVE-2009-1244)
A vulnerability in VMware Descheduled Time Accounting Service could be exploited to trigger a denial of service condition in Windows-based virtual machines. It should be noted that, this feature is optional, and the vulnerability can be exploited only if the feature is installed, and the affected service is not running in the virtual machine. (CVE-2009-1805)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(36117);
script_version("1.28");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/27");
script_cve_id(
"CVE-2008-3761",
"CVE-2008-4916",
"CVE-2009-0177",
"CVE-2009-0518",
"CVE-2009-0908",
"CVE-2009-0909",
"CVE-2009-0910",
"CVE-2009-1146",
"CVE-2009-1147",
"CVE-2009-1244",
"CVE-2009-1805"
);
script_bugtraq_id(34373, 34471, 35141);
script_xref(name:"VMSA", value:"2009-0005");
script_xref(name:"VMSA", value:"2009-0006");
script_xref(name:"VMSA", value:"2009-0007");
script_xref(name:"EDB-ID", value:"6262");
script_xref(name:"EDB-ID", value:"7647");
script_xref(name:"Secunia", value:"33372");
script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2009-0005/VMSA-2009-0007)");
script_summary(english:"Checks vulnerable versions of multiple VMware products");
script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by multiple
issues.");
script_set_attribute(attribute:"description", value:
"VMware products installed on the remote host are reportedly affected
by multiple vulnerabilities :
- A vulnerability in the guest virtual device driver could
allow an attacker to use the guest operating system to
crash the host operating system. (CVE-2008-3761)
- A denial of service vulnerability affects an unspecified
IOCTL contained in the 'hcmon.sys' driver. An attacker
can exploit this in order to deny service on a Windows-
based host. (CVE-2009-1146, CVE-2008-3761)
- A privilege escalation vulnerability affects the
'vmci.sys' driver on Windows-based machines. An attacker
can exploit this in order to gain escalated privileges
on either the host or the guest. (CVE-2009-1147)
- The 'VNnc' codec is affected by two heap-based buffer
overflow vulnerabilities. An attacker can exploit these
to execute arbitrary code on VMware hosted products by
tricking a user into opening a malicious file.
(CVE-2009-0909, CVE-2009-0910)
- A vulnerability in ACE shared folder may allow attackers
to enable previously disabled shared ACE folders. This
only affects VMware ACE. (CVE-2009-0908)
- A remote denial of service vulnerability affects Windows
hosts. An attacker can exploit this to crash the
affected host. (CVE-2009-0177)
- A vulnerability in the virtual machine display function
may allow a guest operating system to run code on the
host. (CVE-2009-1244)
- A vulnerability in VMware Descheduled Time Accounting
Service could be exploited to trigger a denial of
service condition in Windows-based virtual machines. It
should be noted that, this feature is optional, and
the vulnerability can be exploited only if the feature
is installed, and the affected service is not running in
the virtual machine. (CVE-2009-1805)");
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2009-0005.html");
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2009-0006.html" );
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2009-0007.html" );
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/ws65/doc/releasenotes_ws652.html" );
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/pdf/vmware_player250.pdf" );
script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/ace25/doc/releasenotes_ace252.html" );
#https://web.archive.org/web/20210225164348/https://www.vmware.com/support/server2/doc/releasenotes_vmserver201.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?95976d4a" );
script_set_attribute(attribute:"solution", value:
"Upgrade to :
- VMware Workstation 6.5.2 or higher.
- VMware Server 2.0.1/1.0.9 or higher.
- VMware Player 2.5.2 or higher.
- VMware ACE 2.5.2 or higher.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-0909");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-14-757");
script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_cwe_id(20, 119, 200, 399);
script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:ace");
script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_player");
script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_server");
script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_workstation");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2009-2024 Tenable Network Security, Inc.");
script_dependencies("vmware_workstation_detect.nasl","vmware_server_win_detect.nasl", "vmware_player_detect.nasl", "vmware_ace_detect.nasl");
script_require_ports("VMware/Server/Version", "VMware/ACE/Version", "VMware/Player/Version", "Host/VMware Workstation/Version", 139, 445);
script_require_keys("SMB/Registry/Enumerated");
exit(0);
}
include("smb_func.inc");
var port = kb_smb_transport();
var report = "";
# Check for VMware Workstation
var version = get_kb_item("Host/VMware Workstation/Version");
if (version)
{
var v = split(version, sep:".", keep:FALSE);
if (( int(v[0]) < 6 ) ||
( int(v[0]) == 6 && int(v[1]) < 5) ||
( int(v[0]) == 6 && int(v[1]) == 5 && int(v[2]) < 2)
)
{
if (report_verbosity > 0)
{
report = strcat('\nVersion ', version,' of VMware Workstation is installed on the remote host.\n');
security_hole(port:port, extra:report);
}
else
security_hole(port);
}
}
# Check for VMware Server
version = get_kb_item("VMware/Server/Version");
if (version)
{
v = split(version, sep:".", keep:FALSE);
if ((int(v[0]) == 2 && int(v[1]) == 0 && int(v[2]) < 1) ||
(
int(v[0]) < 1 ||
(
int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 9
)
)
)
{
if (report_verbosity > 0)
{
report = strcat('\nVersion ', version,' of VMware Server is installed on the remote host.\n');
security_hole(port:port, extra:report);
}
else
security_hole(port);
}
}
# Check for VMware Player
version = get_kb_item("VMware/Player/Version");
if (version)
{
v = split(version, sep:".", keep:FALSE);
if (( int(v[0]) < 2 ) ||
( int(v[0]) == 2 && int(v[1]) < 5) ||
( int(v[0]) == 2 && int(v[1]) == 5 && int(v[2]) < 2)
)
{
if (report_verbosity > 0)
{
report = strcat('\nVersion ', version,' of VMware Player is installed on the remote host.\n');
security_hole(port:port, extra:report);
}
else
security_hole(port);
}
}
#Check for VMware ACE
version = get_kb_item("VMware/ACE/Version");
if (version)
{
v = split(version, sep:".", keep:FALSE);
if (( int(v[0]) < 2) ||
( int(v[0]) == 2 && int(v[1]) < 5 ) ||
( int(v[0]) == 2 && int(v[1]) == 5 && int(v[2]) < 2 )
)
{
if (report_verbosity > 0)
{
report = strcat('\nVersion ', version,' of VMware ACE is installed on the remote host.\n');
security_hole(port:port, extra:report);
}
else
security_hole(port);
}
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3761
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0518
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0908
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0909
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0910
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1146
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1147
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1244
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1805
www.nessus.org/u?95976d4a
www.vmware.com/pdf/vmware_player250.pdf
www.vmware.com/security/advisories/VMSA-2009-0005.html
www.vmware.com/security/advisories/VMSA-2009-0006.html
www.vmware.com/security/advisories/VMSA-2009-0007.html
www.vmware.com/support/ace25/doc/releasenotes_ace252.html
www.vmware.com/support/ws65/doc/releasenotes_ws652.html